OT: Secret email?!
Steven M. Bellovin
smb at research.att.com
Fri Nov 30 01:18:37 UTC 2001
In message <E9BBE0941932D511934C0002A52CDB4E0127F6B2 at sj-exchange.wyse.com>, Joe
>I know this might have been brought up before so please disregard if
> so. Thought it might be of interest to some.
> While looking for ways to indicate that nimda/codered etc. was
>pushed to a client within my network, I tripped across something
>completely unrelated, but interesting.
>It seems these email clients that utilize html formatting also
>send out information unknowingly. I know nothing new, but here's
>the scenario. A spam email arrives, client opens/previews the email
>and its pretty gifs/jpgs etc., while at the bottom a link is retrieving
>what looks like a logo. Example:
>.com&msgid=281101000" width="109" height="16" border="0"
>What it does in fact is send information to a host
>(from the firewall's view):
>> 12:54:01: %PIX-5-304001: 10.1.1.10 Accessed URL
>> 18.104.22.168:/counter.php?client=newhorizons&email=myemail at domain.com&msgid
>(from the host's view):
>GET /counter.php?client=newhorizons&email=myemail at domain.com&msgid=281101000
>which in turn (I suppose) places my email address into a database that's used
>for spamming. i.e. verifying that my email address is valid. While watching
>for this behavior, I saw about 10 other nodes/users do this, none of which
>knew the information had been sent out. Kind of sneaky if you ask me.
Yup -- that's why I turn off images on those rare occasions that I
bother to read html email.
--Steve Bellovin, http://www.research.att.com/~smb
Full text of "Firewalls" book now at http://www.wilyhacker.com
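
An added example, not part of the original thread: one way to pick such beacon requests out of PIX 304001 "Accessed URL" log lines like the one quoted above, by flagging query parameters whose value is an e-mail address and grouping the internal clients per beacon endpoint. The sample log lines, addresses and the function name `find_beacons` are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Layout of the "Accessed URL" message as quoted in the post:
#   <time>: %PIX-5-304001: <client ip> Accessed URL <server ip>:<path?query>
LOG_RE = re.compile(
    r"%PIX-5-304001: (?P<client>\S+) Accessed URL (?P<server>[\d.]+):(?P<url>\S+)"
)
# Loose shape check for an address; enough to flag a parameter for review.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

def find_beacons(lines):
    """Return {(server, path): {client_ip: {addresses seen in the query}}}."""
    hits = defaultdict(lambda: defaultdict(set))
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # not an Accessed URL record
        parts = urlsplit(m["url"])
        # parse_qsl percent-decodes values, so email=user%40example.com is caught too
        for _name, value in parse_qsl(parts.query, keep_blank_values=True):
            if EMAIL_RE.match(value):
                hits[(m["server"], parts.path)][m["client"]].add(value.lower())
    return {endpoint: dict(clients) for endpoint, clients in hits.items()}

# Constructed sample lines (documentation IP ranges, example.com addresses)
SAMPLE = [
    "12:54:01: %PIX-5-304001: 192.0.2.10 Accessed URL "
    "198.51.100.7:/counter.php?client=acme&email=alice@example.com&msgid=1001",
    "12:54:09: %PIX-5-304001: 192.0.2.11 Accessed URL "
    "198.51.100.7:/counter.php?client=acme&email=bob%40example.com&msgid=1002",
    "12:54:12: %PIX-5-304001: 192.0.2.10 Accessed URL "
    "203.0.113.5:/images/logo.gif?v=3",
    "12:54:15: unrelated log line that is not an Accessed URL record",
]

if __name__ == "__main__":
    for (server, path), clients in find_beacons(SAMPLE).items():
        print(f"{server}{path}: {len(clients)} internal client(s)")
        for client, addresses in sorted(clients.items()):
            print(f"  {client} sent {', '.join(sorted(addresses))}")
```

Several internal clients hitting the same endpoint, each with a different address in the query, is the pattern described in the quoted post.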