COMMAND

HTML

SYSTEMS AFFECTED

HTML

PROBLEM

Alex Prestin found following. You may have heard of "web-bugs"
before. Or you may not have. For the benefit of the
less-experienced, here's what they are and what they do.

"Web bugs" are small, 1x1 (or similar-sized) transparent GIF
images which can be used to track the movement of a user around
the web. About 1 in 10 sites use them. Their effectiveness at
this task is somewhat questionable, but they can be used more
effectively for a different task.

Alex started noticing something very disturbing in the HTML in
spam mails recently. He started seeing web bugs. Below is an
example from a recent email:

See it? A web bug. If I opened this mail in an HTML-capable
browser, that little image would've popped up and You would've
been none the wiser. Your address would also have been verified
by the sender, and stored in a large database of valid recipients.

And if you were running WinNT 4 and that referrer pointed to a
server advertising a share, NT would send your username and
password to try to log you on without your knowledge. It could
be grabbed and sent back to your machine, logon, and the atttacker
would have all rights to your machince and network that the ID
you're using has.

SOLUTION

This is a client problem that needs to be supported there. For
example, Kmail - the KDE Mailer - has a "download remote URLs"
checkbox. Simply turning that off stops HTML mail messages from
having things like <img> tags being activated.

Under Outlook, this isn't possible, but there are some things you
can do...

In Outlook, you can use Message Rules to move emails with
"Content-Type: text/html;"/"Content-Type: multipart/alternative;"
to a HTML folder. This move does not 'preview' the mail, and
links are not parsed. When you get a few html mails in your
special folder, just disable the fw client (preventing outbound
connections) and view the mail. If you get html mail internally,
you can allow that in to your Inbox with some more creative rules.