Re: Email webbugs

From: edgar.mendez@delphiauto.com
Date: 08/27/01

• Previous message: Tracy Martin: "RE: Email webbugs"
• Maybe in reply to: abuse: "Email webbugs"
• Next in thread: EPiC: "Re: MS IIS Lockdown tool"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

From: edgar.mendez@delphiauto.com
To: "Focus-MS" <focus-ms@securityfocus.com>, "VULN-DEV@SECURITYFOCUS. COM" <VULN-DEV@securityfocus.com>, "BUGTRAQ@SECURITYFOCUS. COM" <BUGTRAQ@securityfocus.com>, win2ksecadvice@LISTSERV.NTSECURITY.NET
Message-ID: <05256AB5.00609239.00@notes.delphiauto.com>
Date: Mon, 27 Aug 2001 11:29:00 -0600
Subject: Re: Email webbugs

I always assumed web based email clients (i.e. Hotmail, Yahoo, etc) were more
prone to these webbugs, but not all web based email clients are created equal.
I used my Visto.com (no plug intended) account to receive the web bug, when
logging in I used the "secure login" (SSL) option. I viewed the webbug message
and the browser immediately alerted me that there where "unsecured" items in the
message and asked if they should be displayed, I answered no, and sure enough
there was the email message with the incriminating webbug blanked out.

It's amazing that using this FREE email account proved to be more secure than
using other commercial email clients.

Edgar Mendez.

"abuse" <postmaster@getinfo.org> on 08/27/2001 06:12:30 AM

To: "Focus-MS" <focus-ms@securityfocus.com>
cc: "VULN-DEV@SECURITYFOCUS. COM" <VULN-DEV@securityfocus.com>,
      "BUGTRAQ@SECURITYFOCUS. COM" <BUGTRAQ@securityfocus.com>,
      win2ksecadvice@LISTSERV.NTSECURITY.NET (bcc: Edgar Mendez)

Subject: Email webbugs

One of the things that has always bothered me about Outlook Express and
Outlook is that they are susceptable to webbugs. Basically there are no
options to block confirmation of your reading an email so any spammer can
verify that your address is active as long as they can get you to just view
an email.

A lot of people have difficulty understanding exactly what this means so I
set up a demonstration page at http://www.nthelp.com/OEtest/oe.htm in an
attempt to raise awareness of this nonsense and get MS to do something about
it. I don't know if other email programs like Eudora and Netscape are
vulnerable to email webbugs so if anyone tests those please let me know the
results.

Anyway, I've made the test site available to the public now so if you want
to check your email reader, feel free.

Geo.

---

• Previous message: Tracy Martin: "RE: Email webbugs"
• Maybe in reply to: abuse: "Email webbugs"
• Next in thread: EPiC: "Re: MS IIS Lockdown tool"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

We are proud to have Web Hosting and Rack Housing from 9 Net Avenue Deutschland.
(16)