Full Disclosure mailing list archives

RE: leaking


From: "Alerta Redsegura" <alerta () redsegura com>
Date: Wed, 12 May 2004 12:46:52 -0500

In the specific case we are talking about here:

1. Somebody sends a message to the list from a web-based e-mail service.
2. All messages sent from this web-based e-mail service have a banner.
3. The banner is an "img" tag with an "a href" to click on it.
4. The banner is not shown via "script" tags.
5. Neither the sender nor the web-based e-mail service has the list e-mail
addresses: the message is sent to the list address!



Now, I repeat the question:

How can the web-based email service, in this particular case, gather email
addresses from the members of this list via this banner?



------

Aaron Peterson wrote:

You don't _collect_ email addresses (they obviously already have it if they
are sending you email with it, ;)  But you can verify email addresses with
it.

The easiest would be to put a hash or some other identifier of the user's
email address in the url for the image, then have mod_rewrite rewrite the
url (or not, who cares... you just wanted to verify the email address was
good) to an actual image on your system, and log the embedded info and
compare to your known addresses.

------

Jimmy Kuijpers wrote:

The beatch is probably collecting our addresses for spam.

------







Iñigo Koch
Red Segura

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
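
A defensive check for the image-URL tagging discussed in this thread, as an added example that is not part of the original messages: it scans an HTML mail body for remote images whose URL carries the recipient's address in plain, base64 or hashed form. The host names, the addresses and the set of encodings checked are constructed assumptions.

```python
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit


class ImgCollector(HTMLParser):
    """Collects the src of every <img> tag in an HTML mail body."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag == "img" and src:
            self.sources.append(src)


def recipient_forms(address):
    """Plain, base64 and hashed forms an address may take inside a URL."""
    raw = address.strip().lower().encode()
    forms = {raw.decode(), base64.urlsafe_b64encode(raw).decode().rstrip("=")}
    forms.update(hashlib.new(a, raw).hexdigest() for a in ("md5", "sha1", "sha256"))
    return forms


def classify_images(html_body, recipient):
    """Map each remote image URL to 'recipient-id' or 'static'."""
    collector = ImgCollector()
    collector.feed(html_body)
    forms = recipient_forms(recipient)
    verdicts = {}
    for src in collector.sources:
        parts = urlsplit(src)
        if parts.scheme not in ("http", "https"):
            continue  # cid: and data: images cause no remote request
        target = unquote(parts.path + "?" + parts.query)
        hit = any(f in target or f in target.lower() for f in forms)
        verdicts[src] = "recipient-id" if hit else "static"
    return verdicts


# Constructed sample: the list-wide banner plus a hash-tagged image.
RECIPIENT = "reader@example.org"
TAG = hashlib.sha1(RECIPIENT.encode()).hexdigest()
SAMPLE = ('<a href="http://webmail.example/"><img src="http://webmail.example/banner.gif"></a>'
          f'<img src="http://tracker.example/i/{TAG}.gif"><img src="cid:logo">')
```

A token that is random rather than derived from the address is not caught by this check; spotting that needs a comparison of the same message as delivered to two different addresses.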

