[22305] in bugtraq
RE: HTML email "bug", of sorts.
daemon@ATHENA.MIT.EDU (Russell Garrett)
Sun Aug 19 13:06:14 2001
From: "Russell Garrett" <rg@tcslon.com>
To: <bugtraq@securityfocus.com>
Date: Sun, 19 Aug 2001 09:30:47 +0100
Message-ID: <NDBBLDHKLKMANPGMACIGGEOECKAA.rg@tcslon.com>
MIME-Version: 1.0
Content-Type: text/plain;
charset="US-ASCII"
Content-Transfer-Encoding: 7bit
In-Reply-To: <Pine.LNX.4.21.0108180605310.15817-100000@wakko.bitey.net>
> <img
> src="http://www.megahardcoresex.com/sites/XXXXXXXX0 (continued)
> 3b/sf03b08152001.gif?M=XXXXXXXXX&ID=wakko@bitey.net"
> width="1" height="1">
Ok, this has me scared now....
> So, anyone have any idea of how to deal with this latest
> little spammer
> toy? Is there any effective way to filter out web bugs
> without adversely
> affecting the delivery intact of legitimate messages?
> Could software
> change to at least warn viewers that this HTML viewer is
> accessing offsite
> content? Is it worth doing?
Well, the problem that many people will have with these sorts
of e-mails is known in the trade as Microsoft Outlook. What
really scares me is that *simply clicking* on such an e-mail
in Outlook, loading it up in the AutoPreview page, which many
people regard as "safe" (scripts aren't allowed to run in it),
will cause the bug to be loaded and your address to be verified.
The most scary bit is that I don't think there is any way to
disable remotely-loaded images in Outlook. True, you can choose
which Internet Explorer Security Zone recieved messages fit into,
but I don't think that even the "Restricted Sites" zone disables
off-site image loading (I'll have to check on that one, the help
isn't very clear).
So, where does that leave a user? In Outlook, you can't tell if
an e-mail is HTML without viewing it in the preview pane, in
which case you've already confirmed your existence to spammers.
You can't report the spam using such services as SpamCop unless
you actually open the e-mail to get the source. Now you're
gambling. Staring at this spam, betting as to whether it's html
or text. But to *delete* the thing immediately, you need to
select it, and in selecting it, you are loading it into the
preview pane.
I've turned off my preview pane to start with. And I think a
script which warns you of (or preferably deletes) HTML e-mails
before they are loaded needs developing.
Cheers,
Russ Garrett (rg@tcslon.com)
