Re: OT: Secret email?!

["Steven M. Bellovin" <smb () research att com>]

In message <E9BBE0941932D511934C0002A52CDB4E0127F6B2 () sj-exchange wyse com>, Joe
 Blanchard writes:

> Greetings all
>
> I know this might have been brought up before so please disregard if
> so. Thought it might be of interest to some.
>
>       While looking for ways to indicate that nimda/codered ect was 
> pushed to a client within my network, I tripped across something 
> completely unrelated, but interesting. 
>
> It seems these email clients that utilize html formating also 
> send out information unknowingly. I know nothing new, but heres 
> the senario. A spam email arrives, client opens/previews the email 
> and its pretty gifs/jpgs ect, while at the bottom a link is retrieving 
> what looks like a logo. Example:
>
> <a href="http://www.em5000.com";><img
> src="http://www.em5000.com/counter.php?client=newhorizons&email=myemail@addy
> .com&msgid=281101000" width="109" height="16" border="0"
> alt="em5000.com"></a>
>
> What it does in fact is send information to a host 
> (from the firewall's view):
> > 12:54:01: %PIX-5-304001: 10.1.1.10 Accessed URL
> > 66.77.58.92:/counter.php?client=newhorizons&email=myemail () domain com&msgid
> > =281101000 
> (from the host's view):
> GET /counter.php?client=newhorizons&email=myemail () domain com&msgid=281101000
> HTTP/1.1
>
> which in turn (I suppose) places my email address into a database thats used
>
> for spaming. i.e. verifying that my email address is valid. While watching 
> for this behavior, I saw about 10 other nodes/users do this, none of which 
> knew the information had been sent out. Kind of sneaky if you ask me.

Yup -- that's why I turn off images on those rare occasions that I 
bother to read html email.

                --Steve Bellovin, http://www.research.att.com/~smb
                Full text of "Firewalls" book now at http://www.wilyhacker.com