Honeypots mailing list archives

RE: How do web beacons work?


From: "Bill Ward" <Bill.Ward () ealaddin com>
Date: Fri, 7 Jan 2005 01:57:28 -0600


Ali H wrote:
Sounds very acceptable, but how would the spammers know if that email is
valid? 

My vista is that when spammers send an email(s) to victims, they won't
know if that deception had a successful reception!! Because normally the
deception that was sent was created from invalid sources! Right?


------
Ans:

Your second question is not part of the IMG tag question.  This is a way
to count the NDRs and subtract them from your full list.  The spammers
are not looking for you to return a mail message; once you download a
message's images, the end server knows that a request is from you.
The spammers have not really counted on an NDR to prove that your
address is invalid for many reasons.


Let's start at the beginning.

1. All types of Web server (IIS, Apache, etc.) will capture the server
reference (what is after the ?) in a log file.

2. A spammer sends out thousands of messages
        a. The first has a server reference of a000001
        b. The second has a server reference of a000002
        c. ...
        d. The ninth has a server reference of a000009

3. When the server adds a server reference it keeps track of who the
message was sent to.

        a. a000001=person () example com
        b. a000002=person2 () example2 net
        c. a000009=you () yourdomain com

4. You are the ninth person.  You receive an email that has an embedded
HTML img tag that has a web beacon.

        a. Like the following (This is a real URL for an email that I
got, but the ?xxxxxx has been changed)
    http://i.i.com.com/cnwk.1d/i/ne/hdrs/alerthed4.gif?a000009

        b. This is the section out of my email.
                <td width="612" height="51" bgcolor="#e5e5e5" colspan="2">
                    <img src="http://i.i.com.com/cnwk.1d/i/ne/hdrs/alerthed4.gif" alt=""
                         width="612" height="51" border="0"><br>
                </td></tr>

5. When you view the email you receive the image in your email viewer,
and you don't know any different.

6. The web server records that image alerthed4.gif was requested from
a000009

7. You are now a known live email address.

8. If the email never requests the image or if the server reference is
stripped off then the spammer does not know that you viewed the email,
and does not know if your email address is a live address.


BTW if you do download the images, the server could also capture your IP
address.  Then if you click on the links they can then track your habits
while you're visiting their site.
    
    




 ----- Original Message -----
 From: "Bill Ward" <Bill.Ward () ealaddin com>
 To: <honeypots () securityfocus com>
 Sent: Thursday, January 06, 2005 3:55 PM
 Subject: RE: How do web beacons work?
 
 
 A web beacon is a simple way of a tracker being placed in a URL.
 
 For example
 www.example.com/image.gif?43234h2
 As we all know, the ? divides the server reference from the server data,
 so effectively you say: get image www.example.com/image.gif and pass
 along this piece of data, 43234h2.
 
 A common technique used by spammers is to create an HTML
 formatted email that includes a cookie.
 
 When the message is loaded in the viewing page or opened, then the
 images are downloaded.  This allows the spammer to receive a
 confirmation (a Web Beacon) from the recipient upon viewing the Spam
 message.
 
 By keeping a database the spammer knows that 43234h2 = you () example com.
 The spammer now knows that this email address is valid and can continue
 to send more Spam.
 
 
 Respectfully,
 William D. Ward
 Western Region Sales Engineer
 eSafe division of Aladdin Knowledge Systems
 
 
 -----Original Message-----
  From: Thorsten Holz [mailto:thorsten.holz () mmweg rwth-aachen de]
  Sent: Thursday, January 06, 2005 9:04 AM
  To: honeypots () securityfocus com
  Subject: Re: How do web beacons work?
 
  Lance Spitzner wrote:
   Okay, what exactly is a web beacon?  It sounds kinda like a honeytoken,
   but I've never heard of the term before.  Now that I did a google, looks
   like quite a few are using them to track users.  What exactly is a 'web
   beacon' and how does it technically work?
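
Step 8 of the reply above notes that a beacon fails once the server reference is stripped off. The following is an added example, not part of the original thread: a mail-side filter that removes the query string from remote img URLs before a message is displayed. The class and function names and the sample HTML are constructed for illustration.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit

# Constructed sample: one remote image carrying a per-recipient token
# (the thread's example.com form) and one attachment-embedded image.
SAMPLE = ('<tr><td width="612"><img src="http://www.example.com/image.gif?43234h2"'
          ' alt="" border="0"><br></td></tr><img src="cid:logo@example.com">')


class BeaconScrubber(HTMLParser):
    """Re-emits HTML with the query string removed from remote <img> URLs."""

    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out, self.findings = [], []   # rewritten HTML, (url, token) pairs

    def _scrub(self, url):
        p = urlsplit(url)
        if p.scheme in ("http", "https") and p.query:
            clean = urlunsplit((p.scheme, p.netloc, p.path, "", ""))
            self.findings.append((clean, p.query))
            return clean
        return url   # cid:, data: and token-free URLs pass through

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            attrs = [(k, self._scrub(v) if k == "src" and v else v) for k, v in attrs]
        text = "".join(f" {k}" if v is None else f' {k}="{html.escape(v)}"'
                       for k, v in attrs)
        self.out.append(f"<{tag}{text}>")

    def handle_startendtag(self, tag, attrs):   # <img ... /> form
        self.handle_starttag(tag, attrs)

    # Everything that is not a start tag is re-emitted as parsed.
    def handle_endtag(self, tag): self.out.append(f"</{tag}>")
    def handle_data(self, data): self.out.append(data)
    def handle_entityref(self, name): self.out.append(f"&{name};")
    def handle_charref(self, name): self.out.append(f"&#{name};")
    def handle_comment(self, data): self.out.append(f"<!--{data}-->")
    def handle_decl(self, decl): self.out.append(f"<!{decl}>")


def scrub_beacons(html_body):
    """Return (rewritten_html, findings) for one HTML mail body."""
    parser = BeaconScrubber()
    parser.feed(html_body)
    parser.close()
    return "".join(parser.out), parser.findings
```

The image request still reaches the remote server, so the IP address mentioned in the reply is still exposed, and a token placed in the path rather than after the ? is not removed. Not loading remote images at all covers both cases.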

