Educause Security Discussion mailing list archives

Re: E-mail Privacy


From: Brian Eckman <eckman () UMN EDU>
Date: Tue, 25 May 2004 16:11:21 -0500

Gary Flynn wrote:
Glenn Leavell wrote:

Many e-mail clients have a setting to disallow the viewing/loading of
remote images, which should neutralize the didtheyreadit service.  For
example, I know that Mozilla Thunderbird, Eudora, and Squirrelmail all
have this option.


I've been using that feature for some time in both Netscape and
Mozilla and felt somewhat comfortable until a couple days ago.
Then my computer showed up in an IDP report accessing a web
site trying an IE exploit. I backtracked through my messages
and found a piece of SPAM that caused my Mozilla client to access
the web site every time the message was displayed.

The message contained:
<object-disabled data="&#104;&#116;&#116;&#112;&#58;&#47;&#47;&#119;&#119;&#119;&#46;&#102;&#97;&#116;&#98;&#111;&#110;&#117;&#115;&#99;&#97;&#115;&#105;&#110;&#111;&#46;&#99;&#111;&#109;&#47;&#112;&#97;&#103;&#101;&#46;&#112;&#104;&#112;">

without the "-disabled" in the object tag

It's just an encoded URL, but my Mozilla client followed
it immediately when the message was displayed. Sigh.
More disillusionment. :)

I don't see a setting specifically disabling HTML mail
rendering of received messages in mozilla, which, I guess
would have prevented it.

Gary,

Wow, nice find! It looks like the Mozilla engineers took some
programming tips from the folks at Redmond with that bug.

<rant>
When will people realize that filtering the bad just doesn't work? You
need to define what to allow, and allow only that. Otherwise, someone
will find a way around your filter.
</rant> (sorry, I'm on a roll I guess)

Sigh. Perhaps I'll go back to using Outlook Express 6 at work (gasp!).
At least it lets me display all E-mail as plain text. Or I can read all
of my E-mail in Pine on a FreeBSD box....

Thanks much for reporting that. That certainly changes things.

Brian
(feeling at least remotely comfortable still, as at least his default
browser is not IE)

--
Brian Eckman
Security Analyst
OIT Security and Assurance
University of Minnesota

"Friends don't send friends HTML E-mail"
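An added example, not part of the thread, of the allowlist-style check Brian's rant argues for: the sample message, the placeholder host `example.invalid` and the tag allowlist are all assumptions of this illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tags an HTML-mail renderer may fetch a remote resource for, and the
# attributes that carry the URL. Blocking only <img src> misses the rest.
REMOTE_ATTRS = {
    "img": ("src",), "object": ("data",), "embed": ("src",),
    "iframe": ("src",), "script": ("src",), "link": ("href",),
    "input": ("src",), "video": ("src", "poster"), "audio": ("src",),
}
# Allowlist (assumed set): anything not named here is reported, not filtered out by name.
ALLOWED_TAGS = {"p", "br", "b", "i", "u", "em", "strong", "a",
                "ul", "ol", "li", "blockquote"}

class RemoteRefFinder(HTMLParser):
    """Collect remote references and non-allowlisted tags from an HTML body.

    HTMLParser decodes character references (&#104;... -> 'h') in attribute
    values before handing them over, as a mail client's renderer does, so
    the entity obfuscation seen in the thread is transparent to the check."""
    def __init__(self):
        super().__init__()
        self.remote = []         # (tag, attr, decoded url)
        self.disallowed = set()  # tags outside ALLOWED_TAGS

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            self.disallowed.add(tag)
        for name, value in attrs:
            if value and name in REMOTE_ATTRS.get(tag, ()):
                url = value.strip()
                # cid:/data: are inline; only network schemes count as remote
                if urlparse(url).scheme.lower() in ("http", "https", "ftp"):
                    self.remote.append((tag, name, url))

def scan_html_mail(body):
    p = RemoteRefFinder()
    p.feed(body)
    p.close()
    return {"remote": p.remote, "disallowed": sorted(p.disallowed)}

# Constructed sample: decimal-entity-encoded "http://example.invalid/p.php"
ENCODED_URL = ("&#104;&#116;&#116;&#112;&#58;&#47;&#47;"         # http://
               "&#101;&#120;&#97;&#109;&#112;&#108;&#101;&#46;"  # example.
               "&#105;&#110;&#118;&#97;&#108;&#105;&#100;"       # invalid
               "&#47;&#112;&#46;&#112;&#104;&#112;")             # /p.php
SAMPLE = ('<p>Hello</p><img src="cid:inline1">'
          '<object data="' + ENCODED_URL + '"></object>')

if __name__ == "__main__":
    print(scan_html_mail(SAMPLE))
```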
