Re: [fw-wiz] msgtag read receipts

Hi, Ken--

On Oct 9, 2008, at 11:46 AM, Ken Fox wrote:
> Has anyone got any rules for stopping from sending unauthorized
> read receipts - I have been looking all over the place since I received a
> message with one earlier today. Basically it embeds a picture in the message
> that confirms being read by virtue of being accessed.

That's a FAIL. Anyone who uses ClamAV's MailFollowURLs option (or equivalent in other antivirus software) is going to have embedded links followed by a robot, which indicates nothing about whether a human has seen the message. Anyway, the first thing you should do is use a mail client which does not download URLs in email messages until and unless you tell it to do so-- such as Mozilla's Thunderbird among others.

> I tried blocking the parent IP in my perimeter firewall but the image still renders, and the
> website will as well.

What's a "parent IP"?

Probably the IP of the mailserver relaying the email is not the same thing as the hostname in the URL they embed in the email message; you need to block the latter and not the former. If you make a sample version of one of these messages available somewhere, it should be easy enough to identify the right thing to block.

Note that good network security practice would be to have a firewall which blocks most or all traffic to/from internal client machines, and requires them to go via a proxy like Squid or whatever in order to access the web. In which case, you'd make your changes to the proxy ruleset to block such traffic, which likely gives you finer-grained control than an IP-based firewall would.


firewall-wizards mailing list
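
The reply's point that the thing to block is the hostname in the embedded URL, not the relaying mail server, can be checked mechanically. The following is an added example, not code from the thread: it parses a constructed sample message (all hostnames, addresses and the ACL name `mail_beacons` are made up for illustration), collects the hosts of resources an HTML renderer would fetch on display, and emits Squid `dstdomain` rules for them. It goes slightly beyond the `<img>` case described above by also covering `background` attributes.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample message (not from the thread); hosts are reserved example names.
SAMPLE = """\
Received: from relay.example.net (relay.example.net [192.0.2.25])
\tby mx.example.org; Thu, 9 Oct 2008 11:00:00 -0400
From: sender@example.com
Subject: quarterly numbers
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"

<html><body><p>See attached.</p>
<img src="http://tracker.example.com/r/abc123.gif" width="1" height="1">
<img src="cid:logo@example.com">
<table background="HTTP://Img.Tracker.Example.com:8080/bg.png"><tr><td>hi</td></tr></table>
</body></html>
"""

class RemoteRefs(HTMLParser):
    """Collect hosts of resources fetched on render (not on click)."""
    AUTOLOAD = {"src", "background"}

    def __init__(self):
        super().__init__()
        self.hosts = set()

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in self.AUTOLOAD and value:
                url = urlsplit(value.strip())
                # cid: and data: references never leave the client; skip them.
                if url.scheme in ("http", "https") and url.hostname:
                    self.hosts.add(url.hostname)  # lower-cased, port dropped

def remote_hosts(raw_message):
    msg = email.message_from_string(raw_message, policy=policy.default)
    parser = RemoteRefs()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            parser.feed(part.get_content())
    return sorted(parser.hosts)

def squid_rules(hosts, acl="mail_beacons"):
    """Render squid.conf lines denying the given destination hosts."""
    if not hosts:
        return []
    return [f"acl {acl} dstdomain {h}" for h in hosts] + [f"http_access deny {acl}"]
```

The relay named in the `Received:` header never appears in the output, which is why blocking its IP has no effect on the image fetch. In `squid.conf` the `http_access deny` line has to come before any broader `http_access allow` rule, since the first matching rule wins.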