Educause Security Discussion mailing list archives
Re: E-mail Privacy
From: Brian Eckman <eckman () UMN EDU>
Date: Tue, 25 May 2004 16:11:21 -0500
Gary Flynn wrote:
> Glenn Leavell wrote:
>> Many e-mail clients have a setting to disallow the viewing/loading of remote images, which should neutralize the didtheyreadit service. For example, I know that Mozilla Thunderbird, Eudora, and Squirrelmail all have this option.
>
> I've been using that feature for some time in both Netscape and Mozilla and felt somewhat comfortable until a couple days ago. Then my computer showed up in an IDP report accessing a web site trying an IE exploit. I backtracked through my messages and found a piece of SPAM that caused my Mozilla client to access the web site every time the message was displayed. The message contained:
>
> <object-disabled data=3D"http://&#= 119;ww.fatbonusc&#= 97;sino.com/pag= 01;.php">
>
> without the "-disabled" in the object tag.
>
> It's just an encoded URL but my Mozilla client followed it immediately when the message was displayed.
>
> Sigh. More disillusionment. :)
>
> I don't see a setting specifically disabling HTML mail rendering of received messages in Mozilla, which, I guess, would have prevented it.
Gary,

Wow, nice find! It looks like the Mozilla engineers took some programming tips from the folks at Redmond with that bug.

<rant>
When will people realize that filtering the bad just doesn't work? You need to define what to allow, and allow only that. Otherwise, someone will find a way around your filter.
</rant>
(sorry, I'm on a roll I guess)

Sigh. Perhaps I'll go back to using Outlook Express 6 at work (gasp!). At least it lets me display all E-mail as plain text. Or I can read all of my E-mail in Pine on a FreeBSD box....

Thanks much for reporting that. That certainly changes things.

Brian
(feeling at least remotely comfortable still, as at least his default browser is not IE)

--
Brian Eckman
Security Analyst
OIT Security and Assurance
University of Minnesota

"Friends don't send friends HTML E-mail"

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
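Added example (not part of the original message, and not any mail client's code): the entity-encoded <object> reference described in the quoted report, passed through a filter that strips only remote images and through a renderer that re-emits only an allowlist of tags, the approach the reply argues for. The sample message, the example.invalid host names, the tag allowlist and all function names are constructed for illustration.

```python
import re
from html import escape
from html.parser import HTMLParser

# Constructed sample message; example.invalid is a reserved, non-resolving name.
SAMPLE = (
    '<p>Hello <b>there</b></p>'
    '<img src="http://tracker.example.invalid/pixel.gif">'
    '<object data="http://&#119;ww.example.invalid/page.php"></object>'
)

def denylist_filter(html):
    """'Filter the bad': remove only the remote-loading tag we thought of."""
    return re.sub(r'<img\b[^>]*>', '', html, flags=re.I)

ALLOWED_TAGS = {"p", "b", "i", "br", "blockquote"}  # assumed allowlist

class AllowlistRenderer(HTMLParser):
    """'Define what to allow': re-emit allowed tags only, dropping all attributes."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
    def handle_starttag(self, tag, attrs):
        if tag in ALLOWED_TAGS:
            self.out.append(f"<{tag}>")
    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        self.out.append(escape(data))

def allowlist_filter(html):
    renderer = AllowlistRenderer()
    renderer.feed(html)
    renderer.close()
    return "".join(renderer.out)

class RemoteRefFinder(HTMLParser):
    """Audit helper: list every attribute that decodes to an http(s) URL."""
    def __init__(self):
        super().__init__()
        self.refs = []
    def handle_starttag(self, tag, attrs):
        for name, value in attrs:  # values arrive with character references decoded
            if value and re.match(r'\s*https?://', value, re.I):
                self.refs.append((tag, name, value))

def remote_refs(html):
    finder = RemoteRefFinder()
    finder.feed(html)
    finder.close()
    return finder.refs
```

Calling remote_refs() on each filter's output shows what a renderer would still fetch: the image-only filter leaves the <object> reference in place, while the allowlist output contains no remote references.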