Full Disclosure mailing list archives

Re: CSS in E-Mails possible E-Mail-Validity Check for Spammers?

From: Daniel Veditz <dveditz () cruzio com>
Date: Thu, 04 Nov 2004 11:53:42 -0800

plonk () datenritter de wrote:

I think you all know, how this enables spammers to use HTTP-requests for
CSS-files to check the validity of e-mails-addresses: Instead of
embedding an image with an identification code assigned to the
receipients e-mail-address in the address or as a parameter to the
request, they can now embed an external style sheet definition in
HTML-code with the same "functionality". Analyzing the requests on the
server will show the codes corresponding to valid e-mail-addresses.


Services like Readnotify are already using techniques like this. Currently
the use of <iframe> is popular, for example.

Thunderbird 0.9 (just released) should block all the cases we know about
including CSS stylesheets and frames. In the Mozilla Suite the workaround is
to view messages as Simple HTML or Plain Text.

-Dan Veditz

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Current thread:

CSS in E-Mails possible E-Mail-Validity Check for Spammers? plonk (Nov 02)
- Re: CSS in E-Mails possible E-Mail-Validity Check for Spammers? Peter Besenbruch (Nov 03)
- Re: CSS in E-Mails possible E-Mail-Validity Check for Spammers? Andrew Clover (Nov 03)
  - Re: CSS in E-Mails possible E-Mail-Validity Check for Spammers? Raoul Nakhmanson-Kulish (Nov 03)
- Re: CSS in E-Mails possible E-Mail-Validity Check for Spammers? Heikki Toivonen (Nov 03)
- Re: CSS in E-Mails possible E-Mail-Validity Check for Spammers? Martin Thielecke (Nov 04)
- Re: CSS in E-Mails possible E-Mail-Validity Check for Spammers? Daniel Veditz (Nov 04)