I was auto-outed by an IMG tag in HTML spam
I just had my on-line pseudonym outed to my company's VP of marketing, with potentially serious internecine political consequences. It didn't even take an AOL customer service rep to do the dirty deed. Here's how it happened.

I have an account unconnected with work, for personal mail, on a machine run by a friend in my wife's department at the local college. From this account, I speak my mind about my political views, my employer's spamming of their rather loosely defined lists of "customers", etc. I don't do that from my work account because I don't want any confusion about whether I am speaking for the company or not.

Evidently my mention of my displeasure with my company's spamming hit a nerve with marketing. They sent a message to my off-site address (along with those of other critics about whom they wanted to know more). It was an HTML message with an embedded IMG tag.

Last night about midnight, I downloaded my off-site mail with Netscape. (I was still at work because our team is debugging some killer database problems.) When Netscape saw that IMG tag, it happily connected to marketing's "customer" tracking server, and downloaded the keyed graphic. My boss just let me see the log he got from the marketing VP, showing clearly that my workstation read the message. The log was attached to a strident call for my head from the VP. Luckily, my boss agrees with my attitude, as do all of my co-workers on the engineering side of the house, and thinks I was in the right to use an off-site account. But the political fallout could be interesting.

Beware "live" message content. If you don't, you may end up having to get your company's entire marketing force fired to protect yourself. Use mail readers that don't automatically process HTML and connect to image servers, accept cookies, or run javascripts. You are being watched by tricky defective, er, detective types.

es.
In <37a52bf54844994eb90c8e8af06b07b7@anon.efga.org>, on 02/18/98 at 03:00 AM, Anonymous <anon@anon.efga.org> said:
Use mail readers that don't automatically process HTML and connect to image servers, accept cookies, or run javascripts. You are being watched by tricky defective, er, detective types. es.
Several things here:

1. HTML in mail: There is just no place for this crap in e-mail. If multipart/alternative is used it is tolerable, but pure text/html messages go into the bitbucket with an autoreply explaining to the poster the error of their ways. :) I was pleasantly surprised that MS Outlook actually makes use of the multipart/alternative format (M$ actually got it right for once). Net$cape does not and will blindly send out text/html messages (after all, everyone uses a web browser to read their mail), and Eudora was doing the same thing, though they may have fixed this (I talked to John about this when I was at the IETF in Dec).

2. AutoProcessing of Attachments: This is *always* a BadThing(TM). Not only is it an obvious security risk, it is a PITA for the user. I would be really pissed if my mailer launched a V-Card app every time someone thought it was a GoodThing(TM) to add these attachments to every message they sent out.

3. AutoDownloading of Data: I imagine what happened here is that the internal logic for the N$ mailreader when processing a text/html e-mail message is to treat it just like a WebPage and process it accordingly. IMHO if a mail client is going out to an external site to DL data, whether it be part of a text/html message or Message/External-Body, the mailer should prompt the user on whether or not he wishes to retrieve the data.

My recommendation is to dump the Netscape garbage and get a real e-mail client. Netscape has done a good job at screwing up the web; we really don't need the same favor from them with e-mail.

--
---------------------------------------------------------------
William H. Geiger III http://users.invweb.net/~whgiii
Geiger Consulting Cooking With Warp 4.0
Author of E-Secure - PGP Front End for MR/2 Ice
PGP & MR/2 the only way for secure e-mail.
OS/2 PGP 2.6.3a at: http://users.invweb.net/~whgiii/pgpmr2.html
---------------------------------------------------------------
Tag-O-Matic: Friends don't let friends use Windows.
William H. Geiger III enscribed thusly:
In <37a52bf54844994eb90c8e8af06b07b7@anon.efga.org>, on 02/18/98 at 03:00 AM, Anonymous <anon@anon.efga.org> said:
Use mail readers that don't automatically process HTML and connect to image servers, accept cookies, or run javascripts. You are being watched by tricky defective, er, detective types. es.
Several things here:
: : - Point 1 deleted... :
2. AutoProcessing of Attachments:
This is *always* a BadThing(TM). Not only is it an obvious security risk, it is a PITA for the user. I would be really pissed if my mailer launched a V-Card app every time someone thought it was a GoodThing(TM) to add these attachments to every message they sent out.
Oh, it gets better than that! I know of one person who got hit with a specially formatted porno-spam message. When he opened it, the HTML message did an autorestart on his browser and <you guessed it> there he was browsing the porno site! What a convenient feature! Especially with your boss and co-workers in the vicinity! Needless to say, that person is now a rabid anti-HTML-in-E-Mail fanatic!
: : - Remainder of message deleted... :
---------------------------------------------------------------
William H. Geiger III http://users.invweb.net/~whgiii
Geiger Consulting Cooking With Warp 4.0
Author of E-Secure - PGP Front End for MR/2 Ice
PGP & MR/2 the only way for secure e-mail.
OS/2 PGP 2.6.3a at: http://users.invweb.net/~whgiii/pgpmr2.html

Mike
--
Michael H. Warfield | (770) 985-6132 | mhw@WittsEnd.com
(The Mad Wizard) | (770) 925-8248 | http://www.wittsend.com/mhw/
NIC whois: MHW9 | An optimist believes we live in the best of all
PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it!
In <199802181346.IAA21174@alcove.wittsend.com>, on 02/18/98 at 08:46 AM, "Michael H. Warfield" <mhw@wittsend.com> said:
Oh, it gets better than that! I know of one person who got hit with a specially formatted porno-spam message. When he opened it, the HTML message did an autorestart on his browser and <you guessed it> there he was browsing the porno site! What a convenient feature! Especially with your boss and co-workers in the vicinity!
This could be a good sting operation. Send an anonymous e-mail message that points to a childporn site. The [add your jackbooted thug organization here] kick in your door as soon as they get the signal that your machine has connected to the site and downloaded the images. Hmmmm, I wonder if there is a way to get the browser to DL an image without displaying it. The pictures would be sitting in your cache without your even knowing it. Probably not a big issue; I would imagine that a jury would convict on website logs alone even if no pictures were found on the machine.

--
---------------------------------------------------------------
William H. Geiger III http://users.invweb.net/~whgiii
Geiger Consulting Cooking With Warp 4.0
Author of E-Secure - PGP Front End for MR/2 Ice
PGP & MR/2 the only way for secure e-mail.
OS/2 PGP 2.6.3a at: http://users.invweb.net/~whgiii/pgpmr2.html
---------------------------------------------------------------
Tag-O-Matic: Dos: Venerable. Windows: Vulnerable. OS/2: Viable.
at 03:00 AM, Anonymous <anon@anon.efga.org> said:
Use mail readers that don't automatically process HTML and connect to image servers, accept cookies, or run javascripts. You are being watched by tricky defective, er, detective types. es.
Several things here:
At 02:32 AM 2/18/98 -0500, William H. Geiger III wrote:
1. HTML in mail: There is just no place for this crap in e-mail. If multipart/alternative is used it is tolerable, but pure text/html messages go into the bitbucket with an autoreply explaining to the poster the error of their ways. :)
HTML is a fine format for email. It's ASCII readable, and supports content description tags that the user's mail reader can render as bold/italic/underline/header-levels//color/etc. It's far superior to using bloated undocumented Microsoft Word attachments. 95% of the HTML email I get IS spam, but that's a separate problem :-) (After all, SPAMMERs like bright colored blinking attention-getting mail.)
2. AutoProcessing of Attachments: This is *always* a BadThing(TM). Not only is it an obvious security risk, it is a PITA for the user. I would be really pissed if my mailer launched a V-Card app every time someone thought it was a GoodThing(TM) to add these attachments to every message they sent out.
3. AutoDownloading of Data: I imagine what happened here is that the internal logic for the N$ mailreader when processing a text/html e-mail message is to treat it just like a WebPage and process it accordingly. IMHO if a mail client is going out to an external site to DL data, whether it be part of a text/html message or Message/External-Body, the mailer should prompt the user on whether or not he wishes to retrieve the data.
Doesn't even need a prompt - a basic missing-picture icon is fine, with a load-images command somewhere. While it's not as dangerous as auto-processing, autodownloading is annoying, and can be both a security risk (the auto-outing problem) and a denial-of-service risk. Needs to be either off by default or not there at all.
My recommendation is to dump the Netscape garbage and get a real e-mail client. Netscape has done a good job at screwing up the web; we really don't need the same favor from them with e-mail.
Netscape mail is adequate for many people, just as Eudora is. Newer versions are pretty bloated, but including S/MIME mail encryption for everybody is a Good Thing. Thanks! Bill Bill Stewart, bill.stewart@pobox.com PGP Fingerprint D454 E202 CBC8 40BF 3C85 B884 0ABE 4639
In <3.0.5.32.19980220184839.008d4b50@popd.ix.netcom.com>, on 02/20/98 at 09:48 PM, Bill Stewart <bill.stewart@pobox.com> said:
at 03:00 AM, Anonymous <anon@anon.efga.org> said:
Use mail readers that don't automatically process HTML and connect to image servers, accept cookies, or run javascripts. You are being watched by tricky defective, er, detective types. es.
Several things here:
At 02:32 AM 2/18/98 -0500, William H. Geiger III wrote:
1. HTML in mail: There is just no place for this crap in e-mail. If multipart/alternative is used it is tolerable, but pure text/html messages go into the bitbucket with an autoreply explaining to the poster the error of their ways. :)
HTML is a fine format for email. It's ASCII readable, and supports content description tags that the user's mail reader can render as bold/italic/underline/header-levels//color/etc. It's far superior to using bloated undocumented Microsoft Word attachments. 95% of the HTML email I get IS spam, but that's a separate problem :-) (After all, SPAMMERs like bright colored blinking attention-getting mail.)
Yes, but who needs all this crap in e-mail?? E-Mail is a messaging protocol, not a protocol for large documents (HTML is not suitable for large documents either, but that is for another rant). WARNING: This is the only time you will see me say something good about MickySloth. I must admit that at least MS Outlook follows the RFCs and makes use of multipart/alternative when sending out HTML-formatted messages, so others are not forced to use a web browser to read their mail (unlike Net$cape or Eudora). There is no place for HTML in e-mail, plain and simple. I do not want to have to load a huge bloated bug-filled web browser just to process my e-mail messages.
My recommendation is to dump the Netscape garbage and get a real e-mail client. Netscape has done a good job at screwing up the web; we really don't need the same favor from them with e-mail.
Netscape mail is adequate for many people, just as Eudora is. Newer versions are pretty bloated, but including S/MIME mail encryption for everybody is a Good Thing.
Now this is really scary. You consider pushing weak 40-bit S/MIME on internet users a GoodThing(TM)? I think you need to sit down and rethink this one, Bill.

--
---------------------------------------------------------------
William H. Geiger III http://users.invweb.net/~whgiii
Geiger Consulting Cooking With Warp 4.0
Author of E-Secure - PGP Front End for MR/2 Ice
PGP & MR/2 the only way for secure e-mail.
OS/2 PGP 2.6.3a at: http://users.invweb.net/~whgiii/pgpmr2.html
---------------------------------------------------------------
<HTML><META HTTP-EQUIV="Content-Type:text/html"> <SCRIPT> function X() {var Text = "HTML is not acceptable for using in mail " + "or usenet so your browser will stop."; alert(Text); parent.close();}; </SCRIPT> </HEAD><BODY onLoad="X();return true">Hi</HTML>
Tag-O-Matic: Have you crashed your Windows today?
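An added example, mine and not code from anyone in this thread, that mechanises the three complaints the thread keeps returning to. It parses a message and reports whether a text/plain alternative exists (the multipart/alternative point), lists every IMG SRC, BODY BACKGROUND, LINK HREF and similar reference that a renderer would fetch from a remote server (the keyed-graphic leak in the original post: the fetch tells the sender's server which address read the mail, from which host and when), counts <script> elements and on* handlers such as the onLoad in the signature just above, and re-emits the HTML with remote loads turned into placeholders (the missing-picture-icon behaviour Bill Stewart asks for) and scripts dropped. The sample messages, the host track.example.com and the uid token are constructed for the example; inline cid: images are deliberately left alone, since they do not leave the message. Standard library only.

```python
"""Added example: triage a mail message for the hazards discussed in this thread
(text/html with no text/plain alternative; IMG SRC / BODY BACKGROUND / LINK HREF
that are fetched on render and tell the sender's server who read the mail and
when; <script> and on* handlers that run on open).  Standard library only."""
import email
from email import policy
from email.message import EmailMessage
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# tag -> attributes whose value the renderer fetches from the network
REMOTE_ATTRS = {"img": ("src", "lowsrc"), "body": ("background",), "table": ("background",),
                "link": ("href",), "iframe": ("src",), "object": ("data",), "script": ("src",)}

def is_remote(value):
    """True for references that cause a network fetch; cid:, data: and relative refs are not."""
    if not value:
        return False
    u = urlsplit(value.strip())
    return bool(u.netloc) or u.scheme.lower() in ("http", "https", "ftp")

class MailHtmlSanitizer(HTMLParser):
    """Re-emit HTML with remote loads neutralised and scripts dropped, recording what
    was removed so the reader can be told and offered a load-images command."""
    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out, self.remote = [], []      # output fragments; (tag, url) of blocked loads
        self.scripts = self.handlers = 0    # <script> elements and on* attributes seen
        self._in_script = 0

    def _emit_tag(self, tag, attrs, selfclosing):
        kept = []
        for name, value in attrs:
            if name.startswith("on"):                       # onload=, onmouseover=, ...
                self.handlers += 1
                continue
            if name in REMOTE_ATTRS.get(tag, ()) and is_remote(value):
                self.remote.append((tag, value))
                if tag == "img":                            # placeholder; URL kept for load-on-demand
                    kept.append(("data-blocked-url", value))
                    if not any(n == "alt" for n, _ in attrs):
                        kept.append(("alt", "[remote image blocked]"))
                continue                                    # the fetching attribute is dropped
            kept.append((name, value))
        rendered = [tag] + [n if v is None else f'{n}="{escape(v, quote=True)}"' for n, v in kept]
        self.out.append("<" + " ".join(rendered) + ("/>" if selfclosing else ">"))

    def handle_starttag(self, tag, attrs):
        if tag == "script":                                 # swallow the element and its body
            self.scripts += 1
            self._in_script += 1
        else:
            self._emit_tag(tag, attrs, False)

    def handle_startendtag(self, tag, attrs):
        if tag == "script":
            self.scripts += 1
        else:
            self._emit_tag(tag, attrs, True)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = max(0, self._in_script - 1)
        else:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._in_script:
            self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")

def audit_html(body):
    """Sanitize one HTML body; returns blocked loads, script/handler counts and safe HTML."""
    p = MailHtmlSanitizer()
    p.feed(body)
    p.close()
    return {"remote": p.remote, "scripts": p.scripts, "handlers": p.handlers,
            "safe_html": "".join(p.out)}

def triage(raw):
    """Parse a raw RFC 822 message (bytes) and triage its HTML part, if any."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    plain = msg.get_body(preferencelist=("plain",))
    html_part = msg.get_body(preferencelist=("html",))
    report = {"has_plain": plain is not None, "has_html": html_part is not None,
              "remote": [], "scripts": 0, "handlers": 0, "safe_html": None}
    if html_part is not None:
        report.update(audit_html(html_part.get_content()))
    return report

# Constructed samples, not mail from the thread.  The first mimics the "keyed graphic"
# message: pure text/html, no plain alternative, a per-recipient token in the URLs
# (host and uid are made up).  The second is a proper multipart/alternative.
TRACKING_HTML = """<html><body background="http://track.example.com/bg.gif?uid=7f3a">
<p>We read your comments with interest.</p>
<img src="http://track.example.com/pixel.gif?uid=7f3a" width="1" height="1">
<img src="cid:logo@example.com" alt="logo">
</body></html>"""

def build_samples():
    tracking = EmailMessage()
    tracking["Subject"] = "We value your feedback"
    tracking.set_content(TRACKING_HTML, subtype="html")
    alternative = EmailMessage()
    alternative["Subject"] = "Same text, both ways"
    alternative.set_content("Plain text version.")
    alternative.add_alternative("<p>Plain text <b>version</b>.</p>", subtype="html")
    return tracking.as_bytes(), alternative.as_bytes()
```

Run triage() over the bytes of a message (from a maildir file, or build_samples() for the constructed ones): for the tracking sample it reports no plain alternative and two blocked loads, both carrying the same uid token, which is the tell-tale of a per-recipient beacon; the cid: logo survives untouched. audit_html() on the HTML/JavaScript signature above reports one script and one handler and returns markup with neither. The blocked URL is retained in data-blocked-url so a client can implement "load images" as an explicit user action rather than a side effect of opening the message.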
At 09:02 AM 2/21/98 -0500, William H. Geiger III wrote:
1. HTML in mail: There is just no place for this crap in e-mail.
HTML is a fine format for email. It's ASCII readable, and supports
Yes but who needs all this crap in e-mail?? E-Mail is a messaging protocol not a protocol for large documents
Nonsense. E-Mail is an interface for mailing stuff to people, and an email system that can't handle large documents is broken. In particular, the MickeysoftMail view that the contents of a message belong in attachments rather than message body is broken (it's partly due to myopia, and partly because some of the popular Windows GUI programming widgets can't handle more than 32KB.)
I must admit that at least MS Outlook follows the RFCs and makes use of multipart/alternative when sending out HTML-formatted messages, so others are not forced to use a web browser to read their mail (unlike Net$cape or Eudora). There is no place for HTML in e-mail, plain and simple. I do not want to have to load a huge bloated bug-filled web browser just to process my e-mail messages.
First of all, you don't need a web browser to read HTML. Eudora doesn't use one - it displays it natively. (If you attach an HTML attachment rather than putting HTML in the body, then you need an HTML viewer (which may or may not be a web browser), but that's the same as needing a text viewer to view text attachments.) (Netscape _is_ a huge bloated buggy web browser, and you could argue about whether it needs to have a mailreader hung off the side, but it's helped them with their market share, and if you don't like it, use Eudora.) Furthermore, HTML is written in ASCII, and designed to be human-readable, and designed so the user can choose how to display it - HTML viewers are supposed to display documents in the user's preferred formats given the limitations of the display device. If you like Netscape or IE 4.x browsers to view HTML, use them, but if you'd prefer Lynx for a lean, mean browser, or MSWord or another viewer like HoTMetaL, go ahead. Some people like to send rich-text attachments. HTML is a much better standard for doing that than some MS proprietary format. Most of the rich text mail I get at work is in proprietary MS formats, (most of it that I get at home is SPAM :-), which means I need to use a buggy bloated word processor to read it, except when Exchange feels like using its Outlook Evil Twin to display the stuff, but it's somewhat pleasant to have colors and fonts available.
Netscape mail is adequate for many people, just as Eudora is. Newer versions are pretty bloated, but including S/MIME mail encryption for everybody is a Good Thing.
Now this is really scary. You consider pushing weak 40bit S/MIME on the internet users a GoodThing(TM)? I think you need to sit down and rethink
40 bit? Not good, but domestic versions are supposed to support 128; maybe they don't in practice. (NS 3.x was bloated enough that I haven't upgraded to 4.x) And getting people in the habit of using crypto is a good thing. Thanks! Bill Bill Stewart, bill.stewart@pobox.com PGP Fingerprint D454 E202 CBC8 40BF 3C85 B884 0ABE 4639