Firewall Wizards mailing list archives

Re: HTML Emails and Firewall Security


From: Paul Robertson <proberts () patriot net>
Date: Thu, 31 Jul 2003 08:39:51 -0400 (EDT)

On Thu, 31 Jul 2003, Gary Flynn wrote:

Consider if your email to the list was HTML and contained a link to
an image. When read with Microsoft's clients, web clients, and Navigator
in certain configurations, my computer would go fetch the link and
give you my IP address even if I don't reply to your e-mail. If I
forward the message, you'll have a trail of who I forwarded it to.
Nice recon tool in unNATed environments if you're looking for the
desktop IP addresses used by specific individuals or roles.

It used to be worse than that - the server used to be able to get the 
client to attempt to send domain authentication information.  I think 
this was fixed a while back though.


That said, we have no plans to ban HTML email.

As for desktop IPs, Outlook Express hands them out; if exposing IPs is a 
significant issue, then you've likely got bigger problems.  At my last 
employer, we had two routable /16s internally - I wasn't all that 
concerned about IP address "leakage."

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () patriot net      which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
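
The remote-image fetch described in the quoted text can be checked for at a mail gateway or in a triage script. The Python below is an added example, not part of the original post; the function names, the tag list and the sample message are constructed for illustration.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

# (tag, attribute) pairs a rendering mail client loads without any user action.
AUTO_FETCH = {("img", "src"), ("body", "background"), ("table", "background"),
              ("td", "background"), ("link", "href"), ("iframe", "src")}
# Schemes resolved from the message itself; anything else can leave the host.
LOCAL_SCHEMES = ("cid:", "data:")

class RemoteRefFinder(HTMLParser):
    """Collect (tag, attribute, url) for each auto-loaded external reference."""
    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):  # names arrive lowercased
        for name, value in attrs:
            url = (value or "").strip()
            local = url.lower().startswith(LOCAL_SCHEMES)
            if (tag, name) in AUTO_FETCH and url and not local:
                self.refs.append((tag, name, url))

def remote_refs(raw_message):
    """Scan every text/html part of an RFC 822 message for external references."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    finder = RemoteRefFinder()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            finder.feed(part.get_content())
    finder.close()
    return finder.refs

def hosts_contacted(raw_message):
    """Hosts that would see the reader's IP address if the HTML were rendered."""
    return sorted({urlsplit(u).hostname or u for _, _, u in remote_refs(raw_message)})

# Constructed sample: one per-recipient remote image, one inline (cid:) image,
# and an ordinary link that is only followed if the reader clicks it.
SAMPLE = """\
Subject: constructed sample
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"

<html><body background="cid:bg@example.com">
<a href="http://example.com/page">link</a> <img src="cid:logo@example.com">
<IMG SRC="http://tracker.example.com/pixel.gif?id=reader42" width=1 height=1>
</body></html>
"""
```

A gateway could use the returned list to tag or quarantine the message, or to rewrite the flagged attributes before delivery.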

