Re: HTML email "bug", of sorts.

From: John Fitzgibbon (fitzat_private)
Date: Mon Aug 20 2001 - 20:55:29 PDT

Next message: Dave Ahmed: "*ALERT* UPDATED BID 3163 (URGENCY 6.58): Sendmail Debugger Arbitrary Code Execution Vulnerability (fwd)"

Previous message: Michael Faurot: "Re: Multiple-Vendor-FTP-Vuln. (old?)"
In reply to: Thorat_private: "Re: HTML email "bug", of sorts."
Next in thread: Ben Yu: "RE: HTML email "bug", of sorts."
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

> Under Outlook, this isn't possible.
...and...
> This is a kludge, and I know it is a kludge, ....
...and ...
>There just doesn't seem to be a good compromise here.

This is possible, (I'm using it right now)...
It's not a kludge, (in my book anyway)...
And it's a pretty decent compromise...
... and it has (at least one) nice side-effect :-)

1. Install cygwin, (freely available from redhat)

2. Create a shell script to port forward your mail:
#!/bin/sh
ssh -L 25:localhost:25 -L 110:localhost:110 mailxxx.xxx.domain

3. Create a batch file to call the script,
(for example, say it's my_mail_forwarder.sh):
@echo off
C:
chdir \cygwin\bin
bash --login my_mail_forwarder.sh

4. Create a shortcut to the batch file. Run it before you use mail to log on
to your mailserver with port forwarding, (use keys if you don't want to have
to type passwords).

5. Configure Outlook to pop/smtp off localhost,
(under Tools -> Accounts -> Properties)

At this point, you should be downloading your mail securely from your
mailserver, (this is the nice side-effect). But not done yet....

6. Install Zone Alarm.
(Free for personal use, $20 for biz -- you don't need the pro version.)

7. In ZA Control Center -> Security -> Advanced:
Add 127.0.0.1 to the local network, (not sure why it's not there by default)

8. When Outlook next tries to access "Local Network", (popping/sending mail
via the port forwarding ssh session), tell ZA to allow this traffic, (and
remember this setting). When it tries to access the "Internet", (for example
when you open a HTML email), tell ZA to block this traffic, (and remember
this setting).

At this point you are sorted. Outlook will happily render HTML emails in
readable format, but will be blocked from fetching images, (and other nasty
activity that it is prone to undertaking without your consent).

If you have multiple email accounts on different servers, port forward
other, (unused), local ports and configure the Outlook account's ports
appropriately, (Advanced tab in account settings).

Next message: Dave Ahmed: "*ALERT* UPDATED BID 3163 (URGENCY 6.58): Sendmail Debugger Arbitrary Code Execution Vulnerability (fwd)"
Previous message: Michael Faurot: "Re: Multiple-Vendor-FTP-Vuln. (old?)"
In reply to: Thorat_private: "Re: HTML email "bug", of sorts."
Next in thread: Ben Yu: "RE: HTML email "bug", of sorts."
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Mon Aug 20 2001 - 21:18:22 PDT