Re: HTML email "bug", of sorts.

From: Peter W (peterwat_private)
Date: Tue Aug 21 2001 - 03:39:12 PDT

    On Mon, Aug 20, 2001 at 07:39:24PM -0500, Mark Tinberg wrote:
    
    > I think that Walter hinted at another scheme that hasn't yet been
    > explicitly mentioned.  By making a request like the one below the spammer
    > can use their DNS server logs to track messages, even if all TCP access is
    > blocked by a personal firewall.
    
    Yep, nice point.
    
    > The answer, as stated below, is that any email client that does HTML mail
    > should be highly restricted on what tags it interprets (no "active"
    > content) and should not display anything that didn't come included with
    > the message.  Possibly there should be a special DTD just for this
    > purpose.
    
    See RFC 2392, which describes how rich messages (like HTML) can refer to 
    other objects included with the same multipart message. There may still be 
    vulnerabilities if the attachment is hostile, especially if your rendering 
    engine (I'm thinking about Internet Explod^Hrer here) ignores the MIME 
    type specified in the message headers. But at least restricting the message 
    to included content via RFC 2392 allows attractive messages with no web 
    bug, Cross-Site Request Forgery, distributed URL DoS, or other wickedness.
    
    The ZoneAlarm-type tricks are neat; I assume those folks don't often use
    webmail applications like acmemail/squirrelmail/hotmail, where restricting 
    the message to cid:/RFC 2392 references is about the only sane approach.
    
    -Peter
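
The restriction to cid:/RFC 2392 references discussed in the message above, as an added example that is not part of the original post: a Python check that lists every URL-bearing attribute in a message's HTML parts that does not resolve to a part included in the same message. The attribute list, the function and class names, and the sample message (hostnames, Content-IDs) are assumptions made for illustration; the policy is deliberately strict, so ordinary hyperlinks are reported too.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import unquote

# Attributes that can carry a URL (assumed list, not exhaustive).
URL_ATTRS = {"src", "href", "background", "action", "data", "poster", "srcset"}

# Constructed sample message; all hostnames and Content-IDs are made up.
SAMPLE = b"""\
Content-Type: multipart/related; boundary="b1"

--b1
Content-Type: text/html; charset="us-ascii"

<html><body background="http://id-123.tracker.example/bg.gif">
<img src="cid:logo@example.invalid">
<img src="http://tracker.example/pixel.gif?id=123">
<img src="cid:missing@example.invalid">
</body></html>
--b1
Content-Type: image/gif
Content-ID: <logo@example.invalid>

(image bytes omitted)
--b1--
"""

class RefCollector(HTMLParser):
    """Collect (tag, attribute, value) for every URL-bearing attribute."""
    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in URL_ATTRS and value:
                self.refs.append((tag, name, value.strip()))

def non_included_refs(raw: bytes):
    """Return references in HTML parts that are not cid: URLs of an included part."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    # Content-IDs of all parts shipped with the message, without angle brackets.
    cids = {p["Content-ID"].strip().strip("<>") for p in msg.walk() if p["Content-ID"]}
    bad = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            collector = RefCollector()
            collector.feed(part.get_content())
            bad += [r for r in collector.refs
                    if not (r[2].lower().startswith("cid:") and unquote(r[2][4:]) in cids)]
    return bad
```

A webmail application could refuse to render, or strip, anything this returns; URLs inside `style` attributes or `<style>` blocks are not inspected here and would need the same treatment.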
    


