Bugtraq mailing list archives
Re: HTML email "bug", of sorts.
From: Peter W <peterw () usa net>
Date: Tue, 21 Aug 2001 06:39:12 -0400
On Mon, Aug 20, 2001 at 07:39:24PM -0500, Mark Tinberg wrote:
> I think that Walter hinted at another scheme that hasn't yet been explicitly mentioned. By making a request like the one below the spammer can use their DNS server logs to track messages, even if all TCP access is blocked by a personal firewall.
Yep, nice point.
> The answer, as stated below, is that any email client that does HTML mail should be highly restricted on what tags it interprets (no "active" content) and should not display anything that didn't come included with the message. Possibly there should be a special DTD just for this purpose.
See RFC 2392, which describes how rich messages (like HTML) can refer to other objects included with the same multipart message. There may still be vulnerabilities if the attachment is hostile, especially if your rendering engine (I'm thinking about Internet Explod^Hrer here) ignores the MIME type specified in the message headers. But at least restricting the message to included content via RFC 2392 allows attractive messages with no web bug, Cross-Site Request Forgery, distributed URL DoS, or other wickedness.

The ZoneAlarm-type tricks are neat; I assume those folks don't often use webmail applications like acmemail/squirrelmail/hotmail, where restricting the message to cid:/RFC 2392 references is about the only sane approach.

-Peter
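The approach Peter describes for webmail, restricting a message to cid: (RFC 2392) references, is shown below as an added example that is not part of the thread or of any of the mailers named in it. It is a filter over an HTML body, built on Python's standard-library html.parser, that keeps only Content-ID references, drops every other URL-bearing attribute (so rendering triggers neither a TCP fetch nor the DNS lookup Mark points out), and removes "active" tags entirely. The tag and attribute lists, the sample message and the hostnames in it are constructed for illustration; the function `restrict_to_cid` and the class `CidOnlyFilter` are assumptions of this example.

```python
import html
import re
from html.parser import HTMLParser

# Attributes whose value is fetched when the message is rendered (constructed list).
URL_ATTRS = {"src", "href", "background", "poster", "action", "data"}
# "Active" content and tags that pull in external resources; dropped with their bodies.
ACTIVE_TAGS = {"script", "object", "embed", "applet", "iframe", "frame",
               "form", "link", "meta", "base", "style"}
# The only reference scheme allowed: RFC 2392 Content-ID URLs into the same message.
CID_RE = re.compile(r"^\s*cid:", re.IGNORECASE)


class CidOnlyFilter(HTMLParser):
    """Re-emits an HTML body with only cid: references left intact.

    Anything that would reach outside the message (http:, https:, ftp:,
    scheme-relative //host paths, inline event handlers, CSS url() via style
    attributes) is removed and recorded in `dropped` for logging.
    """

    def __init__(self):
        super().__init__()          # convert_charrefs=True: handle_data gets decoded text
        self.out = []
        self.skip_depth = 0         # >0 while inside an ACTIVE_TAGS element
        self.dropped = []           # (tag, attr, value) tuples that were removed

    def _filtered_start(self, tag, attrs):
        kept = []
        for name, value in attrs:
            lname = name.lower()
            if lname.startswith("on"):                      # onload=, onerror=, ...
                self.dropped.append((tag, name, value))
                continue
            if lname == "style":                            # background:url(...) fetches too
                self.dropped.append((tag, name, value))
                continue
            if lname in URL_ATTRS and not (value and CID_RE.match(value)):
                self.dropped.append((tag, name, value))
                continue
            if value is None:
                kept.append(f" {name}")
            else:
                kept.append(f' {name}="{html.escape(value, quote=True)}"')
        return f"<{tag}{''.join(kept)}>"

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            self.skip_depth += 1
            self.dropped.append((tag, None, None))
            return
        if self.skip_depth == 0:
            self.out.append(self._filtered_start(tag, attrs))

    def handle_startendtag(self, tag, attrs):
        # Self-closing form such as <img ... />; no matching end tag follows.
        if tag in ACTIVE_TAGS:
            self.dropped.append((tag, None, None))
            return
        if self.skip_depth == 0:
            self.out.append(self._filtered_start(tag, attrs)[:-1] + " />")

    def handle_endtag(self, tag):
        if tag in ACTIVE_TAGS:
            if self.skip_depth:
                self.skip_depth -= 1
            return
        if self.skip_depth == 0:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # Text inside <script>/<style> arrives here as raw CDATA; it is skipped.
        if self.skip_depth == 0:
            self.out.append(html.escape(data, quote=False))


def restrict_to_cid(html_body):
    """Return (filtered_html, dropped) for an HTML message body."""
    f = CidOnlyFilter()
    f.feed(html_body)
    f.close()
    return "".join(f.out), f.dropped


# Constructed sample: one legitimate cid: image, one 1x1 remote beacon,
# one external link and one script block.
SAMPLE = (
    "<html><body>"
    "<p>Hello <b>reader</b></p>"
    '<img src="cid:logo@example.invalid" alt="logo">'
    '<img src="http://tracker.example.invalid/beacon.gif?id=12345" width="1" height="1">'
    '<a href="https://example.invalid/x">link</a>'
    "<script>alert(1)</script>"
    "</body></html>"
)

if __name__ == "__main__":
    body, dropped = restrict_to_cid(SAMPLE)
    print(body)
    for entry in dropped:
        print("dropped:", entry)
```

Feeding a message through the filter before display leaves the cid: image and the text untouched, strips the beacon's src and the link's href (the tags themselves stay so the layout is not disturbed), and drops the script block with its contents; the `dropped` list is what a webmail operator would log to see how often messages carry remote references.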
Current thread:
- Re: HTML email "bug", of sorts. thomas . rowe (Aug 19)
- Re: HTML email "bug", of sorts. Thor (Aug 19)
- RE: HTML email "bug", of sorts. David LeBlanc (Aug 20)
- <Possible follow-ups>
- Re: HTML email "bug", of sorts. james_kelley (Aug 19)
- Re: HTML email "bug", of sorts. Alex Prestin (Aug 19)
- Re[2]: HTML email "bug", of sorts. Walter Hop (Aug 20)
- Re[2]: HTML email "bug", of sorts. Mark Tinberg (Aug 20)
- Re: HTML email "bug", of sorts. Peter W (Aug 21)
- Re[2]: HTML email "bug", of sorts. Walter Hop (Aug 20)
- Re: HTML email "bug", of sorts. Bear Giles (Aug 20)
- Re: HTML email "bug", of sorts. Sean Straw / PSE (Aug 21)
- Re: HTML email "bug", of sorts. Curt Sampson (Aug 21)
- RE: HTML email "bug", of sorts. Ben Yu (Aug 20)
- Re: HTML email "bug", of sorts. Jeffrey W. Dronenburg (Aug 21)