[22320] in bugtraq
Re: Web "bug" workarounds
daemon@ATHENA.MIT.EDU (Glynn Clements)
Sun Aug 19 23:34:01 2001
From: Glynn Clements <glynn.clements@virgin.net>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <15232.32722.999867.177781@cerise.nosuchdomain.co.uk>
Date: Mon, 20 Aug 2001 04:11:14 +0100
To: Brian Ballsun-Stanton <brian@ballsun.com>
Cc: bugtraq@securityfocus.com
In-Reply-To: <3B80534E.3000303@ballsun.com>

Brian Ballsun-Stanton wrote:

> I just read a message suggesting Zone Alarm, I've got a slightly more
> elegant solution. My personal firewall (Atguard) can filter ports by
> program. Simply set a rule up that denies all ports save 80 from msinn
> (or your e-mail client) this should solve the problem.

Given that the problem is that the email is directing the client to
connect to a web server running on port 80, this definitely will not
solve the problem.

> Slightly more
> specific, and stops things sending e-mail that you don't know about.

The issue here isn't about sending email. The issue is that, with
certain mail clients, simply "viewing" an email message can result in
the client issuing HTTP requests without any confirmation from the
user.

--
Glynn Clements <glynn.clements@virgin.net>
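
The behaviour discussed in this message, as an added example that is not part of the original post: a Python sketch that lists the references in an HTML mail part that a rendering client would load on view, and checks each against a model of the quoted "deny all ports save 80" rule. The attribute list, the function names, the sample message and the host tracker.example are assumptions made for illustration.

```python
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlsplit

# (tag, attribute) pairs a rendering client may fetch without a click (not exhaustive).
AUTO_FETCH = {("img", "src"), ("iframe", "src"), ("script", "src"),
              ("link", "href"), ("body", "background"), ("td", "background")}

class RemoteRefFinder(HTMLParser):
    """Collects http(s) URLs found in attributes that load when the HTML renders."""
    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if (tag, name) in AUTO_FETCH and value:
                parts = urlsplit(value.strip())
                if parts.scheme in ("http", "https"):
                    port = parts.port or (443 if parts.scheme == "https" else 80)
                    self.refs.append((tag, value.strip(), port))

def remote_refs(raw_message):
    """Return (tag, url, port) for each auto-loading reference in text/html parts."""
    finder = RemoteRefFinder()
    for part in message_from_string(raw_message).walk():
        if part.get_content_type() == "text/html":
            charset = part.get_content_charset() or "us-ascii"
            finder.feed(part.get_payload(decode=True).decode(charset, errors="replace"))
    return finder.refs

def passes_port80_only_rule(ref):
    """Model of the quoted firewall rule: the mail client may reach port 80 only."""
    return ref[2] == 80

# Constructed sample message; tracker.example is a placeholder host.
SAMPLE = """\
From: sender@example.com
Content-Type: text/html; charset=us-ascii

<html><body><p>Hi</p>
<img src="http://tracker.example/pixel.gif?id=42" width="1" height="1">
<a href="http://tracker.example/click">a link the user must click</a>
</body></html>
"""

if __name__ == "__main__":
    for ref in remote_refs(SAMPLE):
        print(ref, "passes port-80-only rule:", passes_port80_only_rule(ref))
```

The image reference in the sample resolves to port 80, so the modelled rule lets it through; the `<a href>` link is not reported because it is only followed when the user clicks it.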