This past thread has been following the lines of how the img tag can be used to track a person's usage, or verify the existence of an email address. This is just an issue of privacy. Maybe it's obvious, but I'd like to point it out anyways. There exists more dangerous and malicious use of this hole. It would be possible for a person to send an email via some anonymous remailer to introduce a URL attack to the world. This essentially gets the receiver to execute the attack. Virus writers, like the one of code red, could have used something like this to remove the possibility that it could be traced back. All the ideas of filtering, and the use of different clients are good ideas. But in this real world, many people just use outlook because work requires it (me included). I think that is where a fix needs to implemented. I don't even see having an option to disable downloading of images as a good fix. People want to see the images their friends send. If by default we don't download, yet still leave an option so the user can 'double-click', we're still vulnerable to a bit of social engineering. There just doesn't seem to be a good compromise here. -----Original Message----- From: Alex Prestin [mailto:wakkoat_private] Sent: Saturday, August 18, 2001 3:17 AM To: bugtraqat_private Subject: HTML email "bug", of sorts. I'm not sure this is the proper forum for "conspiracy-theory" bugs, but I figured this would be of interest to anyone trying to prevent the names of valid email accounts they either own or administer from being verified and added to "official" known-good spam rosters. You may have heard of "web-bugs" before. Or you may not have. For the benefit of the less-experienced, here's what they are and what they do: "Web bugs" are small, 1x1 (or similar-sized) transparent GIF images which can be used to track the movement of a user around the web. About 1 in 10 sites use them. Their effectiveness at this task is somewhat questionable, but they can be used more effectively for a different task: I've started noticing something very disturbing in the HTML in spam mails recently. I've started seeing web bugs. Below is an example from a recent email: <img src="http://www.megahardcoresex.com/sites/XXXXXXXX0 (continued) 3b/sf03b08152001.gif?M=XXXXXXXXX&ID=wakkoat_private" width="1" height="1"> See it? A web bug. If I opened this mail in an HTML-capable browser, that little image would've popped up and I would've been none the wiser. My address would also have been verified by the sender, and stored in a large database of valid recipients. So, anyone have any idea of how to deal with this latest little spammer toy? Is there any effective way to filter out web bugs without adversely affecting the delivery intact of legitimate messages? Could software change to at least warn viewers that this HTML viewer is accessing offsite content? Is it worth doing? Anyone? Bueller? - A.P.
This archive was generated by hypermail 2b30 : Mon Aug 20 2001 - 20:39:27 PDT