Email Certification?
sunder
sunder at sunder.net
Mon May 2 12:09:45 PDT 2005
Suggestion - you can do what advertisers do - encode a web bug image as
part of some jucy html emails on a web server that you own and check
your logs. (not sure if hotmail or whatever allows this, as I don't use
their cruft.)
Make sure that unlike a web bug you don't set the name so it looks like
a web bug (i.e. don't call it 1x1.gif) and don't set the image size
attributes on the IMG SRC tag to say 1x1. Instead make the file name
into something that looks like it came from a digital camera and put it
in a path that matches that cover story.
ie:
http://127.53.22.7/phightklub_files/2004-xmas-party-pix/JoeShmoeDrunkAndHigh/Kodak/DSC03284345.JPG
No guarantee that someone won't read the email as source and thus not
grab the image too, but you can make it look like the content of the
image is important to the message's content and jucy enough to make
whomever you believe is spying on you want to fetch it. i.e. "Here's a
picture of the party, you can clearly see he's got a crack pipe in his
hand and his eyes are dialated. I'm thinkin' of reporting him to deh
fedz, what do u think?" (I'm assuming that the feds are your threat
model here, but you can vary this up with whatever threat model you
think is appropriate. i.e. if you think your woman is spying on you,
make it a fake email from your supposed mistress, something she'd want
to open - i.e. subject "I'm gonna tell ur wife about us if you don't do X".)
I'd also make sure that nothing on the webserver itself points to the
directory where this lives so it can't be picked up by the search
spiders/bots accidentally, and make sure that you don't allow the
directory it lives in to have an auto-index.
Then, watch the server logs like a paranoid hawk with a caffeine
addiction problem and hope they bite, when they do, you know they've
read the other emails. You also have to make sure that you don't
accidentally open these emails yourself, or leave an open web browser
with your account where someone can randomly snoop.)
But of course, since you are using hotmail and you're about to receive
this email, if your account is watched, guess what, you can no longer
use this method. Oh well.
Tyler Durden wrote:
> Yes, but this almost misses the point.
>
> Is it possible to detect ('for certain', within previously mentioned
boundary conditions) that some has read it? This is a different problem
from merely trying to retain secrecy.
>
> Remember, my brain is a little punch-drunk from all the Fight Club
fighting.
> BUT, I believe that the fact that deeper TLAs desire to hide
themselves from more run-of-the-mill operations might be exploited in an
interesting way. Or at least force them to "commit" to officially
surveiling you, thereby (one hopes) subjecting them to whatever frail
tatters of the law still exist.
>
> A better example may be home security systems. If they're going to
tempest you, I'd bet they'd prefer not to inform your local security
company. They'd rather just shut down your alarm system and I bet this
is easy for them.
>
> BUT, this fact may enable one to detect (with little doubt) such an
intrusion, and about this I shall say no more...
More information about the Testlist
mailing list