Bugtraq mailing list archives

Re: HTML email "bug", of sorts.


From: "Jeffrey W. Dronenburg" <dronenjw () us hsanet net>
Date: Tue, 21 Aug 2001 13:58:02 -0400

Hi Bugtraq,

I've been following this particular thread with a great deal of interest as
it directly relates to my present academic course work.  Although the focus
of the debate thus far has been centered around spam, I think there is a
greater ethical dilemma posed by this "bug".

I never took the time to look through the HTML code of e-mails that I
normally receive and have subscribed to, but this thread opened my eyes.  I
was very surprised to see an img src tag with an invisible hyperlinked gif
at the bottom of *every* HTML e-mail I've received.  Keep in mind these are
"legitimate e-mails" received from news subscriptions; a result of shopping
online and filing a profile; and registering software.  Here are some
highlights:

_____=====***=====_____

The New York Times on the Web Headlines newsletter that just recently went
to HTML format:
<IMG SRC="http://images2.nytimes.com/RealMedia/ads/adstream_nx.cgi/email.nytimes.com/todaysheadlines/html@Bottom1">
</BODY>
</HTML>

***Privacy policy at http://www.nytimes.com/info/help/privacy.html does a
fairly decent job of explaining that they use RealMedia as an advertising
server.  I would presume that is what this link is for.

_____=====***=====_____

Staples.com at the bottom of their HTML ads sent to all online shoppers:
<img src="http://od.ed10.net/od/V6P3/H08/EK5O6F">[[V6P3-H08-EK5O6F-H]]276890</body>
</html>

***Privacy policy at http://www.staples.com/help/default.asp?area=privacy
doesn't say anything about why they are collecting information from the
e-mails they send out, or how it's being used.  At least Staples has the
decency to put some text at the bottom after the tag so that you know where
it is.

_____=====***=====_____

The Learning Company Family Focus Newsletter (a.k.a. advertisement)
resulting from product registration:
<img src="http://info.learningco.com/images/blankpixel.gif/Key=9562.Ftzu.DzF2lN">
</HTML>

***Privacy policy at http://www.learningco.com/Info.asp?Info=1805 doesn't
say anything about why they are collecting information from the e-mails they
send out, or how it's being used.  I like the name of the gif -- it says it
all!

_____=====***=====_____

<!-- on soap box -->
The point is that this coding technique is being widely used to harvest
information from subscribers probably for demographic or similar purposes --
it depends upon the source.  The problem is that companies aren't telling
their customers/subscribers in a direct manner that they are doing this.
One must first know and understand the technology, then go and seek out a
privacy policy, and maybe -- just maybe -- find an answer.  More often than
not, the privacy policy is buried in the middle of a lengthy legal statement
for COPPA compliance to keep the EPIC and the ACLU off their backs.  If
companies are going to use this technique for "legitimate" purposes (very
loosely defined), they should be upfront about it and let their customers
know.  If someone/some company is going to track my shopping habits and
datamine my e-mail, I would appreciate the courtesy of them letting me know
that they're digging into my private life before they do.  This much can be
done, and should be done.
<!-- /off soap box -->

There... I feel better.  Venting complete.

Jeffrey W. Dronenburg, Sr.
MIS Major, Univ. of Maryland, Univ. College
Alpha Sigma Lambda


-----Original Message-----
From: Alex Prestin [mailto:wakko () bitey net]
Sent: Saturday, August 18, 2001 3:17 AM
To: bugtraq () securityfocus com
Subject: HTML email "bug", of sorts.



I'm not sure this is the proper forum for "conspiracy-theory" bugs, but I
figured this would be of interest to anyone trying to prevent the names of
valid email accounts they either own or administer from being verified and
added to "official" known-good spam rosters.

You may have heard of "web-bugs" before.  Or you may not have.  For the
benefit of the less-experienced, here's what they are and what they do:

"Web bugs" are small, 1x1 (or similar-sized) transparent GIF images which
can be used to track the movement of a user around the web.  About 1 in 10
sites use them.  Their effectiveness at this task is somewhat questionable,
but they can be used more effectively for a different task:

I've started noticing something very disturbing in the HTML in spam mails
recently.  I've started seeing web bugs.  Below is an example from a recent
email:

<img src="http://www.megahardcoresex.com/sites/XXXXXXXX0 (continued)
3b/sf03b08152001.gif?M=XXXXXXXXX&ID=wakko () bitey net" width="1" height="1">

See it?  A web bug.  If I opened this mail in an HTML-capable browser, that
little image would've popped up and I would've been none the wiser.  My
address would also have been verified by the sender, and stored in a large
database of valid recipients.

So, anyone have any idea of how to deal with this latest little spammer toy?
Is there any effective way to filter out web bugs without adversely
affecting the delivery intact of legitimate messages?  Could software change
to at least warn viewers that this HTML viewer is accessing offsite content?
Is it worth doing?

Anyone?  Bueller?

- A.P.
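One way a mail gateway or client could detect the pattern both messages describe, and neutralise it by stripping remote images, as an added example that is not part of either post in this thread (the sample HTML and the track.example / ads.example / cdn.example hosts are constructed):

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Heuristics: a remote <img> that is 1x1, or whose URL carries a per-message
# token (a query string, or '=' / '@' inside the path as in the quoted samples).
REMOTE_IMG = re.compile(r'<img\b[^>]*\bsrc\s*=\s*["\']?https?://[^>]*>', re.I)

def _is_tiny(a):
    w, h = a.get("width", ""), a.get("height", "")
    return w.isdigit() and h.isdigit() and int(w) <= 1 and int(h) <= 1

def _has_token(src):
    parts = urlsplit(src)
    return bool(parts.query) or any(c in parts.path for c in "=@")

class WebBugScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (src, [reasons])

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        src = a.get("src", "")
        if not src.lower().startswith(("http://", "https://")):
            return  # cid:/data: images cannot report back to a server
        reasons = [why for hit, why in ((_is_tiny(a), "1x1"),
                                        (_has_token(src), "token in URL")) if hit]
        if reasons:
            self.findings.append((src, reasons))

def scan_html(body):
    """Return [(src, reasons)] for every suspected web bug in body."""
    p = WebBugScanner()
    p.feed(body)
    p.close()
    return p.findings

def strip_remote_images(body):
    """Mitigation: drop every remote <img> so opening the mail fetches nothing."""
    return REMOTE_IMG.sub("<!-- remote image removed -->", body)

# Constructed sample modelled on the messages quoted in this thread.
SAMPLE = """<html><body><p>Your order has shipped.</p>
<img src="cid:logo" width="120" height="40">
<img src="http://track.example/blankpixel.gif/Key=9562.AbCd" width="1" height="1">
<img src="http://ads.example/adstream.cgi/email@Bottom1">
<img src="http://cdn.example/banner.png" width="468" height="60">
</body></html>"""
```

The scanner only flags what looks like a beacon; the stripper removes all remote images, which is the blunt but reliable answer to the "warn or block" question raised above.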


