Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Stopping "PattyMail" Email Bugs

kdawson posted about 8 years ago | from the quit-bugging-me dept.

248

An anonymous reader writes, "In the U.S. Congressional Inquiry into the HP spy scandal, it was revealed that HP used Web bugs to track the source of leaks. HP's Fred Adler considers them a useful investigative tool which HP will keep using. Since dubbed PattyMail after HP Chairwoman Patricia Dunn, Web bugs have been around for a while. But it turns out the vulnerability they represent is far worse than first thought. Microsoft Outlook won't have a patch until 2007. The company at the center of the scandal claims they've done nothing wrong. But could repressive governments use them to track down critics? Can anything be done to stop Web bugs?"

cancel ×

248 comments

Sorry! There are no comments related to the filter you selected.

pwn. (-1, Offtopic)

Anonymous Coward | about 8 years ago | (#16425069)

FP, bitches.

First Post! (-1, Offtopic)

nlindstrom (244357) | about 8 years ago | (#16425081)

First Post! What do I win?

Get rid of pics in emails (3, Insightful)

krell (896769) | about 8 years ago | (#16425095)

Ship all email programs by default configured to not show images in the mail. That would be a start. I've seen some web clients already that automatically filter out tiny "bug" sized graphics.

Re:Get rid of pics in emails (1)

BigDogCH (760290) | about 8 years ago | (#16425207)

"I've seen some web clients already that automatically filter out tiny "bug" sized graphics."

So why not just use a bigger graphic? Actually Outlook seems to block all graphics by default....so I don't see the problem. Though maybe it doesn't for internal mail.

Re:Get rid of pics in emails (1)

michrech (468134) | about 8 years ago | (#16425331)

So why not just use a bigger graphic? Actually Outlook seems to block all graphics by default....so I don't see the problem. Though maybe it doesn't for internal mail.

Or, if they are like any large business (or university, as is my case), it may be pre-configured in their system image to display graphics by default (at least on internal mail).

use Pine (3, Funny)

baomike (143457) | about 8 years ago | (#16425377)

easy way to eliminate all sorts of crap in emails.

Re:Get rid of pics in emails (4, Informative)

DaveCar (189300) | about 8 years ago | (#16425497)


The issue discussed in TFA does not involve image bugs but iframe bugs.

Now, I don't know, but they would potentially still be triggered if you were using a "convert to plain text" filter???

Re:Get rid of pics in emails (1)

thrillseeker (518224) | about 8 years ago | (#16425577)

I've seen some web clients already that automatically filter out tiny "bug" sized graphics.

A good fix would be to have your email client fetch all external files via a caching proxy server.

Huh? (4, Insightful)

mccrew (62494) | about 8 years ago | (#16425971)

A good fix would be to have your email client fetch all external files via a caching proxy server.

I don't think so. Please explain how your proposal would prevent the sender from detecting the user reading the mail in the following image tag, where the final part of the URL path is a uniquifier:

<img src="http://example.com/cgi-bin/genImage/lk3894343 ">

Re:Huh? (2, Interesting)

thrillseeker (518224) | about 8 years ago | (#16426267)

Please explain how your proposal would prevent the sender from detecting the user reading the mail in the following image tag, where the final part of the URL path is a uniquifier

It depends what the bug-sender is trying to do. If he wants to see that a particular person has opened a particular email, and he controls what identifier gets sent to that person, then by tracking when the identifier is loaded he may know that the email has been read. If an ISP fetches and caches the urls of all emails sent through its system in advance of them being opened, something a firm such as Google could do easily, then the sender loses that knowledge - all he knows is that the receiving system fetched his email. However, such a middleman requires an effort on the part of the ISP.

The concern here, I think, is that of email being forwarded when, in the opinion of the originator, it shouldn't. HP (or their hired underlings) is tracking the IP address of the various parties that fetch that url. This gives them a great advantage in trying to determine who has gotten the email. However, if the receiving client used a central caching proxy server, a'la Google Cache, then HP loses that knowledge - all it now knows is that someone somewhere in the world fetched that url once (because it is cached for some amount of time). A million people could fetch that email via Google Cache now and HP would be no wiser.

However, this doesn't obviate finding that email is sent out of an internal system - since the internal system is likely not using the external cache - however, this knowledge was more easily obtained anyway by looking at the internal mail system's logs of what went out.

Google would do the world a service, and also obtain even more valuable (to them) knowledge of what was out there in the interweb tubes by offering such a service for free for any to use, and also implementing it with their own Gmail system of course - adding a bit of code to Thunderbird, etc. to send a "pre-fetch" to a proxy cache would be trivial - if the url had been previously fetched the sender would not know it had been fetched again, and would neither know who fetched it. If the reciever decided to view the images in his email, then they would, because of the proxy-cache setting, now be fetched via the proxy cache.

Re:Get rid of pics in emails (4, Insightful)

Anonymous Coward | about 8 years ago | (#16425797)

This is a perfect opportunity for the often decried personal firewalls: Add a rule to allow the mail client to connect to the mailserver on the POP3 and SMTP ports (or IMAP port) and deny all other connections. Even if you use a client which can't be configured not to load external files, the firewall will stop the webbugs.

Re:Get rid of pics in emails (2, Interesting)

eric76 (679787) | about 8 years ago | (#16426005)

It doesn't have to be just graphics.

When readnotify was mentioned during the hearings, I signed on for a trial account. In the signup page, when it asked where I heard about them, I answered that I heard about them in the Congressional Hearings on Pretexting. One web bug they used in the test messages I tried was a wav file set to play at zero volume. I didn't look at the wav file itself, so I couldn't tell if there was anything malicious in the wav file.

I did the testing from an OpenBSD machine using Sylpheed. It didn't report that I had read the e-mails unless I copied and pasted a link from the e-mail headers to a web browser.

Re:Get rid of pics in emails (1)

SydShamino (547793) | about 8 years ago | (#16426081)

I have SpamVault set to automatically break web-based images in emails. Attached images show up fine; images pulled from external sites are broken.

The only times this has ever mattered to me (i.e. I needed to see the pictures), the email has a link at the top that says "Can't read this email? Click here!". This opens a web page with the information in the email visible. (This was, as I recall, for WoW newsletters.)

In all other cases, I'm better without the graphics, and web bugs won't work. It makes me feel safe enough (when using a web-based email viewer) to open some spam messages, to check the headers for some things, without confirming my address to the spammer.

Specific Suggested Preventative Steps (1)

kristoe (119153) | about 8 years ago | (#16426143)

If you read the sourced article, disabling HTML email would not be sufficient. The tracking marker is actually embedded in an attached document. Once embedded it turns invisible, so there may be some macro associated as well. It seems that a cascade of nefarious and default behavior of a suite of MSFT products allows unsophisticated users to be duped. Suggested steps to mitigate, if not entirely eliminate, the risk of PattyMail

1) Assiduously avoid MSFT products where possible.
2) If you can avoid all, avoid MSFT Word, the probably culprit in this case. Use OpenOffice instead.
3) If you can't do that, disable automatic macro execution in MSFT Word.
4) Do not use HTML email. HTML makes things PRETTIER, not more useful. Anyone in favor of HTML mail is either a spammer or cares more for form than function. HTML mail is a useless abomination. But I digress.
5) Install something like ZoneAlarm on your individual workstation and explicitly ban all MSFT Office products from accessing the Internet, without at least popping up a dialog box. This way, if there is a "phone home" mechanism hidden in a document, you'll know when it tries and you can intercede.
6) Set your email program to alert you and request permission before sending read receipts. Never auto-send them, and do not auto-reject them either. It's useful to know who's trying to check up on you. Then, once you know someone's trying to check up on you, refuse to send the read receipt.
7) If you must follow a questionable URL of dubious provenance, consider actually using an OLDER browser version. For example, Netscape v4.7 or older. It won't render many pretty things correctly, but who cares. More importantly, it also will simply ignore a lot of the more recent tags and syntax as being noise.

Yes. (4, Insightful)

AJWM (19027) | about 8 years ago | (#16425097)

Can anything be done to stop Web bugs?"

Um, how about not reading email in HTML? Even LookOut!, er, Outlook you can set to convert mail to plain text.

Re:Yes. (-1, Troll)

Joe U (443617) | about 8 years ago | (#16425171)

heheheh, u called it LookOut! heh.. u r teh s00per funnee.

Re:Yes. (0)

Anonymous Coward | about 8 years ago | (#16425217)

You aren't.

Re:Yes. (1)

computational super (740265) | about 8 years ago | (#16425681)

I laughed.

Re:Yes. (0)

Anonymous Coward | about 8 years ago | (#16426241)

so did i. =]

c'mon people. that shit was funny. quit being so stuck up. =P

Re:Yes. (1)

eno2001 (527078) | about 8 years ago | (#16425339)

I have my home e-mail server configured to reject all HTML messages. You'd be surprised how much spam that cuts out... Any n00bs who send me HTML mail get a bounce saying "Please don't use pictures or colored fonts in your messages to me. And get a REAL mail client like Thunderbird and configure it for text-only". And I don't care if they can't reach me. If you don't know how to configure your mail client for text-only, you shouldn't be using a computer as you are a hazard to the internets.

Re:Yes. (1)

mordors9 (665662) | about 8 years ago | (#16425415)

A real email client.... Thunderbird.... surely you meant Mutt ;-)

Pfft, you kids and your bloatware. (3, Funny)

Kadin2048 (468275) | about 8 years ago | (#16425709)

A real email client ... surely you mean UNIX mail?

That ought to be good enough for anybody.

Re:Pfft, you kids and your bloatware. (2, Funny)

imaginaryelf (862886) | about 8 years ago | (#16426157)

Pfft, cat + sed is my mail reader.

Re:Yes. (1)

eno2001 (527078) | about 8 years ago | (#16425747)

Actually, thanks for noticing the typo, I meant:

telnet [mailhost] 143
a01 LOGIN [username] [password]
a02 SELECT Inbox ... hehehehe

Re:Yes. (1)

Dare nMc (468959) | about 8 years ago | (#16425885)

> configure it for text-only


didn't work, since I easily tracked this text only email back to zdnet. [zdnet.com]


:^)

Re:Yes. (1)

tylernt (581794) | about 8 years ago | (#16426223)

While rejecting HTML email is rather extreme and not really viable for a business, I think a better solution would be to text-ify the HTML at the mail server, such as with the PHP striptags() function. Another option would be to drop HTML type MIME attachments, as most (but not all) senders also include a plaintext version of the email that you could still read.

That way you can still see the content, yet not annoy the sender. Should be pretty easy with Sendmail and a Procmail rule. It would break PGP S/MIME, though, since you're "tampering" with the email body.

Re:Yes. (1, Informative)

Anonymous Coward | about 8 years ago | (#16425359)

Um, how about not reading email in HTML?

If you're using Thunderbird [mozilla.com] , by default it won't display images in e-mails. Is says 'to protect your privacy, these images have not been shown', and offers a button to click to show the images.

Re:Yes. (1)

Speare (84249) | about 8 years ago | (#16425389)

Many email clients offer the chance to view only the plaintext representation, but if you forward the email to other parties, the html block continues to propagate. That means web bugs will still track most of the journey, as long as a number of people don't disable html or remote-image-fetching features.

How many people (besides c|net reporters today) are paranoid enough to view-as-text, cut and paste only the text, and then forward a sanitized version of the message? At this point, it's easier to just draft a new message and paraphrase, "Bob, did you see an email from Alice commenting about the Widget lately?"

But... (1)

BobBoring (18422) | about 8 years ago | (#16425921)

At this point, it's easier to just draft a new message and paraphrase, "Bob, did you see an email from Alice commenting about the Widget lately?"

A new message leaves the reference too vague for most Bid'ness Bob's to understand the question. You'd have to include the message or eight pages of text to get them into context on the discussion. That kind of defeats "it's easier" part of your suggestion.

Re:Yes. (2, Informative)

John.P.Jones (601028) | about 8 years ago | (#16425541)

In this case it isn't HTML that is the problem it is the automated referencing of external data (images) via HTML, my mail program kindly asks before downloading these images, a really nice sender would attach the images so I know they aren't tracking me.

Re:Yes. (1)

fermion (181285) | about 8 years ago | (#16426253)

And for all you anti-mac people, make sure that everyone knows that mail.app has no such default ability, proving that Windows is the ultimate OS and mac is the POS. The best you can do is not display remote images, which will solve the web bug problem, but not the phishing problem. Also, since the images are shown as question marks, instead of unredered HTML gibberish, the user is more likely to click the icon. Attribute this to the vast apple marketing machine, and one clear instance of general disregard for the customer. I mean how much would the addition on one little box cost them?

Duh, use a non html email client (1)

stabiesoft (733417) | about 8 years ago | (#16425107)

like pine

Re:Duh, use a non html email client (2, Insightful)

Sardonis (596687) | about 8 years ago | (#16425527)

pine is non-free (http://www.gnu.org/philosophy/license-list.html), use mutt

Re:Duh, use a non html email client (1)

DaveCar (189300) | about 8 years ago | (#16425559)


I honestly don't know, but assuming you are not viewing the source HTML but Pine's formatted text version of it, would Pine still trigger an IFRAME bug as it formats the HTML message?

Usual FUD (4, Insightful)

The Bungi (221687) | about 8 years ago | (#16425111)

Outlook is doing exactly what it needs to do, blocking download of images [zdnet.com] . If it lacks the specialization of countering these "bugs" that's too bad for corporate sleuths and leakers, but it does not expose the user to anything, this is not a vulnerability and the "patch" mentioned will simply give you an additional option regarding image handling. I wouldn't think the "let me forward this mail with the secret tracking device turned off" functionality was high on Microsoft's feature list when they released OLK2003.

Re:Usual FUD (3, Insightful)

NewWorldDan (899800) | about 8 years ago | (#16426259)

The only thing I don't like about Outlook's handling of this is that there isn't a way to download specific image files in the message. It's all or none.

Nothing new here... (1)

jo42 (227475) | about 8 years ago | (#16425113)

> 'Web bug'

Nothing new here. Saw this techinque, or do we call them "patterns" these days, used years ago by spammers.

Just set Outlook not to open image attachements...

Re:Nothing new here... (1)

smbarbour (893880) | about 8 years ago | (#16425455)

These are still used (albeit less frequently due to blocking) for email advertisements. In marketing-speak, they are known as "tracking pixels". They are commonly used to determine the number of "impressions" made in a CPM (Cost per mille (thousand)) campaign.

Tracking pixels are also used on web pages for CPA (cost per action (click-throughs)) and CPL (cost per lead (submissions)) campaigns.

Re:Nothing new here... (3, Informative)

DaveCar (189300) | about 8 years ago | (#16425609)

Bah. RTFA. It's not about image bugs.

Re:Nothing new here... (0)

Anonymous Coward | about 8 years ago | (#16425805)

Bah. RTFA. It's not about image bugs.


Exactly. In TFA it says the problem is iframe bugs. Most email clients will happily retrieve contents of an iframe, which has the same effect as an image bug.

"Can anything be done to stop Web bugs?" (4, Funny)

bunions (970377) | about 8 years ago | (#16425119)

Sadly, no. Since HTML is a vital component of email, this sort of vulerability is inherent in the 'email' system, much like compromised cookies and overridden passwords. Some time in the future, we may have an email system that is simply composed of raw text which would be invulnerable to such exploits, but for now we can only dream.

Moving forward. (4, Funny)

krell (896769) | about 8 years ago | (#16425187)

"Some time in the future, we may have an email system that is simply composed of raw text which would be invulnerable to such exploits, but for now we can only dream."

I've even heard that someone is working on a revolutionary OS that runs entirely in text mode, and uses command-line control, and is completely impervious to web bugs, Windows trojans, and other such infestations.

Re:Moving forward. (3, Funny)

Pinky (738) | about 8 years ago | (#16425463)

Ah yes, Amish OS 1.0.

Alternatively you can unplug the three pronged virus enabler device that runs from every computer to the electrical socket.

Apple Ultra Cube (1)

krell (896769) | about 8 years ago | (#16425601)

"Ah yes, Amish OS 1.0."

Ah. You might have also heard of the secret Apple Ultra-Cube project. An amazing revolutionary project that was revolutionary because not only did not come without a floppy drive, it came without USB and CD/DVD as well (in order for Apple to force us to leave behind clumsy legacy storage). Driver problems were a thing of the past: it interfaced equally well with ANY peripheral hardware available. The amazingly simple interface design completely got rid of cable-clutter. It was hard to steal due to ingeniously designed mass properties that made people tend to leave it where it was installed. It was completely impervious to any malware. They pulled the plug on the project once Dvorak found out that it was merely a painted cinderblock.

Re:"Can anything be done to stop Web bugs?" (1)

rhavenn (97211) | about 8 years ago | (#16425241)

HTML is NOT a vital companent of email. What MS porridge were you raised on? HTML has absolutely nothing to do with email and email works 100% fine without it.

Re:"Can anything be done to stop Web bugs?" (2, Funny)

Anonymous Coward | about 8 years ago | (#16425271)

Sir, your sarcasm detector appears to be malfunctioning.

Re:"Can anything be done to stop Web bugs?" (2, Funny)

rhavenn (97211) | about 8 years ago | (#16425373)

Darn it. I just had it replaced too.

Re:"Can anything be done to stop Web bugs?" (0)

Anonymous Coward | about 8 years ago | (#16425637)

Sarcasm detector? Like that'd be useful.

Re:"Can anything be done to stop Web bugs?" (0)

Anonymous Coward | about 8 years ago | (#16425735)

And how do you suppose people would put smileys into their messages, hmmm??? Removing HTML from e-mail would be like, like, oh, running a computer without a GUI.

It's inconceivable!

Re:"Can anything be done to stop Web bugs?" (1)

UP_Minstrel (70371) | about 8 years ago | (#16425891)

HTML is not a vital component of email. Never has been. Its been a vital part of making emails look pretty.

95% of the email I get is pure text in html formatting. HTML formatting is the crap packing peanuts you get in a box containing an item 1/10th the size of the carton used to ship it.

The other 5% is spam provided as images linked from web servers out on the net.

elm++

That's a Lot of Fallout (1)

eldavojohn (898314) | about 8 years ago | (#16425153)

In other news, Webster's Dictionary has replaced the word 'Machiavellian' with the word 'Dunnish' although the meaning will remain "Suggestive of or characterized by expediency, deceit, and cunning."

You know you've done something wrong when your name becomes a common term for something evil like PattyMail. I certainly hope she's still not blowing this off like she didn't do anything wrong. Then again, if everyone in corporate America does this, I hope that comes to light also.

Lesson for leakers (1)

From A Far Away Land (930780) | about 8 years ago | (#16425163)

Do not use a computer traceable to you, to pass sensitive information on to where you think it needs to go.

Print the email, and store it in a safe place.
Transcribe the information to another paper media, and pass that along as anonymously as possible - the mail with non-lick stamps and evelopes possibly.

Re:Lesson for leakers (1)

Constantine Evans (969815) | about 8 years ago | (#16425493)

It is quite probable that someone leaking information is going to take enough precautions that they will not be traceable by methods like this. The people who suffer most are those who aren't passing sensitive information along.

So, is it spyware? (4, Interesting)

BigDogCH (760290) | about 8 years ago | (#16425165)

Wikipedia explains web bugs. http://en.wikipedia.org/wiki/Web_bugs [wikipedia.org]

So, is this spyware, or not? I would say yes. The website is spyware, as it is tracking where it's user comes from....but then isn't all of the internet spyware?

The ZDnet article asks it best......"Phoning home? Deception? It must be spyware. Right? At least if you're a politician that's not well steeped in technology, it must be. Or is that the case? Maybe it is spyware after all. And maybe all HTML-based e-mail should visibly disclose that the page contains "tracking" elements with links back to more information on what those elements do and what the privacy policy of the sender is. Does PattyMail qualify as spyware and should the senders of HTML-based e-mail disclose their use of trackable graphical elements in the e-mail itself? Feel free to answer below."

Why would the sender have to do a thing? (1)

krell (896769) | about 8 years ago | (#16425245)

"maybe all HTML-based e-mail should visibly disclose that the page contains "tracking" elements with links back to more information on what those elements do and what the privacy policy of the sender is."

Why would the sender have to identify email as such? The "bad" senders would ignore such requirements anyway. Realize instead that any email client can easily recognize such emails by looking at the links inside the body of the mail. This would be extremely reliable and foolproof (i.e. anything that uses an outside linking HTML tag is suspect).

Solution is NOT regulation. (3, Insightful)

Kadin2048 (468275) | about 8 years ago | (#16425855)

This sounds like an invitation for some dumbass law "requiring" people to disclose when an email has tracking elements ... except that it would be impossible to enforce, and the spammers/malware-writers would just ignore it anyway.

The solution here isn't regulation. It's just for people to decide whether a feature (in this case, HTML mail) is really worth the risk.

Alterately, we could 'neuter' HTML mail so that only the most basic formatting commands worked; use it purely as a style markup language, with no iframes, images, or externally linked text. That seems like it would solve the problem while preserving the reason 90% of idiot users want HTML: so they can use bold/italic/flashing-red-text or whatever.

Wow, security holes ... for sale! (0)

Anonymous Coward | about 8 years ago | (#16425189)

I wonder what else will soon become a business model?

Furthermore, how is it that profits always outweigh ethics?

Plain Text Only (3, Insightful)

rhavenn (97211) | about 8 years ago | (#16425191)

Don't read your email in HTML format. Problem solved. a) There is nothing to be said in email that can't be said in plaintext and b) I really could care less to see your smiley face sig and pretty flower background.

Re:Plain Text Only (3, Funny)

Red Flayer (890720) | about 8 years ago | (#16426047)

Don't read your email in HTML format. Problem solved. a) There is nothing to be said in email that can't be said in plaintext and b) I really could care less to see your smiley face sig and pretty flower background.
Yeah, but wouldn't that be much more emphatic if it was written like this:

Don't read your email in HTML format. Problem solved.
  • There is nothing to be said in email that can't be said in plaintext and
  • I really could care less to see your smiley face sig and pretty flower background.

Re:Plain Text Only (1, Informative)

kristoe (119153) | about 8 years ago | (#16426067)

If you read the sourced article, disabling HTML email would not be sufficient. The tracking market is actually embedded in an attached document. Once embedded it turns invisible, so there may be some macro associated as well. It seems that a cascade of nefarious and default behavior of a suite of MSFT products allows unsophisticated users to be duped. Suggested steps to mitigate, if not entirely eliminate, the risk of PattyMail

1) Assiduously avoid MSFT products where possible.
2) If you can avoid all, avoid MSFT Word, the probably culprit in this case. Use OpenOffice instead.
3) If you can't do that, disable automatic macro execution in MSFT Word.
4) Do not use HTML email. HTML makes things PRETTIER, not more useful. Anyone in favor of HTML mail is either a spammer or cares more for form than function. HTML mail is a useless abomination. But I digress.
5) Install something like ZoneAlarm on your individual workstation and explicitly ban all MSFT Office products from accessing the Internet, without at least popping up a dialog box. This way, if there is a "phone home" mechanism hidden in a document, you'll know when it tries and you can intercede.
6) Set your email program to alert you and request permission before sending read receipts. Never auto-send them, and do not auto-reject them either. It's useful to know who's trying to check up on you. Then, once you know someone's trying to check up on you, refuse to send the read receipt.
7) If you must follow a questionable URL of dubious provenance, consider actually using an OLDER browser version. For example, Netscape v4.7 or older. It won't render many pretty things correctly, but who cares. More importantly, it also will simply ignore a lot of the more recent tags and syntax as being noise.

Paul Tomblin said it best. (4, Funny)

Tackhead (54550) | about 8 years ago | (#16425213)

> There may not be an easy way to disable it in today's email software, short of turning off HTML email entirely.

"The PROPER way to handle HTML postings is to cancel the article, then hire a hitman to kill the poster, his wife and kids, and fuck his dog and smash his computer into little bits. Anything more is just extremism."

- Paul Tomblin was talking about USENET when he said this, but he was right.

Re:Paul Tomblin said it best. (2, Funny)

muellerr1 (868578) | about 8 years ago | (#16425795)

How much do hitmen charge for dog fucking?

"smash his computer into little bits" (1)

Anomalyst (742352) | about 8 years ago | (#16425905)

> smash his computer into little bits
I thought bits were dimensionless like a point in a line, or the protagonist in "Points on a Plane" (still in production).

I can name the solution in four words (1)

Billosaur (927319) | about 8 years ago | (#16425259)

United States Postal Service

Four more words for you (1)

rewt66 (738525) | about 8 years ago | (#16425561)

Certified mail, return receipt.

US Mail is not safe either. (1)

arthurpaliden (939626) | about 8 years ago | (#16425947)

Don't do that. The Government will read your mail. After all you might be a terrorist? Why else would you send your stuff in a closed and sealed envelope. Do you have something to hide?

How about an anonymizer for mail-induced browsing? (1)

Animats (122034) | about 8 years ago | (#16425261)

Mail programs now need the option to retrieve images through an anonymizer.

Re:How about an anonymizer for mail-induced browsi (0)

Anonymous Coward | about 8 years ago | (#16425401)

Won't work. If the URL is message-specific, it does not matter where the request
appears to come from.

Re:How about an anonymizer for mail-induced browsi (1)

DigitalCrackPipe (626884) | about 8 years ago | (#16425611)

Mail programs now need the option to retrieve images through an anonymizer.

The problem is that the image name will allow the user to be traced, so requesting it anonymously still indicates who inititially got the email. The image name can be generated uniqe to each email sent.

Re:How about an anonymizer for mail-induced browsi (1)

Animats (122034) | about 8 years ago | (#16425807)

The sender knows who initially got the e-mail; that's the addressee. The main article was about tracking to whom the mail was forwarded. Forwarded copies will have the same image links as the original. So if the original recipient and the recipient of a forwarded copy both have anonymous image browsing, the original sender will know only that the message is being read again, but won't know from where.

Re:How about an anonymizer for mail-induced browsi (1)

sanermind (512885) | about 8 years ago | (#16425887)

That wouldn't work, at least as far as preventing someone from knowing you have opened the mail.

Mutt ! (2, Informative)

mpapet (761907) | about 8 years ago | (#16425319)

Mutt!

Finally! (2, Funny)

Anonymous Coward | about 8 years ago | (#16425383)

A word gayer than "blog." Thank you, Pattymail!

Re:Finally! (0)

Anonymous Coward | about 8 years ago | (#16426211)

Although the mods won't recognize it, this is truly the most insightful post I've read on /. in a hell of a long time.

More control of which images to view would be nice (1)

yuna49 (905461) | about 8 years ago | (#16425421)

I read mail in Thunderbird with images turned off. Unfortunately it's an all-or-nothing choice. A better solution would allow me to right-click a specific blocked image and let it through. That way I could see the images I want to see but still keep those little 1x1 gifs from phoning home.

Block hazardous html (1)

davidwr (791652) | about 8 years ago | (#16425433)

I use a web-based mail provider. It blocks images and a lot of potentially-hazardous html.

No reason a local mail client couldn't do the same. Ditto third-party security software that prescreened email.

Block in the firewall? (3, Funny)

DamienMcKenna (181101) | about 8 years ago | (#16425435)

How about blocking the offending IP ranges at the firewall level? Anyone know what IPs to block?

Not that easy (1)

Kadin2048 (468275) | about 8 years ago | (#16426207)

The problem is that it's not just a certain range of people who are doing this.

Tons of companies, including shady ones (spammers, phishers, Microsoft), use email tracking "bugs" to determine whether an email has been read, if an address is 'live,' or determine a user's IP address or location.

Blocking their IPs would be as nontrivial a process as blocking all spam-producing IPs. And we know that's not exactly easy (how's that going, SpamHaus?).

The "solution" in my mind, is just to block all the HTML elements which can trigger loading of resources from remote servers. Basic formatting tags, like italic, bold, and color are fine, as are paragraphs and basic CSS. But remote images are out -- if you want to include images, put them in the email as a MIME attachment where they belong.

Any time you load an image or other element from a remote server, you potentially give away your location, and information about your address (e.g., whether your email address is valid -- useful to a spammer). The only way to stop these sort of attacks is just to not load anything remotely. If it doesn't come in as part of the message, it should be loaded only upon explicit command of the user, and perhaps with the address displayed (in a dialog), item by item.

I can think of three ways... (1, Informative)

DoctorPepper (92269) | about 8 years ago | (#16425447)

Elm, Mutt, Pine. Need I say more?

I have to admit, I've done this... (1)

sugapablo (600023) | about 8 years ago | (#16425473)

I've included small images in emails to people. Images that were hosted on my webserver.

So basically, I'd just check my logs to see if they read the mail or not. In those logs, of course are IP, OS type, browser type, etc. I never really thought of it on the scale of a service such as ReadNotify, but I suppose, that's my shortsightedness, huh? :)

HTML mail doesn't need network access (1)

entrylevel (559061) | about 8 years ago | (#16425519)

Mail user agents should be allowed network access only for the protocols that are actually useful (POP, IMAP, MAPI, LDAP, depending on your needs, and the application's design).

Allowing the content of an e-mail message to establish arbitrary network connections at all (or at the very least, without daully authorized consent from the user) is an immediate and obvious security risk. I understand that it is easiest to simply embed a full-fledged web browser component in the mail client, but it does not need network access of any kind to render the content passed to it.

Any word on whether GMail is vulnerable to such web bugs? I know they do a lot of filtering to strip out javascript and image-based exploits, but this sounds to be iframe-based. I'm a bit busy to test it right now, but this might be the final straw that forces me to use mutt as my GMail front-end. (I love mutt, but the GMail web ui is one of the few e-mail interfaces I actually like better.)

Yay! At last someone bothered to read TFA (1)

DaveCar (189300) | about 8 years ago | (#16425827)


Instead of of smugly assuming you are invulnerable to image bugs like almost every other poster you took the time to read the article and determine it was about IFRAME bugs!

Most insightful post so far! Well done :)

Re:HTML mail doesn't need network access (0)

Anonymous Coward | about 8 years ago | (#16426023)

I tried crafting a simple html mail and sending it to my gmail account and the iframe didn't show up. Looks like gmail is safe. Or that I did it wrong.

Please don't send me Microsoft Word documents (0)

Anonymous Coward | about 8 years ago | (#16425545)

Sending Microsoft Word files can violate your privacy.
http://www.nothingisreal.com/dfki/no-word [nothingisreal.com]

Open source lagging again (0)

Anonymous Coward | about 8 years ago | (#16425571)

I been trying to get this tracking bug to work in my email reader, Mutt, but with no luck. Open source will never be viable on the desktop until we can get these kinds of features implemented.

I'm going to open a feature request witht the Mutt team, but I'm not very hopeful.

Here's a start: (1)

gblues (90260) | about 8 years ago | (#16425597)

Can anything be done to stop Web bugs?

$body =~ s///g; # get rid of IMG tags
$body =~ s/url\(.*\)//g; # get rid of CSS links too

Problem solved.

Nathan

Re:Here's a start: (1)

gblues (90260) | about 8 years ago | (#16425647)

Bah. Let's try that again:

$body =~ s/<img .*>//g; # get rid of IMG tags
$body =~ s/url\(.*\)//g; # get rid of CSS links too.

Problem Solved (take 2)

Re:Here's a start: (1)

Vengie (533896) | about 8 years ago | (#16425781)

Way to forget to use minimal matching. You just obliterated the entire body text. Your first replacement will remove everything from the first <img until the final /html>

Problem NOT Solved (2, Informative)

DaveCar (189300) | about 8 years ago | (#16425727)

This is NOT about image bugs, it is about IFRAME bugs.

http://www.freedom-to-tinker.com/?p=610 [freedom-to-tinker.com]

Security relies on ignorance (1)

erroneus (253617) | about 8 years ago | (#16425693)

The more I think about this the more I can appreciate the general simplistic truth of it.

As the demographic of Slashdot is generally technically inclined, we see workarounds as obvious "no brainers." We offer up solutions such as "use text-only! [idiot!]" Other things like keeping up with patches and the like are also pretty similar in nature.

The fact is, the general public is non-technical and wouldn't know where to begin to look for "web bugs" or any other such vulnerability.

And as for HP claiming they aren't doing anything wrong in this practice is, to me, just a step below Sony/BMG's arrogance displayed in their root-kit CDs. They too acknowledge no wrong-doing...

In the vein of "Cookies" (0)

Anonymous Coward | about 8 years ago | (#16425739)

Shouldn't these be called "Pattycakes"?

Spamhaus to the rescue? (1)

krell (896769) | about 8 years ago | (#16425801)

Now, if we can get Spamhaus (or someone similar) to put HP and readnotify on its block lists...

With Outlook, just use a software firewall (3, Insightful)

Curmudgeonlyoldbloke (850482) | about 8 years ago | (#16425815)

Using a crappy old version of Zonealarm here, but any decent software firewall would do the same.

Zonealalarm's pretty basic - it* only has concepts of "local" and "Internet" zones; simply ensure that the Exchange server that it wants to connect to is in the "local" zone and that Outlook can't access the "Internet" zone.

*the version I'm using, anyway.

Re:With Outlook, just use a software firewall (1)

fluffy99 (870997) | about 8 years ago | (#16426119)

Yup, just configure your software firewall to prevent Outlook from hitting anything but email ports on your email server. The drawback is that forwarding messages with these links can hang Outlook while it tries to retrieve the images.

Can anything be done to stop Web bugs? (4, Funny)

Otter Escaping North (945051) | about 8 years ago | (#16425909)

Can anything be done to stop Web bugs?

Funny you should ascii...

Re:Can anything be done to stop Web bugs? (2, Funny)

CDS (143158) | about 8 years ago | (#16426185)

ascii stupid question, get a silly ansi...

Two Solutions (1, Informative)

ewhac (5844) | about 8 years ago | (#16425929)

Solution #1:
  • Delete Outlook.
  • Install Thunderbird [mozilla.com] .
  • Open the Preferences panel.
  • Click on the Privacy tab.
  • Select the option, "Block loading of external images."
  • Select the option, "Block JavaScript."
  • Click OK.
  • You're done.

Solution #2:

  • Delete Outlook.
  • Install mutt [mutt.org] .
  • You're done.

Schwab

Solution number three... (1, Funny)

Anonymous Coward | about 8 years ago | (#16426065)

Solution number three:

less /var/spool/mail/me

Mailscanner (1)

terrymr (316118) | about 8 years ago | (#16426163)

Mailscanner [mailscanner.tv] is an excellent spam/virus/web bug scanning tool. It can be set to disarm iframe tags, block phishing emails and many other cool things.
Load More Comments
Slashdot Login

Need an Account?

Forgot your password?