OT: Secret email?!

Joe Blanchard jblanchard at wyse.com
Fri Nov 30 01:01:28 UTC 2001


Greetings all

I know this might have been brought up before so please disregard if
 so. Thought it might be of interest to some.

While looking for ways to indicate that nimda/codered etc. was 
pushed to a client within my network, I tripped across something 
completely unrelated, but interesting. 

It seems these email clients that utilize HTML formatting also 
send out information unknowingly. I know, nothing new, but here's 
the scenario. A spam email arrives, client opens/previews the email 
and its pretty gifs/jpgs etc., while at the bottom a link is retrieving 
what looks like a logo. Example:

<a href="http://www.em5000.com"><img
src="http://www.em5000.com/counter.php?client=newhorizons&email=myemail@addy.com&msgid=281101000"
width="109" height="16" border="0" alt="em5000.com"></a>

What it does in fact is send information to a host 
(from the firewall's view):
> 12:54:01: %PIX-5-304001: 10.1.1.10 Accessed URL
> 66.77.58.92:/counter.php?client=newhorizons&email=myemail at domain.com&msgid=281101000
> 
(from the host's view):
GET /counter.php?client=newhorizons&email=myemail at domain.com&msgid=281101000 HTTP/1.1

which in turn (I suppose) places my email address into a database that's used 
for spamming, i.e. verifying that my email address is valid. While watching 
for this behavior, I saw about 10 other nodes/users do this, none of which 
knew the information had been sent out. Kind of sneaky if you ask me.


Cheers
-Joe
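
Added example (not part of the original post): one way to find this behavior in the same PIX URL log, by flagging any fetched URL whose query string carries an e-mail address and listing which internal hosts fetched it. The function names, the sample log lines and the addresses in them are constructed for illustration; only the %PIX-5-304001 line layout is taken from the post.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# PIX URL-log layout as quoted in the post: "<client> Accessed URL <server>:<path?query>"
LOG_RE = re.compile(r"%PIX-5-304001: (\S+) Accessed URL (\S+?):(/\S*)")
# Loose pattern: enough to spot an address used as a parameter value.
ADDR_RE = re.compile(r"^[\w.+-]+@[\w-]+(\.[\w-]+)+$")

# Constructed sample lines (documentation IP ranges, example.com addresses).
SAMPLE_LOG = """\
12:54:01: %PIX-5-304001: 10.1.1.10 Accessed URL 192.0.2.80:/counter.php?client=acme&email=alice@example.com&msgid=1001
12:54:09: %PIX-5-304001: 10.1.1.23 Accessed URL 192.0.2.80:/counter.php?client=acme&email=bob%40example.com&msgid=1001
12:55:30: %PIX-5-304001: 10.1.1.10 Accessed URL 198.51.100.7:/images/logo.gif
12:56:02: %PIX-5-304001: 10.1.1.31 Accessed URL 198.51.100.7:/search?q=firewall+logs
""".splitlines()

def beacon_hits(lines):
    """Yield (client, server, path, address) for requests that leak an address."""
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # not a URL-access record
        client, server, url = m.groups()
        path, _, query = url.partition("?")
        for pair in query.split("&"):
            # Percent-decode by hand so %40 becomes "@" and "+" in an address survives.
            value = unquote(pair.partition("=")[2])
            if ADDR_RE.match(value):
                yield client, server, path, value
                break  # one hit per request is enough

def summarize(lines):
    """Map each (server, path) endpoint to the set of internal clients that hit it."""
    seen = defaultdict(set)
    for client, server, path, _addr in beacon_hits(lines):
        seen[(server, path)].add(client)
    return dict(seen)

if __name__ == "__main__":
    for (server, path), clients in summarize(SAMPLE_LOG).items():
        print(f"{server}{path}: fetched by {sorted(clients)}")
```
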




More information about the NANOG mailing list