
spam technique name?

From: Calderon, Juan C (CORP, DDEMESIS) <Juan.Calderon(at)ddemesis.ge.com>
Date: Tue Apr 22 2003 - 12:06:16 EDT


Hello all

Recently I was thinking about a technique that could be used by spammers. I don't know a common name or anything similar for such a technique, so if you know it, please let me know.

PROBLEM
        How can a spammer know if the victim opened the mail? One way is the well-known "Remove Me" link, which in fact confirms that the user read the message (and he will probably be bombed with many more, now that he has said "Hey, I'm here!"). However, it requires user interaction.

SOLUTION
        A simple "solution" can be to insert an Image, Link (for CSS, for example) or Script tag in the HTML mail; all those elements tell web browsers to send a GET request using the SRC or HREF attribute, without user interaction.

Sample code (mail sent to the fictitious peter@foomail.com):

<HTML>
<BODY>

Dear Peter<br>
Buy our brand new product, CHEAP, CHEAP, CHEAP....<br>
<!-- The tracking image that the text below refers to is missing from the archived
     copy of this post; this tag is a reconstruction that reuses the post's own URL. -->
<img src='http://www.spamer.com/ConfirmVictim.php' width='1' height='1'>
Click <a href='http://www.spamer.com/ConfirmVictim.php'>Here</a> to be removed<br>
NOTE: the presence of this link indicates this is not spamming even if you didn't ask for this email

</BODY>
</HTML>

Viewing (or "previewing" in Outlook or similar) this email will automatically send a request for an "image" file served by a server-side script, which first records the data without explicit authorization.

I've tested this (using the 3 different tags) with Exchange and some other public accounts. I succeeded in all cases.

So, have you seen something similar? Do you think this is a kind of XSS? I do.

Do you need help?

cheers :)



Juan C Calderon
IT Security

Received on Tue Apr 22 13:09:23 2003
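The defence the post's technique relies on being absent is a mail client or gateway filter that refuses to auto-fetch remote content. The following is an added example, not code from the post or from any mail client: a small HTML scanner that records every element of the three kinds the post names (img/src, link/href, script/src) whose target is an http(s) URL, replaces it with a comment, and leaves the rest of the markup untouched, including cid: inline attachments and plain <a> links, which need a click. The class and function names (BeaconScanner, scan_mail), the "likely tracker" heuristic (per-recipient query string, dynamic server-side extension, or a 1x1 image) and the tracker.example host in the constructed sample are all assumptions for the illustration.

```python
"""Scan an HTML mail body for remote-content "beacons" and neutralise them.

Added example, not code from the original post. Elements that make a mail
client fetch a URL without any click (img/src, link/href, script/src) are
recorded and replaced by an HTML comment; everything else passes through.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tags whose attribute triggers an automatic fetch. The list follows the three
# tags named in the post; it is an assumption that this is all a given client
# will fetch (modern clients also fetch e.g. CSS url() references).
AUTO_FETCH = {"img": "src", "link": "href", "script": "src"}

# Heuristic (assumption, not from the post): dynamic server-side endpoints and
# per-recipient query strings are typical of open-confirmation beacons.
DYNAMIC_EXTENSIONS = (".php", ".asp", ".aspx", ".cgi", ".pl", ".jsp")


def _is_tiny(value):
    """True for width/height values of 0 or 1 (a tracking pixel)."""
    return value is not None and value.strip().lower().rstrip("px") in ("0", "1")


class BeaconScanner(HTMLParser):
    def __init__(self):
        # convert_charrefs=False so entities are re-emitted verbatim, not decoded
        super().__init__(convert_charrefs=False)
        self.beacons = []       # findings, one dict per blocked element
        self.clean = []         # fragments of the sanitised HTML
        self._drop_end = None   # end tag to swallow after blocking <script>

    def _block(self, tag, attrs):
        """Record the element as a beacon if it auto-fetches a remote URL."""
        attr = AUTO_FETCH.get(tag)
        if attr is None:
            return False
        attrs = dict(attrs)
        url = attrs.get(attr)
        if not url or urlparse(url).scheme not in ("http", "https"):
            return False        # cid:, data: and relative references are left alone
        parsed = urlparse(url)
        likely = (
            bool(parsed.query)
            or parsed.path.lower().endswith(DYNAMIC_EXTENSIONS)
            or (tag == "img" and _is_tiny(attrs.get("width"))
                and _is_tiny(attrs.get("height")))
        )
        self.beacons.append({"tag": tag, "url": url, "likely_tracker": likely})
        self.clean.append(f"<!-- blocked remote {tag} -->")
        if tag == "script":
            self._drop_end = "script"   # its </script> must go too
        return True

    def handle_starttag(self, tag, attrs):
        if not self._block(tag, attrs):
            self.clean.append(self.get_starttag_text())

    def handle_startendtag(self, tag, attrs):   # self-closing form, e.g. <img ... />
        if not self._block(tag, attrs):
            self.clean.append(self.get_starttag_text())

    def handle_endtag(self, tag):
        if tag == self._drop_end:
            self._drop_end = None
            return
        self.clean.append(f"</{tag}>")

    def handle_data(self, data):
        self.clean.append(data)

    def handle_entityref(self, name):
        self.clean.append(f"&{name};")

    def handle_charref(self, name):
        self.clean.append(f"&#{name};")

    def handle_comment(self, data):
        self.clean.append(f"<!--{data}-->")


def scan_mail(html):
    """Return the beacons found in `html` and a copy of it with them blocked."""
    scanner = BeaconScanner()
    scanner.feed(html)
    scanner.close()
    return {"beacons": scanner.beacons, "clean_html": "".join(scanner.clean)}


# Constructed sample modelled on the post's mail; tracker.example is a placeholder host.
SAMPLE_MAIL = """<HTML>
<BODY>
Dear Peter<br>
Buy our brand new product, CHEAP, CHEAP, CHEAP....<br>
<img src="http://tracker.example/ConfirmVictim.php?id=peter" width="1" height="1">
<link rel="stylesheet" href="http://tracker.example/style.css?id=peter">
<script src="http://tracker.example/beacon.js"></script>
<img src="cid:logo@local" alt="embedded logo">
Click <a href="http://tracker.example/remove.php?id=peter">Here</a> to be removed
</BODY>
</HTML>"""

if __name__ == "__main__":
    result = scan_mail(SAMPLE_MAIL)
    for b in result["beacons"]:
        print(f"{b['tag']:6} {'LIKELY' if b['likely_tracker'] else 'remote'}  {b['url']}")
    print(result["clean_html"])
```

On the sample, the 1x1 image and the per-recipient stylesheet are reported as likely trackers, the script is reported as plain remote content, the cid: image and the "Remove Me" anchor survive untouched, and the returned clean_html can be handed to the renderer in place of the original body.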

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:50 EDT

