RE: Email webbugs

From: Tracy Martin (tracy@arisiasoft.com)
Date: 08/27/01


From: "Tracy Martin" <tracy@arisiasoft.com>
To: <focus-ms@securityfocus.com>
Subject: RE: Email webbugs
Date: Mon, 27 Aug 2001 13:17:22 -0400
Message-ID: <HAELKPKBDOEDHAFLOBLCEEPACAAA.tracy@arisiasoft.com>


> None of that addresses the point which is that outlook and
> outlook express can not be set to avoid the exploit.

Um... I'd have to argue that. Outlook and Outlook Express cannot be set to
*automatically* avoid the exploit - but there are ways to do it manually,
such as the one I use:

Set up a rule/filter to send any HTML or mixed mode messages to a special
folder. Temporarily disconnect from the Internet (either by actually
disconnecting or by playing with the Gateway setting for TCP/IP so it can't
find its way out), then read the messages. Since Outlook/OE can't find the
Internet, it can't send the requests, and nothing gets logged.

Granted, it's not an ideal solution - and it would make a lot more sense to
have a flag in Outlook/OE that says "Do not retrieve images in HTML mail if
they are outside the local Intranet" - but until Microsoft pulls that bug
out of their *** that makes them think they know better than their users
what the requirements are, it's better than nothing.

Tracy

> -----Original Message-----
> From: abuse [mailto:postmaster@getinfo.org]
> Sent: Monday, August 27, 2001 12:00
> To: Scott Strehlow
> Cc: Focus-MS
> Subject: RE: Email webbugs
>
>
> Yes I realize all this, I even realize that sometimes it can save
> bandwidth
> by having the image reside on a server instead of sending it
> attached to the
> email.
>
> None of that addresses the point which is that outlook and outlook express
> can not be set to avoid the exploit.
>
> An email program should not be allowing someone to send me an email and
> simply by my viewing the email learn my IP address, my ISP, the
> time I read
> the email, my OS type, my browser type, or be allowed to set a
> cookie on my
> machine, all of which can easily be done with the exploit.
>
>
> Usually when you have an email address you have a name with that address.
> How about I do a mailing to you, and set a cookie which identifies you by
> name, then all I have to do is check for that cookie when people visit my
> website and presto I have you by name not just as an anonymous browser.
>
> There are so many ways in which to abuse this feature that I can't believe
> outlook express doesn't have a security setting to avoid being exploited
> like this. Do you have any idea how many people use outlook
> express? I mean
> spammers are doing this on a daily basis (I used a real spam) and nobody
> seems to have a problem with it?
>
> Geo.
>
> > -----Original Message-----
> > From: Scott Strehlow [mailto:strehlow@usermail.com]
> > Sent: Monday, August 27, 2001 11:45 AM
> > To: abuse; Focus-MS
> > Subject: Re: Email webbugs
> >
> >
> > Geo, et al.
> >
> > Unfortunately, any image URL in an e-mail message can be used as a
> > bug. Hiding it is really only relevant if there is no contextual reason
> > for an image to be in the message.
> > Any e-mail client that will display the HTML will send the bug
> > information,
> > since it is the actual image file URL that carries the identity
> > information.
> > I've created Eudora rules that look for image tags with height
> > and width =
> > 1, which change the label property of the message to red. Any messages
> > with any image tag get colored orange. Of course this is not foolproof,
> > but it does give me a heads up that a message could possibly be "bugged"
> > and so I won't open it if I am not sure I want to. I can always look at
> > the mailbox file with Notepad to read the message without the images.
> >
> > Scott
> >
> >
> > At 07:12 AM 8/27/2001, abuse wrote:
> > >One of the things that has always bothered me about Outlook Express and
> > >Outlook is that they are susceptible to webbugs. Basically there are no
> > >options to block confirmation of your reading an email so any
> spammer can
> > >verify that your address is active as long as they can get you
> > to just view
> > >an email.
> >
>

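The labelling Scott describes for his Eudora rules (any remote image tag colours the message orange, a 1x1 image tag colours it red) can be reproduced as a small scanner over raw RFC 822 messages. This is an added example written for this archive page, not code from anyone in the thread; the three sample messages are constructed, and like Scott's rules it is not foolproof (it only looks at <img> tags in text/html parts, so CSS-hidden or non-img loads are missed).

```python
import email
from email import policy
from html.parser import HTMLParser

class ImgCollector(HTMLParser):
    """Collects the attributes of every <img> tag in an HTML part."""
    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            self.images.append({k.lower(): (v or "").strip() for k, v in attrs})

def remote_images(raw_message):
    """Return the <img> tags in all text/html parts whose src is a remote URL."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    found = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            collector = ImgCollector()
            collector.feed(part.get_content())
            found.extend(collector.images)
    return [i for i in found
            if i.get("src", "").lower().startswith(("http://", "https://"))]

def label_message(raw_message):
    """'red' for a 1x1 remote image, 'orange' for any remote image, else 'clean'.
    Not foolproof: a CSS-hidden or oddly sized image still loads when rendered."""
    images = remote_images(raw_message)
    if any(i.get("width") == "1" and i.get("height") == "1" for i in images):
        return "red"
    return "orange" if images else "clean"

# Constructed sample messages (not real mail from the thread).
PLAIN = "From: a@example.com\nSubject: hi\nContent-Type: text/plain\n\nHello\n"
LOGO = ("From: a@example.com\nSubject: news\nContent-Type: text/html\n\n"
        '<html><body><p>News</p><img src="http://example.com/logo.png" '
        'width="200" height="60"></body></html>\n')
BUG = ("From: a@example.com\nSubject: offer\nMIME-Version: 1.0\n"
       'Content-Type: multipart/alternative; boundary="XYZ"\n\n'
       "--XYZ\nContent-Type: text/plain\n\nOffer\n\n"
       "--XYZ\nContent-Type: text/html\n\n"
       '<html><body>Offer<img src="http://tracker.example/p.gif?id=42" '
       "width=1 height=1></body></html>\n--XYZ--\n")

if __name__ == "__main__":
    for name, raw in (("plain", PLAIN), ("logo", LOGO), ("bug", BUG)):
        print(name, label_message(raw))
```

Tracy's coarser rule (divert every message that has an HTML part at all) is the case where `remote_images` would be replaced by a check on `get_content_type() == "text/html"` alone.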
