Plain text email = good, html email = bad

date posted 23rd January 2001 22:08

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Just as another issue to html email think about this.

I am not saying that anyone on this list would do such a thing, but
it is definately possible and sending a single email to a list such
as this is an easy way to target many people all at once.

There was a discussion recently on theregister.co.uk about how a
graphic in an html email can be used to do nasty things. No bad code
in the email at all, just a plain graphic nothing sinister in that
itself. (or so you think)

I was reading the request for ideas and came up with a nasty solution
(purely for educational research)

Insert a 1*1 image (wouldnt be noticed by viewer) linked to a .cgi on
a remote server. The server receives the request for the image, and
serves the image.

The IP is passed to an aplication such as Snort etc. (basically a
vulnerabilty scanner) that wil scan the IP for vulnerabilites and
write the results to a log file. A cron job is set to run a further
script that will parse the log file and depending on results launch
an attack / infect / root the machine.

And people ask why I dont like html emails !!!!!

- --
Jason Duke || Tel +44(0)7050802831
Founder || Fax +44(0)7050802832
One Eye Group || Email [EMAIL REMOVED]

Looking Forward With Dedicated Vision

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.8 for non-commercial use

iQA/AwUBOm4ANJ9nP977T15sEQKFJgCcDhQlrDpIoDNCe9xgBbYmvyWn9usAnidi
EuorELQfiGNGosr6PrmPgXsj
=TqtG
-----END PGP SIGNATURE-----