Re: [fw-wiz] HTML Emails and Firewall Security

• Previous message: John Keeton: "Re: [fw-wiz] OT: Av and Gartner..."
• In reply to: Gary Flynn: "Re: [fw-wiz] HTML Emails and Firewall Security"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: Gary Flynn <flynngn@jmu.edu>
Date: Thu, 31 Jul 2003 08:39:51 -0400 (EDT)

On Thu, 31 Jul 2003, Gary Flynn wrote:

> Consider if your email to the list was HTML and contained a link to
> an image. When read with Microsoft's clients, web clients, and Navigator
> in certain configurations, my computer would go fetch the link and
> give you my IP address even if I don't reply to your e-mail. If I
> forward the message, you'll have a trail of who I forwarded it too.
> Nice recon tool in unNATed environments if you're looking for the
> desktop IP addresses used by specific individuals or roles.

It used to be worse than that- the server used to be able to get the
client to attempt to send domain authentication information. I think
this was fixed a while back though.

> That said, we have no plans to ban HTML email.

As for desktop IPs, Outlook Express hands them out, if exposing IPs is a
significant issue, then you've likely got bigger problems. At my last
employer, we had two routable /16's internally- I wasn't all that
concerned about IP address "leakage."

Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
proberts@patriot.net which may have no basis whatsoever in fact."
probertson@trusecure.com Director of Risk Assessment TruSecure Corporation

_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

• Previous message: John Keeton: "Re: [fw-wiz] OT: Av and Gartner..."
• In reply to: Gary Flynn: "Re: [fw-wiz] HTML Emails and Firewall Security"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]