[Full-Disclosure] CSS in E-Mails possible E-Mail-Validity Check for Spammers?

Date: 11/03/04

  • Next message: Peter Besenbruch: "Re: [Full-Disclosure] CSS in E-Mails possible E-Mail-Validity Check for Spammers?"
    To: full-disclosure@lists.netsys.com
    Date: Wed, 03 Nov 2004 02:28:30 +0100

    This might be a minor problem in times of e-mail-collecting viruses and
    massive hijacking of SOHO-PCs. Still I wonder what you think
    about this:

    Mozilla Mail 1.7.1 (W98) and 1.7.3 (W98) (didn't check different
    versions) automatically load CSS-files which are linked from within an
    html-page sent in an e-mail, even though plug-ins and loading of images
    in e-mails are turned off. Of course, this only happens when you click
    the mail and when HTML-Mails are enabled. Mozilla tries to display the
    page and loads the CSS.

    I think you all know how this enables spammers to use HTTP-requests for
    CSS-files to check the validity of e-mail addresses: Instead of
    embedding an image with an identification code assigned to the
    recipient's e-mail-address in the address or as a parameter to the
    request, they can now embed an external style sheet definition in
    HTML-code with the same "functionality". Analyzing the requests on the
    server will show the codes corresponding to valid e-mail-addresses.

    I used the "send page"-function of the Mozilla browser to send a page
    to my own e-mail-account. When I click the e-mail, ethereal shows the
    HTTP-GET www.myserver.com/css/standard.css .

    How dangerous is this? What about possible CSS-exploits?

    Workaround suggestions ;-)

    - Cut your internet connection before reading any suspicious e-mails,
    you can probably live without the CSS.
    - turn off HTML in E-Mails (not possible in Mozilla?)


    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
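
A defensive check for the behaviour reported above, added here as an example and not part of the original post: it lists every reference in an HTML mail that would trigger a network fetch on display, including the stylesheet loads that image blocking alone does not cover. It uses only the Python standard library; the hosts, file names and `id` value in the sample are constructed placeholders.

```python
import re
from email import message_from_string
from html.parser import HTMLParser

# url(...) and @import targets inside CSS text
CSS_REF = re.compile(r"""(?:@import\s+(?:url\(\s*)?|url\(\s*)['"]?([^'")\s;]+)""", re.I)
REMOTE = re.compile(r"^(?:https?:)?//", re.I)

class RemoteRefFinder(HTMLParser):
    """Collects references that make the mail client fetch from the network."""
    def __init__(self):
        super().__init__()
        self.refs, self._in_style = [], False

    def _add(self, kind, url):
        if url and REMOTE.match(url.strip()):
            self.refs.append((kind, url.strip()))
    def _css(self, kind, text):
        for url in CSS_REF.findall(text or ""):
            self._add(kind, url)
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "link" and "stylesheet" in (a.get("rel") or "").lower():
            self._add("link-stylesheet", a.get("href"))
        elif tag == "img":
            self._add("img", a.get("src"))
        self._in_style = tag == "style"          # <style> body arrives as data
        self._css("style-attr", a.get("style"))  # inline style="..." attributes
    def handle_endtag(self, tag):
        self._in_style = False
    def handle_data(self, data):
        if self._in_style:
            self._css("style-block", data)

def remote_refs(raw_message):
    """Return (kind, url) pairs for remote loads in every text/html part."""
    finder = RemoteRefFinder()
    for part in message_from_string(raw_message).walk():
        if part.get_content_type() == "text/html":
            charset = part.get_content_charset() or "utf-8"
            finder.feed(part.get_payload(decode=True).decode(charset, "replace"))
    return finder.refs

# Constructed sample message (hosts, paths and id value are placeholders)
SAMPLE = ("Content-Type: text/html; charset=utf-8\n\n"
          '<link rel="stylesheet" href="http://www.example.invalid/css/standard.css?id=SAMPLE">'
          '<style>@import url("http://www.example.invalid/a.css");</style>'
          '<body style="background: url(local.png)"><img src="http://www.example.invalid/p.gif">')
```

A mail filter or client can use a non-empty result to strip the listed references or to fall back to the plain-text part before display.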
