RE: HTML email "bug", of sorts.

[Ben Yu <byu () skygo com>]

This past thread has been following the lines of how the
img tag can be used to track a person's usage, or verify
the existence of an email address. This is just an issue
of privacy.

Maybe it's obvious, but I'd like to point it out anyways.
There exists more dangerous and malicious use of this
hole. It would be possible for a person to send an
email via some anonymous remailer to introduce a URL
attack to the world. This essentially gets the receiver
to execute the attack. Virus writers, like the one of
code red, could have used something like this to
remove the possibility that it could be traced back.

All the ideas of filtering, and the use of different
clients are good ideas. But in this real world, many
people just use outlook because work requires it (me
included). I think that is where a fix needs to implemented.
I don't even see having an option to disable downloading
of images as a good fix. People want to see the images
their friends send. If by default we don't download,
yet still leave an option so the user can 'double-click',
we're still vulnerable to a bit of social engineering.

There just doesn't seem to be a good compromise here.


-----Original Message-----
From: Alex Prestin [mailto:wakko () bitey net]
Sent: Saturday, August 18, 2001 3:17 AM
To: bugtraq () securityfocus com
Subject: HTML email "bug", of sorts.



I'm not sure this is the proper forum for "conspiracy-theory" bugs, but I
figured this would be of interest to anyone trying to prevent the names of
valid email accounts they either own or administer from being verified and
added to "official" known-good spam rosters.

You may have heard of "web-bugs" before.  Or you may not have.  For the
benefit of the less-experienced, here's what they are and what they do:

"Web bugs" are small, 1x1 (or similar-sized) transparent GIF images which
can be used to track the movement of a user around the web.  About 1 in 10
sites use them.  Their effectiveness at this task is somewhat
questionable, but they can be used more effectively for a different task:

I've started noticing something very disturbing in the HTML in spam mails
recently.  I've started seeing web bugs.  Below is an example from a
recent email:

<img
src="http://www.megahardcoresex.com/sites/XXXXXXXX0 (continued)
3b/sf03b08152001.gif?M=XXXXXXXXX&ID=wakko () bitey net" width="1" height="1"> 

See it?  A web bug.  If I opened this mail in an HTML-capable browser,
that little image would've popped up and I would've been none the
wiser.  My address would also have been verified by the sender, and stored
in a large database of valid recipients.

So, anyone have any idea of how to deal with this latest little spammer
toy?  Is there any effective way to filter out web bugs without adversely
affecting the delivery intact of legitimate messages?  Could software
change to at least warn viewers that this HTML viewer is accessing offsite
content?  Is it worth doing?

Anyone?  Bueller?

- A.P.