Firewall Wizards mailing list archives
Re: HTML Emails and Firewall Security
From: Paul Robertson <proberts () patriot net>
Date: Thu, 31 Jul 2003 08:39:51 -0400 (EDT)
On Thu, 31 Jul 2003, Gary Flynn wrote:
Consider if your email to the list was HTML and contained a link to an image. When read with Microsoft's clients, web clients, and Navigator in certain configurations, my computer would go fetch the link and give you my IP address even if I don't reply to your e-mail. If I forward the message, you'll have a trail of who I forwarded it to. Nice recon tool in unNATed environments if you're looking for the desktop IP addresses used by specific individuals or roles.
It used to be worse than that- the server used to be able to get the client to attempt to send domain authentication information. I think this was fixed a while back though.
That said, we have no plans to ban HTML email.
As for desktop IPs, Outlook Express hands them out; if exposing IPs is a significant issue, then you've likely got bigger problems. At my last employer, we had two routable /16's internally- I wasn't all that concerned about IP address "leakage."

Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
proberts () patriot net which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
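Added example, not part of the original thread: a mail-gateway style check that lists the remote references in a message's HTML parts which a rendering client would fetch on open, which is the behaviour the quoted message describes. The function names, the `AUTO_FETCH` attribute list and the `example.com` sample message are assumptions constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlsplit

# (tag, attribute) pairs a rendering client may fetch without user action.
# Assumed list for illustration; real clients differ.
AUTO_FETCH = {("img", "src"), ("input", "src"), ("iframe", "src"),
              ("embed", "src"), ("link", "href"), ("body", "background"),
              ("table", "background"), ("td", "background")}

def is_remote(url: str) -> bool:
    """True for URLs that cause a network fetch (cid:/data: stay local)."""
    url = url.strip()
    return url.startswith("//") or urlsplit(url).scheme.lower() in ("http", "https", "ftp")

class RemoteRefFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names before calling this.
        for name, value in attrs:
            if (tag, name) in AUTO_FETCH and value and is_remote(value):
                self.refs.append((tag, name, value.strip()))

def remote_refs(raw: bytes):
    """Return auto-fetched remote references in every text/html part."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    found = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            finder = RemoteRefFinder()
            finder.feed(part.get_content())
            finder.close()
            found.extend(finder.refs)
    return found

def sample_message() -> bytes:
    """Constructed test message: one remote image, one inline cid: image."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.com", "b@example.com", "constructed sample"
    m.set_content("plain-text alternative")
    m.add_alternative('<html><body background="cid:bg"><img src="cid:logo">'
                      '<img src="http://img.example.com/open.gif?id=constructed-1" width="1" height="1">'
                      '<a href="http://example.com/">link</a></body></html>', subtype="html")
    return m.as_bytes()

if __name__ == "__main__":
    for ref in remote_refs(sample_message()):
        print(ref)
```

The ordinary `<a href>` link and the `cid:` references are not reported, since neither triggers a fetch when the message is merely displayed.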