Greetings all,

I know this might have been brought up before, so please disregard if so. Thought it might be of interest to some.

While looking for ways to indicate that nimda/codered etc. was pushed to a client within my network, I tripped across something completely unrelated, but interesting. It seems these email clients that utilize HTML formatting also send out information unknowingly. I know, nothing new, but here's the scenario. A spam email arrives, client opens/previews the email and its pretty gifs/jpgs etc., while at the bottom a link is retrieving what looks like a logo.

Example:

<a href="http://www.em5000.com"><img src="http://www.em5000.com/counter.php?client=newhorizons&email=myemail@addy.com&msgid=281101000" width="109" height="16" border="0" alt="em5000.com"></a>

What it does in fact is send information to a host (from the firewall's view):

12:54:01: %PIX-5-304001: 10.1.1.10 Accessed URL 66.77.58.92:/counter.php?client=newhorizons&email=myemail@domain.com&msgid=281101000

(from the host's view):

GET /counter.php?client=newhorizons&email=myemail@domain.com&msgid=281101000 HTTP/1.1

which in turn (I suppose) places my email address into a database that's used for spamming, i.e. verifying that my email address is valid.

While watching for this behavior, I saw about 10 other nodes/users do this, none of which knew the information had been sent out. Kind of sneaky if you ask me.

Cheers
-Joe
It seems these email clients that utilize HTML formatting also send out information unknowingly. I know nothing new, but here's

It's an old, but very good trick. They grab you from newsgroups the same way. Once they get you.. they'll get you good. em5000.com, pm0.com, m0.net and others are famous for it. What you do to stop it.. is up to you. Yet another reason to use Pine (or other HTML/browser impaired e-mail).
Participants (2): Joe Blanchard, mike harrison
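Added example, not part of either post: a way to spot the behaviour described in the thread from the firewall side, by scanning PIX URL log lines (the %PIX-5-304001 format quoted above) for requests whose query string carries an e-mail address. The function names are hypothetical, and every sample line except the first is constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Shape of the PIX URL log line quoted in the thread:
#   "<time>: %PIX-5-304001: <client> Accessed URL <server>:<path?query>"
PIX_URL = re.compile(
    r"%PIX-5-304001: (?P<src>\S+) Accessed URL (?P<dst>[^:\s]+):(?P<url>\S+)")
EMAIL = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")

# First line is the one from the post; the rest are constructed samples.
SAMPLE_LOG = [
    "12:54:01: %PIX-5-304001: 10.1.1.10 Accessed URL 66.77.58.92:"
    "/counter.php?client=newhorizons&email=myemail@domain.com&msgid=281101000",
    "12:54:07: %PIX-5-304001: 10.1.1.23 Accessed URL 66.77.58.92:"
    "/counter.php?client=newhorizons&email=user2%40example.com&msgid=281101000",
    "12:55:12: %PIX-5-304001: 10.1.1.10 Accessed URL 192.0.2.80:/images/logo.gif",
    "12:56:30: %PIX-5-304001: 10.1.1.31 Accessed URL 192.0.2.80:/search?q=firewall",
]

def find_beacons(lines):
    """Return one hit per query parameter whose value is an e-mail address."""
    hits = []
    for line in lines:
        m = PIX_URL.search(line)
        if not m:
            continue
        # parse_qsl percent-decodes values, so email=user%40host is caught too.
        query = urlsplit(m["url"]).query
        for key, value in parse_qsl(query, keep_blank_values=True):
            if EMAIL.match(value):
                hits.append({"src": m["src"], "dst": m["dst"],
                             "param": key, "email": value})
    return hits

def clients_by_destination(hits):
    """Group internal clients by the server that received their address."""
    grouped = defaultdict(set)
    for hit in hits:
        grouped[hit["dst"]].add(hit["src"])
    return {dst: sorted(srcs) for dst, srcs in grouped.items()}

if __name__ == "__main__":
    for dst, clients in clients_by_destination(find_beacons(SAMPLE_LOG)).items():
        print(dst, "received addresses from", ", ".join(clients))
```

The grouped output gives a list of destinations to consider blocking at the firewall and a list of clients whose mail readers are fetching remote images.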