OT: Secret email?!

Joe Blanchard jblanchard at wyse.com
Fri Nov 30 01:01:28 UTC 2001


Greetings all

I know this might have been brought up before so please disregard if
 so. Thought it might be of interest to some.

	While looking for ways to indicate that nimda/codered ect was 
pushed to a client within my network, I tripped across something 
completely unrelated, but interesting. 

It seems these email clients that utilize html formating also 
send out information unknowingly. I know nothing new, but heres 
the senario. A spam email arrives, client opens/previews the email 
and its pretty gifs/jpgs ect, while at the bottom a link is retrieving 
what looks like a logo. Example:

<a href="http://www.em5000.com"><img
src="http://www.em5000.com/counter.php?client=newhorizons&[email protected]
.com&msgid=281101000" width="109" height="16" border="0"
alt="em5000.com"></a>

What it does in fact is send information to a host 
(from the firewall's view):
> 12:54:01: %PIX-5-304001: 10.1.1.10 Accessed URL
> 66.77.58.92:/counter.php?client=newhorizons&email=myemail at domain.com&msgid
> =281101000 
> 
(from the host's view):
GET /counter.php?client=newhorizons&email=myemail at domain.com&msgid=281101000
HTTP/1.1

which in turn (I suppose) places my email address into a database thats used

for spaming. i.e. verifying that my email address is valid. While watching 
for this behavior, I saw about 10 other nodes/users do this, none of which 
knew the information had been sent out. Kind of sneaky if you ask me.


Cheers
-Joe


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nanog.org/pipermail/nanog/attachments/20011129/ef1656a5/attachment.html>


More information about the NANOG mailing list