Bugtraq mailing list archives
Re[2]: HTML email "bug", of sorts.
From: Walter Hop <walter () binity com>
Date: Mon, 20 Aug 2001 11:26:02 +0200
> 1) how do you determine what's legitimate HTML email and what isn't? Can pattern-matching of web bugs be as easy as "*.gif\?.*" or something similar?
This is ineffective; a spammer _could_ use a CGI script in the form of http://www.spammer.com/transparent.gif?4747683621, but if these get blocked by a popular mailer, they will just move on to other schemes, like:

  http://www.spammer.com/validate/4747683621.html
  http://www.spammer.com/validate/4747683621/
  http://4747683621.spammer.com/
  http://4747683621.spammer.com:25/

This will make filtering of HTML content useless.

Furthermore, the HTML IMG tag is not the only "dangerous" tag in this aspect. There are many other tags to filter, which would require considerable effort on the part of mailer developers. [The usual scenario for this is that even years later, holes will be found.]

Some mailers like "The Bat" have their own HTML engine that refuses to do HTTP requests at all. This seems the best solution. Disabling HTTP requests totally will certainly break some legitimate HTML email, but not to the point where it is totally unreadable. Most HTML emails (stationery etc.) only refer to images enclosed with the message, so Your Client who likes to write emails with nice green leaves in the borders will not be disappointed by this feature.

For other HTML mailers like Outlook and Netscape, an application-level firewall (PGP Corporate Desktop, ZoneAlarm, etc.) is the only way to go. The best thing is not to allow the mailer any access to the network apart from the mail protocol ports on known POP3/IMAP/SMTP servers used. As shown in example URL 4 above, just blocking access to port 80 or any non-mail port provides only a false sense of security.

--
Walter Hop <walter () binity com> | +31 6 24290808 | Finger for public key
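The contrast Walter draws, between matching a web-bug URL pattern and refusing all remote fetches, can be checked directly. The following is an added example and is not code from the post or from any mailer it mentions; the sample message body, the FETCHING_ATTRS table (deliberately incomplete, since the point is that IMG is only one of many fetching tags) and the function names are all constructed for this illustration. It walks the HTML with Python's standard-library parser, collects every attribute value a renderer would load, and compares what the naive "*.gif\?.*" rule catches with what a fetch-free policy (only cid: and data: references are allowed) flags.

```python
"""Pattern-matching web bugs vs. refusing every remote fetch.

Added example, not from the original post. SAMPLE_HTML, FETCHING_ATTRS and
all helper names are constructed here for illustration.
"""
import re
from html.parser import HTMLParser

# Constructed sample body: the four tracking-URL variants from the post
# (one of them on port 25, to mirror the "blocking port 80 is not enough"
# remark), one non-IMG fetching attribute, and one legitimate image enclosed
# with the message as a cid: reference, which needs no network request.
SAMPLE_HTML = """
<html><body background="http://4747683621.spammer.com:25/">
<img src="http://www.spammer.com/transparent.gif?4747683621" width=1 height=1>
<img src="http://www.spammer.com/validate/4747683621.html">
<img src="http://www.spammer.com/validate/4747683621/">
<img src="http://4747683621.spammer.com/">
<img src="cid:leaves@stationery">
</body></html>
"""

# The "*.gif\?.*" idea from the question, as a regex: a GIF name followed by
# a query string.
NAIVE_WEB_BUG = re.compile(r"\.gif\?", re.IGNORECASE)

# (tag, attribute) pairs whose value a mailer would fetch while rendering.
# Hypothetical and deliberately incomplete: IMG/SRC is only one of many.
FETCHING_ATTRS = {
    ("img", "src"), ("img", "lowsrc"), ("body", "background"),
    ("table", "background"), ("td", "background"), ("input", "src"),
    ("iframe", "src"), ("frame", "src"), ("script", "src"), ("link", "href"),
}

# Schemes resolvable from the message itself, i.e. no outbound request.
LOCAL_SCHEMES = ("cid:", "data:")


class RefExtractor(HTMLParser):
    """Collect every attribute value a renderer would try to load."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value and (tag.lower(), name.lower()) in FETCHING_ATTRS:
                self.refs.append(value.strip())


def extract_refs(html):
    """Return all fetchable references in document order."""
    parser = RefExtractor()
    parser.feed(html)
    parser.close()
    return parser.refs


def naive_filter(refs):
    """Pattern approach: flag only references shaped like 'name.gif?id'."""
    return [r for r in refs if NAIVE_WEB_BUG.search(r)]


def remote_refs(refs):
    """Fetch-free policy: anything not local to the message is a request."""
    return [r for r in refs if not r.lower().startswith(LOCAL_SCHEMES)]


def needs_network(html):
    """True if rendering the message would cause any outbound request."""
    return bool(remote_refs(extract_refs(html)))


if __name__ == "__main__":
    refs = extract_refs(SAMPLE_HTML)
    print("references found:", len(refs))
    print("naive pattern catches:", naive_filter(refs))
    print("fetch-free policy flags:", remote_refs(refs))
    print("message needs network:", needs_network(SAMPLE_HTML))
```

On the sample, the naive pattern catches exactly one of the five tracking references (the .gif?id form), while the fetch-free policy flags all five and still lets the enclosed cid: image through. The port-25 variant is flagged like the others because the decision is made on the reference itself rather than on which port it would connect to, which is the same reasoning behind restricting the mailer to the known mail-server ports instead of blocking port 80.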