RE: Email webbugs
From: abuse (postmaster@getinfo.org)Date: 08/27/01
- Previous message: Scott Strehlow: "Re: Email webbugs"
- In reply to: Scott Strehlow: "Re: Email webbugs"
- Next in thread: Scott Grundeen Strehlow: "RE: Email webbugs"
- Next in thread: EPiC: "Re: MS IIS Lockdown tool"
- Reply: Scott Grundeen Strehlow: "RE: Email webbugs"
- Reply: Tracy Martin: "RE: Email webbugs"
- Reply: CHSPR Security: "RE: Email webbugs"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "abuse" <postmaster@getinfo.org> To: "Scott Strehlow" <strehlow@usermail.com> Subject: RE: Email webbugs Date: Mon, 27 Aug 2001 12:00:06 -0400 Message-ID: <NABBJLKKPKIHDIMKFKGCAEJLOOAB.postmaster@getinfo.org>
Yes I realize all this, I even realize that sometimes it can save bandwidth
by having the image reside on a server instead of sending it attached to the
email.
None of that addresses the point which is that outlook and outlook express
can not be set to avoid the exploit.
An email program should not be allowing someone to send me an email and
simply by my viewing the email learn my IP address, my ISP, the time I read
the email, my OS type, my browser type, or be allowed to set a cookie on my
machine. all of which can easily be done with the exploit.
Usually when you have an email address you have a name with that address.
How about I do a mailing to you, and set a cookie which identifies you by
name, then all I have to do is check for that cookie when people visit my
website and presto I have you by name not just as an anonymous browser.
There are so may ways in which to abuse this feature that I can't believe
outlook express doesn't have a security setting to avoid being exploited
like this. Do you have any idea how many people use outlook express? I mean
spammers are doing this on a daily basis (I used a real spam) and nobody
seems to have a problem with it?
Geo.
> -----Original Message-----
> From: Scott Strehlow [mailto:strehlow@usermail.com]
> Sent: Monday, August 27, 2001 11:45 AM
> To: abuse; Focus-MS
> Subject: Re: Email webbugs
>
>
> Geo, et. al.
>
> Unfortunately, any image URL in an e-mail message can be used as a
> bug. Hiding it is really only relevant if there is no contextual reason
> for an image to be in the message.
> Any e-mail client that will display the HTML will send the bug
> information,
> since it is the actual image file URL that carries the identity
> information.
> I've created Eudora rules that look for image tags with height
> and width =
> 1, which change the label property of the message to red. Any messages
> with any image tag get colored orange. Of course this is not foolproof,
> but it does give me a heads up that a message could possibly be "bugged"
> and so I won't open it if I am not sure I want to. I can always look at
> the mailbox file with Notepad to read the message without the images.
>
> Scott
>
>
> At 07:12 AM 8/27/2001, abuse wrote:
> >One of the things that has always bothered me about Outlook Express and
> >Outlook is that they are susceptable to webbugs. Basically there are no
> >options to block confirmation of your reading an email so any spammer can
> >verify that your address is active as long as they can get you
> to just view
> >an email.
>
- Previous message: Scott Strehlow: "Re: Email webbugs"
- In reply to: Scott Strehlow: "Re: Email webbugs"
- Next in thread: Scott Grundeen Strehlow: "RE: Email webbugs"
- Next in thread: EPiC: "Re: MS IIS Lockdown tool"
- Reply: Scott Grundeen Strehlow: "RE: Email webbugs"
- Reply: Tracy Martin: "RE: Email webbugs"
- Reply: CHSPR Security: "RE: Email webbugs"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
