Re[2]: HTML email "bug", of sorts.

From: Walter Hop (walter@binity.com)
Date: 08/20/01


Date: Mon, 20 Aug 2001 11:26:02 +0200
From: Walter Hop <walter@binity.com>
Message-ID: <955188180.20010820112602@binity.com>
To: bugtraq@securityfocus.com
Subject: Re[2]: HTML email "bug", of sorts.


> 1) how do you determine what's legitimate HTML email and what isn't? Can
> pattern-matching of web bugs be as easy as "*.gif\?.*" or something
> similar?

This is ineffective; a spammer _could_ use a CGI script in the form of
http://www.spammer.com/transparent.gif?4747683621, but if these get
blocked by a popular mailer, they will just move on to other schemes,
like:

http://www.spammer.com/validate/4747683621.html
http://www.spammer.com/validate/4747683621/
http://4747683621.spammer.com/
http://4747683621.spammer.com:25/

This will make filtering of HTML content useless. Furthermore, the HTML
IMG tag is not the only "dangerous" tag in this respect. There are many
other tags to filter, which would require considerable effort on the
part of mailer developers. [The usual scenario for this is that even
years later, holes will be found.]

Some mailers like "The Bat" have their own HTML engine that refuses to
do HTTP requests at all. This seems the best solution.

Disabling HTTP requests totally will certainly break some legitimate
HTML email, but not to the point where it is totally unreadable. Most
HTML emails (stationery etc.) only refer to images enclosed with the
message, so Your Client who likes to write emails with nice green leaves
in the borders will not be disappointed by this feature.

For other HTML mailers like Outlook and Netscape, an application-level
firewall (PGP Corporate Desktop, ZoneAlarm, etc.) is the only way to go.
The best thing is not to allow the mailer any access to the network
apart from the mail protocol ports on known pop3/imap/smtp-servers used.
As shown in example URL 4 above, just blocking access to port 80 or any
non-mail port provides only a false sense of security.

--
 Walter Hop <walter@binity.com> | +31 6 24290808 | Finger for public key
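The argument above can be checked mechanically. The following Python is an added example, not code from the post or from any of the mailers it names: it collects every URL that an HTML message would make a rendering engine fetch, then runs the list through three policies, the ".gif?" pattern from the quoted question, a firewall rule that blocks only the mailer's port 80, and a The Bat-style "never touch the network" rule. The sample message, the tracking ID 4747683621 and the hostnames are constructed from the URL schemes listed in the post; the attribute table, `cid:` handling and function names are this example's own assumptions, not a complete inventory of fetching tags (which is exactly the point the post makes).

```python
# Added example (not from the post): which remote URLs an HTML mail would
# fetch, and what each blocking policy still lets through.
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# The pattern proposed in the quoted question: block GIFs carrying a query string.
NAIVE_WEBBUG_RE = re.compile(r"\.gif\?", re.IGNORECASE)

# (tag, attribute) pairs whose value a rendering engine loads without any user
# action. Illustrative, not exhaustive (assumption of this example).
FETCHING_ATTRS = {
    ("img", "src"), ("img", "lowsrc"), ("img", "dynsrc"),
    ("body", "background"), ("table", "background"), ("td", "background"),
    ("link", "href"), ("script", "src"), ("iframe", "src"), ("frame", "src"),
    ("object", "data"), ("embed", "src"), ("input", "src"),
}
# url(...) inside an inline style attribute is fetched as well.
CSS_URL_RE = re.compile(r"url\(\s*['\"]?([^'\")]+)['\"]?\s*\)", re.IGNORECASE)


class FetchCollector(HTMLParser):
    """Records every URL the message would cause the mailer to load."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:  # html.parser lower-cases tag and attribute names
            if value is None:
                continue
            if (tag, name) in FETCHING_ATTRS:
                self.urls.append(value.strip())
            elif name == "style":
                self.urls.extend(u.strip() for u in CSS_URL_RE.findall(value))


def fetched_urls(html):
    parser = FetchCollector()
    parser.feed(html)
    parser.close()
    return parser.urls


def is_enclosed(url):
    """cid: references point at MIME parts shipped with the message: no network."""
    return urlsplit(url).scheme.lower() == "cid"


def enclosed_refs(html):
    """Stationery and similar images that still render under a no-network policy."""
    return [u for u in fetched_urls(html) if is_enclosed(u)]


def leaking(html, policy):
    """Remote URLs still requested under a policy, i.e. the tracking hits the
    spammer receives. policy(url) returns True when the request goes out;
    enclosed parts are always rendered locally and never counted."""
    return [u for u in fetched_urls(html) if not is_enclosed(u) and policy(u)]


def naive_policy(url):
    """Policy 1: the regex filter from the quoted question."""
    return NAIVE_WEBBUG_RE.search(url) is None


def port80_firewall(url):
    """Policy 2: personal-firewall rule that blocks only the mailer's port 80."""
    port = urlsplit(url).port or 80  # http default when no port is given
    return port != 80


def no_network_policy(url):
    """Policy 3: an engine that refuses to issue HTTP requests at all."""
    return False


# Constructed sample message (not a real spam) using the URL schemes listed in
# the post, plus one enclosed stationery image referenced by Content-ID.
SAMPLE = """<html><body background="http://4747683621.spammer.com/">
<link rel="stylesheet" href="http://4747683621.spammer.com:25/">
<p style="background: url(http://www.spammer.com/validate/4747683621/)">Hello</p>
<img src="http://www.spammer.com/transparent.gif?4747683621" width="1" height="1">
<img src="http://www.spammer.com/validate/4747683621.html">
<img src="cid:leaf-border@stationery">
</body></html>"""

if __name__ == "__main__":
    for name, policy in [("naive regex", naive_policy),
                         ("block port 80 only", port80_firewall),
                         ("no network", no_network_policy)]:
        print(f"{name}: {len(leaking(SAMPLE, policy))} tracking hits")
    print("still rendered:", enclosed_refs(SAMPLE))
```

Run as a script, the regex policy lets four of the five tracking URLs through, the port-80 rule still lets the `:25` variant out, and only the no-network policy leaks nothing while the `cid:` stationery image is still rendered.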