Hi Bugtraq,

I've been following this particular thread with a great deal of interest, as it directly relates to my present academic course work. Although the focus of the debate thus far has been centered on spam, I think there is a greater ethical dilemma posed by this "bug".

I never took the time to look through the HTML code of e-mails that I normally receive and have subscribed to, but this thread opened my eyes. I was very surprised to see an img src tag with an invisible hyperlinked gif at the bottom of *every* HTML e-mail I've received. Keep in mind these are "legitimate e-mails": received from news subscriptions, as a result of shopping online and filing a profile, and from registering software. Here are some highlights:

_____=====***=====_____

The New York Times on the Web Headlines newsletter, which just recently went to HTML format:

<IMG SRC="http://images2.nytimes.com/RealMedia/ads/adstream_nx.cgi/email.nytimes.com/todaysheadlines/html@Bottom1">
</BODY>
</HTML>

***Privacy policy at http://www.nytimes.com/info/help/privacy.html does a fairly decent job of explaining that they use RealMedia as an advertising server. I would presume that is what this link is for.

_____=====***=====_____

Staples.com, at the bottom of their HTML ads sent to all online shoppers:

<img src="http://od.ed10.net/od/V6P3/H08/EK5O6F">[[V6P3-H08-EK5O6F-H]]27689 0
</body>
</html>

***Privacy policy at http://www.staples.com/help/default.asp?area=privacy doesn't say anything about why they are collecting information from the e-mails they send out, or how it's being used. At least Staples has the decency to put some text at the bottom after the tag so that you know where it is.

_____=====***=====_____

The Learning Company Family Focus Newsletter (a.k.a. advertisement), resulting from product registration:

<img src="http://info.learningco.com/images/blankpixel.gif/Key=9562.Ftzu.DzF2lN">
</HTML>

***Privacy policy at http://www.learningco.com/Info.asp?Info=1805 doesn't say anything about why they are collecting information from the e-mails they send out, or how it's being used. I like the name of the gif -- it says it all!

_____=====***=====_____

<!-- on soap box -->

The point is that this coding technique is being widely used to harvest information from subscribers, probably for demographic or similar purposes; it depends on the source. The problem is that companies aren't telling their customers/subscribers in a direct manner that they are doing this. One must first know and understand the technology, then go and seek out a privacy policy, and maybe -- just maybe -- find an answer. More often than not, the privacy policy is buried in the middle of a lengthy legal statement for COPPA compliance to keep EPIC and the ACLU off their backs.

If companies are going to use this technique for "legitimate" purposes (very loosely defined), they should be upfront about it and let their customers know. If someone or some company is going to track my shopping habits and data-mine my e-mail, I would appreciate the courtesy of their letting me know that they're digging into my private life before they do. This much can be done, and should be done.

<!-- /off soap box -->

There... I feel better. Venting complete.

Jeffrey W. Dronenburg, Sr.
MIS Major, Univ. of Maryland, Univ. College
Alpha Sigma Lambda

-----Original Message-----
From: Alex Prestin [mailto:wakkoat_private]
Sent: Saturday, August 18, 2001 3:17 AM
To: bugtraqat_private
Subject: HTML email "bug", of sorts.

I'm not sure this is the proper forum for "conspiracy-theory" bugs, but I figured this would be of interest to anyone trying to prevent the names of valid email accounts they either own or administer from being verified and added to "official" known-good spam rosters.

You may have heard of "web bugs" before. Or you may not have. For the benefit of the less experienced, here's what they are and what they do:

"Web bugs" are small, 1x1 (or similar-sized) transparent GIF images which can be used to track the movement of a user around the web. About 1 in 10 sites use them. Their effectiveness at this task is somewhat questionable, but they can be used more effectively for a different task:

I've started noticing something very disturbing in the HTML in spam mails recently. I've started seeing web bugs. Below is an example from a recent email:

<img src="http://www.megahardcoresex.com/sites/XXXXXXXX0 (continued)
3b/sf03b08152001.gif?M=XXXXXXXXX&ID=wakkoat_private" width="1" height="1">

See it? A web bug. If I opened this mail in an HTML-capable browser, that little image would've popped up and I would've been none the wiser. My address would also have been verified by the sender and stored in a large database of valid recipients.

So, anyone have any idea of how to deal with this latest little spammer toy? Is there any effective way to filter out web bugs without adversely affecting the intact delivery of legitimate messages? Could software change to at least warn viewers that this HTML viewer is accessing offsite content? Is it worth doing?

Anyone? Bueller?

- A.P.
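Added example, not code posted by either author in this thread: a small Python scanner that does the two things the question above asks for, and that also covers the shapes quoted in the reply (the tiny `width="1" height="1"` image with `ID=` in its query string, and the `blankpixel.gif/Key=...` style where the identifier is embedded in the path). It lists every remote `<img>` a mail client would fetch, attaches heuristic reasons why each one looks like a web bug, and rewrites the HTML so no remote image is fetched at all. The heuristics (size threshold, telltale path words, the list of identifier parameter names), the `data-blocked-src` attribute name and the `SAMPLE_MAIL` message with its example.* hosts are all assumptions constructed for this example.

```python
"""Scan HTML e-mail for "web bugs" and neutralise remote images.

Added example for this thread, not code posted by either author.
Assumptions: the heuristics below (tiny size, telltale path words,
identifier-carrying URLs), the data-blocked-src attribute name, and the
constructed SAMPLE_MAIL are all inventions for illustration.
"""
import re
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlsplit

# Query-parameter names often used to carry a per-recipient identifier (assumed list).
ID_PARAM_NAMES = {"id", "key", "uid", "rid", "email", "e", "u", "subscriber"}
# Path fragments typical of tracking pixels (assumed list).
TELLTALE_PATH_RE = re.compile(r"blank|clear|spacer|pixel|1x1|track|beacon", re.I)


def _px(value):
    """Parse a width/height attribute such as '1' or '1px'; None if unparseable."""
    m = re.match(r"\s*(\d+)", value or "")
    return int(m.group(1)) if m else None


def classify_img(attrs):
    """Return the reasons a remote <img> looks like a web bug ([] = looks benign).

    attrs is the (name, value) list html.parser hands to handle_starttag.
    Non-remote images (cid:, data:, relative) return [] since they cannot phone home.
    """
    a = {k.lower(): (v or "") for k, v in attrs}
    url = urlsplit(a.get("src", ""))
    if url.scheme not in ("http", "https"):
        return []
    reasons = []
    w, h = _px(a.get("width")), _px(a.get("height"))
    if w is not None and h is not None and w <= 2 and h <= 2:
        reasons.append("tiny %dx%d image" % (w, h))
    if TELLTALE_PATH_RE.search(url.path):
        reasons.append("path looks like a tracking pixel")
    if any(k.lower() in ID_PARAM_NAMES for k, _ in parse_qsl(url.query, keep_blank_values=True)):
        reasons.append("recipient identifier in query string")
    if "=" in url.path:  # e.g. .../blankpixel.gif/Key=9562.Ftzu.DzF2lN
        reasons.append("identifier embedded in URL path")
    return reasons


class WebBugScanner(HTMLParser):
    """Collect every remote <img> the mail client would fetch, with its reasons."""

    def __init__(self):
        super().__init__()
        self.remote = []  # list of (src, reasons)

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "img":
            return
        src = next((v or "" for k, v in attrs if k.lower() == "src"), "")
        if urlsplit(src).scheme in ("http", "https"):
            self.remote.append((src, classify_img(attrs)))


def scan_html(html):
    """Return [(src, reasons), ...] for every remote image in the HTML body."""
    scanner = WebBugScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.remote


# Matches src=http(s)://... inside an <img> tag, quoted or not (not data-blocked-src).
_IMG_SRC_RE = re.compile(r'(<img\b[^>]*?(?<![\w-])src\s*=\s*)(["\']?)(https?://[^"\'\s>]*)\2', re.I)


def block_remote_images(html):
    """Rewrite the HTML so no remote image is fetched when the mail is rendered.

    The original URL is kept in a data-blocked-src attribute (assumed name) so a
    client could offer "load images" later, on the user's explicit request.
    """
    def repl(m):
        return '%s"" data-blocked-src="%s"' % (m.group(1), m.group(3))
    return _IMG_SRC_RE.sub(repl, html)


# Constructed sample, modelled on the shapes quoted in this thread (example.* hosts).
SAMPLE_MAIL = """<html><body>
<p>Today's headlines ...</p>
<img src="cid:logo@newsletter" width="120" height="40">
<img src="https://news.example.com/img/masthead.png" width="600" height="80" alt="masthead">
<img src="http://info.example.net/images/blankpixel.gif/Key=9562.Ftzu.DzF2lN">
<img src="http://ads.example.org/track.gif?M=4711&ID=alice@example.com" width="1" height="1">
</body></html>"""

if __name__ == "__main__":
    for src, reasons in scan_html(SAMPLE_MAIL):
        print("remote image:", src)
        for r in reasons:
            print("    ->", r)
    print(block_remote_images(SAMPLE_MAIL))
```

The heuristics only decide what to warn about; the actual defence is `block_remote_images`, which stops every remote fetch regardless of how the pixel is disguised, since a 600x80 masthead served from a URL with a per-recipient token verifies an address just as well as a 1x1 gif. Applied at the client or at a filtering MTA, it leaves the rest of the message intact, which is the "without adversely affecting legitimate messages" property asked for above.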
This archive was generated by hypermail 2b30 : Tue Aug 21 2001 - 11:02:42 PDT