nanog mailing list archives
Re: OT: Secret email?!
From: "Steven M. Bellovin" <smb () research att com>
Date: Thu, 29 Nov 2001 20:18:37 -0500
In message <E9BBE0941932D511934C0002A52CDB4E0127F6B2 () sj-exchange wyse com>, Joe Blanchard writes:
Greetings all

I know this might have been brought up before so please disregard if so. Thought it might be of interest to some.

While looking for ways to indicate that nimda/codered etc. was pushed to a client within my network, I tripped across something completely unrelated, but interesting. It seems these email clients that utilize html formatting also send out information unknowingly. I know, nothing new, but here's the scenario.

A spam email arrives, client opens/previews the email and its pretty gifs/jpgs etc., while at the bottom a link is retrieving what looks like a logo. Example:

<a href="http://www.em5000.com"><img src="http://www.em5000.com/counter.php?client=newhorizons&email=myemail@addy .com&msgid=281101000" width="109" height="16" border="0" alt="em5000.com"></a>

What it does in fact is send information to a host

(from the firewall's view):
12:54:01: %PIX-5-304001: 10.1.1.10 Accessed URL 66.77.58.92:/counter.php?client=newhorizons&email=myemail () domain com&msgid =281101000

(from the host's view):
GET /counter.php?client=newhorizons&email=myemail () domain com&msgid=281101000 HTTP/1.1

which in turn (I suppose) places my email address into a database that's used for spamming, i.e. verifying that my email address is valid.

While watching for this behavior, I saw about 10 other nodes/users do this, none of which knew the information had been sent out. Kind of sneaky if you ask me.

Yup -- that's why I turn off images on those rare occasions that I bother to read html email.

		--Steve Bellovin, http://www.research.att.com/~smb
		Full text of "Firewalls" book now at http://www.wilyhacker.com
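
The firewall-side check described in the quoted message, as an added example that is not part of the original thread: it scans PIX URL log lines in the layout shown above and reports requests whose query string carries an e-mail address. The sample log lines, IP addresses and e-mail addresses are constructed for illustration, and the function name find_beacons is hypothetical.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Log layout as shown in the post: "<client> Accessed URL <server>:<path?query>"
PIX_URL = re.compile(r"%PIX-5-304001: (\S+) Accessed URL ([\d.]+):(\S+)")
# Deliberately loose: anything shaped like local@domain.tld counts as a leak.
EMAIL = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Constructed sample lines (hosts and addresses are made up for this example).
SAMPLE_LOG = """\
12:54:01: %PIX-5-304001: 10.1.1.10 Accessed URL 192.0.2.92:/counter.php?client=newhorizons&email=alice@example.com&msgid=281101000
12:54:07: %PIX-5-304001: 10.1.1.23 Accessed URL 192.0.2.92:/counter.php?client=newhorizons&email=bob%40example.com&msgid=281101000
12:55:10: %PIX-5-304001: 10.1.1.10 Accessed URL 198.51.100.7:/images/logo.gif
12:56:42: %PIX-5-304001: 10.1.1.31 Accessed URL 198.51.100.7:/search?q=firewalls
"""

def find_beacons(log_text):
    """Return {(server, path): [(client_ip, param, address), ...]} for every
    logged request whose query string carries an e-mail address."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = PIX_URL.search(line)
        if not m:
            continue  # not a URL-access record
        client, server, url = m.groups()
        parts = urlsplit(url)
        # parse_qsl percent-decodes, so "bob%40example.com" is caught too.
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            if EMAIL.match(value):
                hits[(server, parts.path)].append((client, name, value))
    return dict(hits)

if __name__ == "__main__":
    for (server, path), seen in find_beacons(SAMPLE_LOG).items():
        print(f"{server}{path}: {len(seen)} request(s) carrying an address")
        for client, name, value in seen:
            print(f"  {client} sent {name}={value}")
```

Grouping by server and path puts all internal clients that fetched the same counter URL under one key, which is how the "about 10 other nodes" in the message would show up.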