RE: [Full-Disclosure] leaking

From: Alerta Redsegura (alerta_at_redsegura.com)
Date: 05/12/04

  • Next message: Farrukh Hussain: "[Full-Disclosure] Security Warning"
    To: "Full-Disclosure" <full-disclosure@lists.netsys.com>
    Date: Wed, 12 May 2004 12:46:52 -0500
    
    

    In the specific case we are talking about here:

    1. Somebody sends a message to the list from a web-based e-mail service.
    2. All messages sent from this web-based e-mail service have a banner.
    3. The banner is an "img" tag with an "a href" to click on it.
    4. The banner is not shown via "script" tags.
    5. Neither the sender nor the web-based e-mail service has the list e-mail
    addresses: the message is sent to the list address!

    Now, I repeat the question:

    How can the web-based email service in this particular case, gather email
    addresses from the members of this list via this banner?

    ------

    Aaron Peterson wrote:

    >You don't _collect_ email addresses (they obviously already have it if they
    >are sending you email with it, ;) But you can verify email addresses with
    >it.
    >
    >The easiest would be to put a hash or some other identifier of the user's
    >email address in the url for the image, then have mod_rewrite rewrite the
    >url (or not, who cares... you just wanted to verify the email address was
    >good) to an actual image on your system, and log the embedded info and
    >compare to your known addresses.

    ------

    Jimmy Kuijpers wrote:

    >The beatch is probably collecting our addresses for spam.

    ------

    Iñigo Koch
    Red Segura

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
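
A recipient-side check for the identifier-in-URL technique Aaron Peterson describes, as an added example that is not part of the original thread: it lists remote images in an HTML message whose URL carries a known address in plain, MD5, SHA-1 or SHA-256 form. The addresses, host names and sample banner are constructed; for mail sent to the list, any such token can only correspond to the list address, since that is the only address the sender has.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import unquote

class RemoteImages(HTMLParser):
    """Collect the URLs of remotely loaded <img> tags in an HTML mail body."""
    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src") or ""
        if tag == "img" and src.lower().startswith(("http://", "https://")):
            self.urls.append(src)

def address_tokens(address):
    """Forms of an address that a per-recipient image URL could carry."""
    raw = address.strip().lower().encode()
    tokens = {"plain": raw.decode()}
    for name in ("md5", "sha1", "sha256"):
        tokens[name] = hashlib.new(name, raw).hexdigest()
    return tokens

def tagged_images(html_body, addresses):
    """Return (url, address, encoding) for every image URL tied to an address."""
    parser = RemoteImages()
    parser.feed(html_body)
    hits = []
    for url in parser.urls:
        haystack = unquote(url).lower()
        for address in addresses:
            for encoding, token in address_tokens(address).items():
                if token in haystack:
                    hits.append((url, address, encoding))
    return hits

# Constructed sample: a banner as described in the thread (img inside a href),
# with an MD5 of the list address in the image URL. All names are hypothetical.
LIST = "full-disclosure@lists.netsys.com"
MEMBER = "member@example.org"
SAMPLE = ('<a href="http://webmail.example/ad"><img src="http://webmail.example/'
          'banner.gif?u=%s"></a>' % hashlib.md5(LIST.encode()).hexdigest())

if __name__ == "__main__":
    for hit in tagged_images(SAMPLE, [LIST, MEMBER]):
        print(hit)
```

A banner with no token in its URL produces no hits here, yet fetching it still records the reader's IP address and client in the image host's access log.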

