WebApp Sec mailing list archives

Re: spam technique name?

From: Jamie Pratt <jamie () nucdc org>
Date: Tue, 22 Apr 2003 13:34:48 -0400

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Although I don't know any specific name for this, it's really not a
new technique at all - that is why most of us
(sane) people disable inbound html emails at the client level and
just show the plaintext (html).

regards,
jamie

Calderon, Juan C (CORP, DDEMESIS) wrote:

> Hello all
>
> Recently I was thinking about a technique that could be used by
spammers, I don't know a common name or something for such a
technique, so if you know it please let me know.
>
> PROBLEM
>    How can a spammer know if the victim opened the mail?, one is the
well known "Remove Me" link which, in fact, will confirm user read
the message (and probably will be bombed with many more, now that he
said "hey!, I'm here").  However, it requires user interaction.
>
> SOLUTION
>    A simple "solution" can be to insert a Image, Link (for CSS for
example) or Script tag in the HTML mail, all those elements indicate
Web browsers to send a GET request using the SRC or HREF attribute,
without user interaction.
>
> Sample Code (Mail sent to ficticious peter () foomail com)
> <HTML>
> <BODY>
>    Dear Peter<br>
>    Buy our brand new product, CHEAP, CHEAP, CHEAP....
>    <img
src='http://www.spamer.com/AutoRecordAddress.php?email=peter%40foomail%2Ecom&apos;><br>
>    Click <a href='http://www.spamer.com/ConfirmVictim.php&apos;>Here</a>
to be removed<br>
>    NOTE:the presence of this link indicates this is not spamming even
if you don't ask for this email
> </BODY>
> </HTML>
>
> Viewing (or "previewing" in Outlook or similar) this email will
automatically send a request for a "image" file served by a
Server-side script, first recording the data without explicit
authorization.
>
> I've tested this (using 3 different tags) using Exchange and some
others public accounts. I have succeed in all cases.
>
> So have you seen something similar? do you think this is a kind of
XSS? I do.
>
> cheers :)
> ________________________________________
> Juan C Calderon
> IT Security
>
>

- --

Jamie Pratt
Systems Administrator/Programmer Analyst
Norwich University Course Development Center
jamie () nucdc org | ph. (802)485-2532

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (MingW32) - WinPT 0.7.94

iD8DBQE+pX0mFnM/ewGVQ7IRArOBAKCADozntexoxPiswN8+lbGP2aWXnQCdGFz5
lbp/9gWPBdFmHx+lplhCU6k=
=VxTI
-----END PGP SIGNATURE-----

Current thread:

spam technique name? Calderon, Juan C (CORP, DDEMESIS) (Apr 22)
- Re: spam technique name? Bill Burge (Apr 22)
- RE: spam technique name? Richard M. Smith (Apr 22)
- Re: spam technique name? Jamie Pratt (Apr 22)
- <Possible follow-ups>
- Re: spam technique name? tetsujin (Apr 22)