Re: [Full-Disclosure] CSS in E-Mails possible E-Mail-Validity Check for Spammers?

From: Daniel Veditz (dveditz_at_cruzio.com)
Date: 11/04/04

    To: plonk@datenritter.de
    Date: Thu, 04 Nov 2004 11:53:42 -0800
    
    

    plonk@datenritter.de wrote:
    > I think you all know how this enables spammers to use HTTP requests for
    > CSS files to check the validity of e-mail addresses: Instead of
    > embedding an image with an identification code assigned to the
    > recipient's e-mail address in the address or as a parameter to the
    > request, they can now embed an external style sheet definition in
    > HTML code with the same "functionality". Analyzing the requests on the
    > server will show the codes corresponding to valid e-mail addresses.

    Services like Readnotify are already using techniques like this. Currently
    the use of <iframe> is popular, for example.

    Thunderbird 0.9 (just released) should block all the cases we know about
    including CSS stylesheets and frames. In the Mozilla Suite the workaround is
    to view messages as Simple HTML or Plain Text.

    -Dan Veditz

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
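
The thread above names three remote-load vectors in HTML mail: images, external CSS stylesheets and frames. The following is an added example, not part of the original message or of any mail client's code, showing how a mail filter could list every remote reference an HTML body would fetch on rendering. The host tracker.example, the id value and the sample message are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Tag/attribute pairs that make a client fetch a URL while rendering.
# Every <link href> is flagged, stylesheet or not (deliberately conservative).
FETCH_ATTRS = {("img", "src"), ("iframe", "src"), ("frame", "src"),
               ("link", "href"), ("body", "background")}
# url(...) and @import "..." inside <style> blocks and style attributes.
CSS_URL = re.compile(r"""url\(\s*['"]?([^'")\s]+)|@import\s+['"]([^'"]+)""", re.I)
REMOTE = re.compile(r"^(https?:)?//", re.I)

# Constructed sample: the same per-recipient id carried by four vectors.
SAMPLE = """<html><head>
<link rel="stylesheet" href="http://tracker.example/s.css?id=ABC123">
<style>@import url(http://tracker.example/i.css?id=ABC123);</style>
</head><body>
<iframe src="http://tracker.example/f.html?id=ABC123"></iframe>
<img src="cid:logo@local">
<p style="background:url('http://tracker.example/b.png?id=ABC123')">Hi</p>
</body></html>"""

class RemoteRefFinder(HTMLParser):
    """Collects (source, url) pairs for remote content an HTML mail loads."""
    def __init__(self):
        super().__init__()
        self.refs = []
        self._in_style = False

    def _add(self, source, url):
        if REMOTE.match(url.strip()):   # cid:, data: and relative refs are local
            self.refs.append((source, url.strip()))

    def _scan_css(self, source, css):
        for m in CSS_URL.finditer(css):
            self._add(source, m.group(1) or m.group(2))

    def handle_starttag(self, tag, attrs):
        self._in_style = tag == "style"
        for name, value in attrs:
            if value and (tag, name) in FETCH_ATTRS:
                self._add(f"<{tag} {name}>", value)
            elif value and name == "style":
                self._scan_css(f"<{tag} style>", value)

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:
            self._scan_css("<style>", data)

def find_remote_refs(html):
    finder = RemoteRefFinder()
    finder.feed(html)
    finder.close()
    return finder.refs
```

A filter can rewrite or drop each reported reference before display, so that opening the message generates no request.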

