[22356] in bugtraq
Re: HTML email "bug", of sorts.
daemon@ATHENA.MIT.EDU (Curt Sampson)
Tue Aug 21 13:25:11 2001
Date: Tue, 21 Aug 2001 17:33:43 +0900 (JST)
From: Curt Sampson <cjs@cynic.net>
To: Bear Giles <bear@coyotesong.com>
Cc: <bugtraq@securityfocus.com>
In-Reply-To: <200108202133.PAA17268@eris.coyotesong.com>
Message-ID: <Pine.LNX.4.33.0108211722160.16009-100000@denkigama.nat.shibuya.blink.co.jp>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
On Mon, 20 Aug 2001, Bear Giles wrote:
> For everything that matches, look for any height and width attributes
> for the image. If it's 1, you have a web bug. Even if it's 2-8 or so,
> it's probably still a web bug.
> ...
> 2) on a related note, if you see anything like
> <img src="http://spammer.com/images/foo.gif?some-random-string-here">
> you can snip the "?some-random-string-here" part. Their logs may

Nah. My first thought, when asked about the technical details of e-mail
bugs at a certain company whose name I won't mention to protect the
guilty, was, "How do we make sure it doesn't look like a bug?"

So you insert this:

    <img src="http://www.example.com/imgs/18465485943/foo.gif" width=400 height=90>

as your company logo in the newsletter or whatever you're sending out.
That invokes a servlet or whatever called /imgs which looks at the
remainder of the path as a parameter, logs a hit from 18465485943 in
your database (we would have associated this with a particular piece of
mail that went out) and returns your company logo. You make sure that
the header specifies that it expires instantly, of course, so you get
information that the message has been forwarded or re-read or whatever.

I really don't see any way to protect against these bugs, except not
to retrieve external images. And that, as others have mentioned, is not
likely to go over so well with a lot of users out there.

cjs
--
Curt Sampson <cjs@cynic.net> +81 3 5778 0123 http://www.netbsd.org
Don't you know, in this new Dark Age, we're all light. --XTC
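
Added example, not part of the original message: a mail-filter check that reports every image a client would fetch from a remote server and notes why each looks like a tracker, showing that the logo-sized image above slips past the size and query-string heuristics from the quoted text. The `TOKEN_SEGMENT` pattern, the 8-pixel threshold constant and the function names are assumptions chosen for illustration; a token-free path proves nothing, which is why every remote image is listed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed heuristic: a path segment of 8+ digits or 16+ hex chars is a per-message token.
TOKEN_SEGMENT = re.compile(r"^(?:\d{8,}|[0-9a-fA-F]{16,})$")
MAX_BUG_DIMENSION = 8  # "Even if it's 2-8 or so" in the quoted message

class _ImgCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.images = []
    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.images.append(dict(attrs))

def _small(value):
    return value is not None and value.strip().isdigit() and int(value) <= MAX_BUG_DIMENSION

def classify_images(html):
    """Return [(src, [reasons])] for every remotely fetched image in an HTML mail body."""
    collector = _ImgCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.images:
        src = attrs.get("src") or ""
        url = urlsplit(src)
        if not url.netloc:
            continue  # cid: and data: images never touch a remote server
        reasons = ["remote-fetch"]  # any remote fetch can be logged by the sender
        if _small(attrs.get("width")) or _small(attrs.get("height")):
            reasons.append("tiny-dimensions")
        if url.query:
            reasons.append("query-string")
        if any(TOKEN_SEGMENT.match(seg) for seg in url.path.split("/")):
            reasons.append("token-in-path")
        findings.append((src, reasons))
    return findings

# Constructed sample body: the first two tags are the ones quoted in the thread, the cid: one is made up.
SAMPLE = """
<img src="http://www.example.com/imgs/18465485943/foo.gif" width=400 height=90>
<img src="http://spammer.com/images/foo.gif?some-random-string-here" width=1 height=1>
<img src="cid:logo@example.com" width=400 height=90>
"""

if __name__ == "__main__":
    for src, reasons in classify_images(SAMPLE):
        print(src, reasons)
```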