[22353] in bugtraq


Re: HTML email "bug", of sorts.

daemon@ATHENA.MIT.EDU (Sean Straw / PSE)
Tue Aug 21 12:18:00 2001

Message-Id: <5.1.0.14.2.20010820211227.07dfd010@mail.professional.org>
Date: Mon, 20 Aug 2001 21:20:55 -0700
To: bugtraq@securityfocus.com
From: PSE-L@mail.professional.org (Sean Straw / PSE)
In-Reply-To: <Pine.LNX.4.21.0108180605310.15817-100000@wakko.bitey.net>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed

At 06:17 2001-08-18 -0400, Alex Prestin wrote:

>You may have heard of "web-bugs" before.

Never by that term, but what you're describing has been around for no less 
than FIVE YEARS - almost as long as HTML-enabled email.  The tracking 
technique is certainly not new.  I used to hear of them as 
"dot-trackers".  A search just now on "web bug" reveals that some people 
are now calling them by that name, and the following document may be of 
interest:

         <http://www.bugnosis.org/faq.html>


If you had a decent email client (oh, let's say Eudora Pro), there are 
features to disable the automatic fetching of linked HTML components (i.e. 
view the mail as just the HTML you already have, as well as graphics 
embedded within the message as attachments, but not go online to fetch 
anything).

Ironically, there's a valid use for them -- listservs and opt-in marketing 
propaganda could send a welcome message using a dot-tracker, and if the 
corresponding identifier is hit on the server, you know the user has a 
fully HTML-enabled email client, and can then update their profile to use 
HTML.  If you don't get hit, you send plaintext.  Not that I've heard of 
anyone actually using it for this, but it would be nice if companies did 
instead of automatically dumping HTML mail on you.

>"Web bugs" are small, 1x1 (or similar-sized) transparent GIF images

aka "transpixel GIF".

>About 1 in 10 sites use them.

I suspect more _real_ (non personal homepage oriented ones) sites use 
transpixel gifs -- they're frequently used for image alignment.  Other 
sites that track users simply have adbanners all over the place - same 
thing, and most users are oblivious to the fact that those adbanners ARE 
tracking you.  One of the various reasons I run a (homebrew) proxy script 
to eliminate adbanners (others are that printouts are cleaner, the page is 
less cluttered, less needless animation, and more efficient use of 
bandwidth and client browser caching).

>So, anyone have any idea of how to deal with this latest little spammer
>toy?

Disable downloading of images in HTML email or disable HTML rendering entirely.

Another time-proven method is to filter SPAM from your mailbox, using the 
so many other characteristics which identify most of the spam out 
there.  You should also aggressively protect your email address.

Methinks with a decent email client, it would be easy enough to search 
message bodies for your email address within links (note that listservs 
that afford an uns*bscribe link would make this difficult, and of course 
coded URLs wouldn't be matched), or for 'width="1"', 'height="1"' type 
elements and flag these messages as _suspicious_ (procmail, which runs on 
unix boxes, is an excellent mail filtering utility, but such an option isn't 
available to everyone).  Doing such filtering AFTER "known clean" sources 
would significantly reduce misidentified messages - even my own spam 
filtering has a "green list" of senders and mailing lists which are not as 
aggressively filtered as those of unknown origin -- virtually anything left 
in my inbox (not specifically dropped into a folder) is spam these days, 
and that number is very small with RBL and spam filtering heuristics 
running on the server.


---
  Please DO NOT carbon me on list replies.  I'll get my copy from the list.

  Sean B. Straw / Professional Software Engineering
  Post Box 2395 / San Rafael, CA  94912-2395
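
The filtering idea in the message above (flag remote 1x1 images and links carrying your own address, after skipping known-clean senders), sketched in Python as an added example that is not part of the original post. The green-list entry, addresses, hostnames and sample message are constructed; percent-decoding of URLs goes slightly beyond the plain string match the message describes.

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import unquote

GREEN_LIST = {"announce@lists.example.org"}  # assumed "known clean" senders
# Constructed sample message: one remote 1x1 image, one embedded (cid:) logo.
SAMPLE = """\
From: Offers <deals@bulk.example.net>
To: me@example.com
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"

<html><body><p>Hi!</p>
<img src="http://track.example.net/o.gif?u=me%40example.com" width="1" height="1">
<img src="cid:logo" width="120" height="40">
</body></html>
"""


class BugFinder(HTMLParser):
    """Collects reasons an HTML body looks like it carries a tracker."""
    def __init__(self, my_address):
        super().__init__()
        self.me = my_address.lower()
        self.reasons = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "").strip() for k, v in attrs}
        url = a.get("src") or a.get("href") or ""
        if not url.lower().startswith(("http://", "https://")):
            return  # cid: and other embedded parts never go online
        if tag == "img" and {a.get("width"), a.get("height")} & {"0", "1"}:
            self.reasons.append("1x1 remote image: " + url)
        if self.me in unquote(url).lower():  # also matches %40-encoded address
            self.reasons.append("address in URL: " + url)


def flag_suspicious(raw_message, my_address):
    """Return a list of reasons; an empty list means nothing was flagged."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    if parseaddr(str(msg.get("From", "")))[1].lower() in GREEN_LIST:
        return []  # known-clean sources are checked first and skipped
    finder = BugFinder(my_address)
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            finder.feed(part.get_content())
    return finder.reasons
```

As the message notes, identifiers that are hashed or otherwise coded into the URL will not be matched by the address check; only the image-size check catches those.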

