Bugtraq mailing list archives

Re: HTML email "bug", of sorts.


From: Peter W <peterw () usa net>
Date: Tue, 21 Aug 2001 06:39:12 -0400

On Mon, Aug 20, 2001 at 07:39:24PM -0500, Mark Tinberg wrote:

> I think that Walter hinted at another scheme that hasn't yet been
> explicitly mentioned.  By making a request like the one below the spammer
> can use their DNS server logs to track messages, even if all TCP access is
> blocked by a personal firewall.

Yep, nice point.

> The answer, as stated below, is that any email client that does HTML mail
> should be highly restricted on what tags it interprets (no "active"
> content) and should not display anything that didn't come included with
> the message.  Possibly there should be a special DTD just for this
> purpose.

See RFC 2392, which describes how rich messages (like HTML) can refer to 
other objects included with the same multipart message. There may still be 
vulnerabilities if the attachment is hostile, especially if your rendering 
engine (I'm thinking about Internet Explod^Hrer here) ignores the MIME 
type specified in the message headers. But at least restricting the message 
to included content via RFC 2392 allows attractive messages with no web 
bug, Cross-Site Request Forgery, distributed URL DoS, or other wickedness.

The ZoneAlarm-type tricks are neat; I assume those folks don't often use
webmail applications like acmemail/squirrelmail/hotmail, where restricting 
the message to cid:/RFC 2392 references is about the only sane approach.

-Peter
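The cid:-only rendering rule discussed above, as an added example that is not from the thread: a small Python sanitizer that keeps only RFC 2392 cid: references resolving to parts of the same multipart/related message and strips active content, so nothing in the rendered mail can trigger a fetch or DNS lookup. The sample message, the tracker.example host and the helper names are constructed for illustration.

```python
# Added example (not from the thread): allow only RFC 2392 cid: references to parts of this message.
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import unquote
_FETCH_ATTRS = {"src", "href", "background", "poster", "data"}  # fetched (DNS lookup) on display
_ACTIVE_TAGS = {"script", "iframe", "object", "embed", "form", "link", "meta"}

class _Sanitizer(HTMLParser):
    def __init__(self, content_ids):
        super().__init__()
        self.cids, self.out, self.dropped, self._skip = content_ids, [], [], 0
    def handle_starttag(self, tag, attrs):
        if tag in _ACTIVE_TAGS:  # active content: drop the element and its body
            self._skip += 1; self.dropped.append(tag); return
        if self._skip: return
        kept = []
        for name, value in attrs:
            if name.startswith("on") or name == "style":  # event handlers, CSS url()
                self.dropped.append(f"{tag}@{name}"); continue
            # RFC 2392: "cid:" + URL-encoded Content-ID of a part in this message
            local = bool(value) and value.lower().startswith("cid:") and unquote(value[4:]) in self.cids
            if name in _FETCH_ATTRS and not local:
                self.dropped.append(f"{tag}@{name}={value}"); continue
            kept.append((name, value))
        self.out.append("<%s%s>" % (tag, "".join(f' {n}="{v}"' if v is not None else f" {n}" for n, v in kept)))
    def handle_endtag(self, tag):
        if tag in _ACTIVE_TAGS: self._skip = max(0, self._skip - 1)
        elif not self._skip: self.out.append(f"</{tag}>")
    def handle_data(self, data): self._skip or self.out.append(data)

def sanitize_message(raw):
    # Returns (sanitized HTML, list of dropped tags/attributes) for a raw multipart/related message.
    msg = message_from_string(raw, policy=policy.default)
    cids = {p["Content-ID"].strip("<>") for p in msg.walk() if p["Content-ID"]}
    s = _Sanitizer(cids); s.feed(msg.get_body(preferencelist=("html",)).get_content()); s.close()
    return "".join(s.out), s.dropped

# Constructed sample: one inline cid: image, one 1x1 web bug, one script block.
SAMPLE = """\
Content-Type: multipart/related; boundary="b1"

--b1
Content-Type: text/html

<p>Hi</p><img src="cid:logo@example.com"><script>alert(1)</script>
<img src="http://tracker.example/u.gif?id=123" width="1" height="1">
--b1
Content-Type: image/png
Content-ID: <logo@example.com>

iVBORw0KGgo=
--b1--
"""
```

Anything the sanitizer drops is reported in the second return value, which is a useful place to hook a "this message tried to reach the network" indicator in a mail client or webmail front end.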

