[44492] in North American Network Operators' Group


OT: Secret email?!

daemon@ATHENA.MIT.EDU (Joe Blanchard)
Thu Nov 29 20:06:02 2001

Message-ID: <E9BBE0941932D511934C0002A52CDB4E0127F6B2@sj-exchange.wyse.com>
From: Joe Blanchard <jblanchard@wyse.com>
To: "'nanog@nanog.org'" <nanog@nanog.org>
Date: Thu, 29 Nov 2001 17:01:28 -0800

Greetings all

I know this might have been brought up before, so please disregard if
so. Thought it might be of interest to some.

While looking for ways to indicate that Nimda/Code Red etc. was
pushed to a client within my network, I tripped across something
completely unrelated, but interesting.

It seems these email clients that utilize HTML formatting also
send out information unknowingly. I know, nothing new, but here's
the scenario. A spam email arrives, the client opens/previews the email
and its pretty GIFs/JPEGs etc., while at the bottom a link is retrieving
what looks like a logo. Example:

<a href="http://www.em5000.com"><img
src="http://www.em5000.com/counter.php?client=newhorizons&email=myemail@addy.com&msgid=281101000"
width="109" height="16" border="0" alt="em5000.com"></a>

What it does in fact is send information to a host
(from the firewall's view):
> 12:54:01: %PIX-5-304001: 10.1.1.10 Accessed URL 66.77.58.92:/counter.php?client=newhorizons&email=myemail@domain.com&msgid=281101000
>
(from the host's view):
GET /counter.php?client=newhorizons&email=myemail@domain.com&msgid=281101000 HTTP/1.1

which in turn (I suppose) places my email address into a database that's used
for spamming, i.e. verifying that my email address is valid. While watching
for this behavior, I saw about 10 other nodes/users do this, none of whom
knew the information had been sent out. Kind of sneaky if you ask me.


Cheers
-Joe
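The two checks Joe's post implies, as an added example that is not part of the original message: one scans an HTML mail body for remote images whose query string carries an e-mail address (the beacon itself), the other pulls the same pattern out of Cisco PIX %PIX-5-304001 "Accessed URL" syslog lines so the hits can be lifted from a firewall log. The sample mail body and log lines are constructed for this example; the hostnames, addresses and parameter names mirror the post but are not real data, and the 302001 line is only there as a non-matching distractor.

```python
"""Spot e-mail 'web bugs' that leak the recipient's address (added example)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qsl

# Loose shape of an e-mail address; enough to catch what a beacon embeds.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# PIX 304001 layout as shown in the post: <src-ip> Accessed URL <dst-ip>:<path?query>
PIX_304001_RE = re.compile(
    r"%PIX-5-304001:\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+Accessed URL\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<url>\S+)"
)


def leaked_params(url):
    """Return the (name, value) query pairs of `url` whose value is an e-mail address."""
    query = urlsplit(url).query
    return [(k, v) for k, v in parse_qsl(query, keep_blank_values=True)
            if EMAIL_RE.match(v)]


class _ImgCollector(HTMLParser):
    """Collect the src attribute of every <img> tag in a document."""

    def __init__(self):
        super().__init__()  # convert_charrefs=True: &amp; in src becomes &
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value)


def find_beacon_images(html):
    """Return [(src, [(param, email), ...])] for remote images that carry an address.

    Only http(s) sources count: an inline cid: or data: image cannot phone home.
    """
    collector = _ImgCollector()
    collector.feed(html)
    hits = []
    for src in collector.srcs:
        if urlsplit(src).scheme not in ("http", "https"):
            continue
        leaked = leaked_params(src)
        if leaked:
            hits.append((src, leaked))
    return hits


def flag_beacon_urls(log_lines):
    """Return one dict per PIX 304001 line whose fetched URL carries an e-mail address."""
    hits = []
    for line in log_lines:
        m = PIX_304001_RE.search(line)
        if not m:
            continue  # other message IDs, or not a PIX line at all
        leaked = leaked_params(m.group("url"))
        if leaked:
            hits.append({"src": m.group("src"), "dst": m.group("dst"),
                         "url": m.group("url"), "leaked": leaked})
    return hits


# Constructed sample mail body: one inline banner and one tracking "logo".
SAMPLE_HTML = """<html><body>
<p>Great deals inside!</p>
<img src="cid:banner001" width="468" height="60">
<a href="http://www.em5000.com"><img
src="http://www.em5000.com/counter.php?client=newhorizons&amp;email=myemail@addy.com&amp;msgid=281101000"
width="109" height="16" border="0" alt="em5000.com"></a>
</body></html>"""

# Constructed sample syslog lines in the format quoted in the post.
SAMPLE_PIX_LOG = [
    "12:54:01: %PIX-5-304001: 10.1.1.10 Accessed URL 66.77.58.92:/counter.php?client=newhorizons&email=myemail@domain.com&msgid=281101000",
    "12:54:03: %PIX-5-304001: 10.1.1.10 Accessed URL 192.0.2.7:/images/logo.gif",
    "12:55:17: %PIX-5-304001: 10.1.1.23 Accessed URL 66.77.58.92:/counter.php?client=newhorizons&email=bob@domain.com&msgid=281101001",
    "12:55:18: %PIX-6-302001: Built outbound TCP connection 4711 for faddr 192.0.2.7/80 gaddr 203.0.113.5/1025 laddr 10.1.1.23/1025",
]

if __name__ == "__main__":
    for src, leaked in find_beacon_images(SAMPLE_HTML):
        print("beacon image:", src, "leaks", leaked)
    for hit in flag_beacon_urls(SAMPLE_PIX_LOG):
        print(f"{hit['src']} -> {hit['dst']} {hit['url']} leaks {hit['leaked']}")
```

The address filter only catches the obvious case. The msgid value in the same URL is a per-message identifier, so a sender who drops the address and keeps a unique token still learns that the mail was opened; any remote image fetched with a query string from a bulk mailing is worth treating as a confirmation beacon.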



