Honeypots mailing list archives
RE: How do web beacons work?
From: "Bill Ward" <Bill.Ward () ealaddin com>
Date: Fri, 7 Jan 2005 01:57:28 -0600
Ali H wrote: Sounds very acceptable, but how would the spammers know if that email is valid? my vista is that when spammers send an email(s) to victims, they won't know if that deception had a successful reception!! Because normally the deception that was sent was created from invalid sources! right? ------ Ans: Your second question is not part of the IMG tag question. This is a way to count the NDRs and subtract them from your full list. The spammers are not looking for you to return a mail message, once you download a messages images then the end server knows that a request is from you. The spammers have not really counted on an NDR to prove that your address is invalid for many reasons. Lets start at the beginning. 1. All type for Web server, IIS, Apache, etc will capture the server reference (What is after the ?) in a log file. 2. A spammer sends out thousands of messages a. The first has a server reference of a000001 b. The second has a server reference of a000002 c. ... d. The ninth has a server reference of a000009 3. When the server adds a server reference it keeps track of who the message was send to. a. a000001=person () example com b. a000002=person2 () example2 net c. a000009=you () yourdomain com 4. You are the ninth person. You receive an email that has an embedded HTML img tag that has a web beacon. a. Like the following (This is a real URL for a an email that I got, but the ?xxxxxx has been changed) http://i.i.com.com/cnwk.1d/i/ne/hdrs/alerthed4.gif?a000009 b. This is the section out of my email. <td width="612" height="51" bgcolor="#e5e5e5" colspan="2" <img src="http://i.i.com.com/cnwk.1d/i/ne/hdrs/alerthed4.gif" alt="" width="612" height="51" border="0"<br </td</tr 5. When you view the email you receive the image in your email viewer, and you don't know any different. 6. The web server records that image alerthed4.gif was requested from a000009 7. You are now a known live email address. 8. If the email never requests the image or if the server reference is stripped off them the spammer does not know that you viewed the email, and does not know if your email address is a live address. BTW if you do download the images, the server could also capture your IP address. Then if you click on the links they can then track your habits while your visiting there site. ----- Original Message ----- From: "Bill Ward" <Bill.Ward () ealaddin com To: <honeypots () securityfocus com Sent: Thursday, January 06, 2005 3:55 PM Subject: RE: How do web beacons work? I web beacon is a simple way of a tracker being placed in a URL. For example www.example.com/image.gif?43234h2 As we all know the ? divides the Server reference, form the server data so effectively your say get image www.example.com/image.gif and pass along this piece of data 43234h2 This is a common technique used by spammers is to create an HTML formatted email that includes a cookie. When the message is loaded in the viewing page or opened, then the images are downloaded. This allows the spammer to receive a confirmation (a Web Beacon) from the recipient upon viewing the Spam message. By keeping a database the spammer knows that 43234h2 = you () example com. The spammer now knows that this email address is valid and can continue to send more Spam. Respectfully, William D. Ward Western Region Sales Engineer eSafe division or Aladdin Knowledge Systems ---Original Message----- From: Thorsten Holz [mailto:thorsten.holz () mmweg rwth-aachen de] Sent: Thursday, January 06, 2005 9:04 AM To: honeypots () securityfocus com Subject: Re: How do web beacons work? Lance Spitzner wrote: Okay, what exactly is a web beacon? Its sounds kinda like a honeytoken, but I've never heard of the term before. Now that I did a google, looks like quite a few are using them to track users. What exactly is a 'web beacon' and how does it technically work?
Current thread:
- How do web beacons work? Lance Spitzner (Jan 06)
- Re: How do web beacons work? Thorsten Holz (Jan 06)
- Re: How do web beacons work? William Salusky (Jan 06)
- Re: How do web beacons work? MrDemeanour (Jan 06)
- Re: How do web beacons work? Michal Zalewski (Jan 06)
- <Possible follow-ups>
- RE: How do web beacons work? Bill Ward (Jan 06)
- RE: How do web beacons work? Bill Ward (Jan 07)