North American Network Operators Group


OT: Secret email?!

  • From: Joe Blanchard
  • Date: Thu Nov 29 20:07:46 2001


Greetings all

I know this might have been brought up before so please disregard if
 so. Thought it might be of interest to some.

While looking for ways to indicate that nimda/codered etc. was
pushed to a client within my network, I tripped across something
completely unrelated, but interesting.

It seems these email clients that utilize html formatting also
send out information unknowingly. I know, nothing new, but here's
the scenario. A spam email arrives, client opens/previews the email
and its pretty gifs/jpgs etc., while at the bottom a link is retrieving
what looks like a logo. Example:

<a href="""><img src="javascript:void(0);">[email protected]&msgid=281101000" width="109" height="16" border="0" alt=""></a>

What it does in fact is send information to a host
(from the firewall's view):
12:54:01: %PIX-5-304001: Accessed URL

(from the host's view):
GET /counter.php?client=newhorizons&[email protected]&msgid=281101000 HTTP/1.1

which in turn (I suppose) places my email address into a database that's used
for spamming, i.e. verifying that my email address is valid. While watching
for this behavior, I saw about 10 other nodes/users do this, none of which
knew the information had been sent out. Kind of sneaky if you ask me.
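
An added example, not part of the original post: a check a mail gateway or analyst could run over an HTML body to list remote images whose query string carries the recipient's address, as in the counter.php request above. It goes beyond the post's case by also matching base64 and hashed forms of the address; the host mailer.example.com, the parameter names email and u, and the sample body are constructed.

```python
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qsl

class ImgCollector(HTMLParser):
    """Collect the src attribute of every <img> tag in an HTML body."""
    def __init__(self):
        super().__init__()
        self.sources = []
    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag == "img" and src:
            self.sources.append(src)

def address_forms(address):
    """Forms in which an address is commonly embedded in a tracking URL."""
    raw = address.strip().lower().encode()
    b64 = (base64.b64encode(raw), base64.urlsafe_b64encode(raw))
    forms = {raw.decode()} | {b.decode().rstrip("=") for b in b64}
    forms.update(hashlib.new(a, raw).hexdigest() for a in ("md5", "sha1", "sha256"))
    return forms

def find_beacons(html_body, recipient):
    """Return (url, parameter) pairs for remote images that identify recipient."""
    collector = ImgCollector()
    collector.feed(html_body)
    needles = address_forms(recipient)
    hits = []
    for src in collector.sources:
        parts = urlsplit(src)
        if parts.scheme not in ("http", "https"):
            continue  # cid:, data: and relative images trigger no outbound fetch
        for name, value in parse_qsl(parts.query):  # percent-decodes %40 to @
            value = value.strip().rstrip("=")
            if value in needles or value.lower() in needles:
                hits.append((src, name))
    return hits

# Constructed sample body: host, parameter names and address are made up.
SAMPLE = (
    '<img src="cid:banner" width="600" height="80">'
    '<a href="http://mailer.example.com/"><img src="http://mailer.example.com/'
    'counter.php?client=acme&email=user%40example.org&msgid=1001" width="109"></a>'
    '<img src="http://mailer.example.com/logo.gif?u='
    + hashlib.sha256(b"user@example.org").hexdigest() + '">'
)
for url, param in find_beacons(SAMPLE, "user@example.org"):
    print(param, url)
```

A hit means that merely rendering the message would confirm the address to the remote host; not loading remote images by default in the mail client prevents the fetch.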