North American Network Operators Group Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical Re: OT: Secret email?!
In message <[email protected]>, Joe Blanchard writes: > >Greetings all > >I know this might have been brought up before so please disregard if > so. Thought it might be of interest to some. > > While looking for ways to indicate that nimda/codered ect was >pushed to a client within my network, I tripped across something >completely unrelated, but interesting. > >It seems these email clients that utilize html formating also >send out information unknowingly. I know nothing new, but heres >the senario. A spam email arrives, client opens/previews the email >and its pretty gifs/jpgs ect, while at the bottom a link is retrieving >what looks like a logo. Example: > ><a href="http://www.em5000.com"><img >src="http://www.em5000.com/counter.php?client=newhorizons&[email protected] >.com&msgid=281101000" width="109" height="16" border="0" >alt="em5000.com"></a> > >What it does in fact is send information to a host >(from the firewall's view): >> 12:54:01: %PIX-5-304001: 10.1.1.10 Accessed URL >> 66.77.58.92:/counter.php?client=newhorizons&[email protected]&msgid >> =281101000 >> >(from the host's view): >GET /counter.php?client=newhorizons&[email protected]&msgid=281101000 >HTTP/1.1 > >which in turn (I suppose) places my email address into a database thats used > >for spaming. i.e. verifying that my email address is valid. While watching >for this behavior, I saw about 10 other nodes/users do this, none of which >knew the information had been sent out. Kind of sneaky if you ask me. Yup -- that's why I turn off images on those rare occasions that I bother to read html email. --Steve Bellovin, http://www.research.att.com/~smb Full text of "Firewalls" book now at http://www.wilyhacker.com
|