"Marcel Popescu" <[EMAIL PROTECTED]> writes:
> X-Loop: openpgp.net
> From: [EMAIL PROTECTED]
> To: Multiple recipients of list
> Sent: Friday, June 16, 2000 5:33 AM
> Subject: NameBase is unique!
>
> Have you seen what this fucker is doing? At the end of the message, there's
> this thing:
>
> [I removed the tags, just in case]
>
> window.open("http://199.170.132.104%2fcgif%2fc054010.html%3f.www.cookiefromhell.com", "_blank",
> "top=9999,left=9999,screenX=9999,screenY=9999,height=1,width=1,"+
> "location=no,resizable=no,scrollbars=no,status=no,toolbar=no");

He's doing what is a fairly standard exploit these days. He's opening
another browser window with an area one pixel square, and throwing it
either off the screen or at the far upper left hand corner. This opens
the connection, revealing your IP address to the other machine.

Other security vulnerabilities aside, this can be used to correlate
email addresses with nyms, correlate IP addresses with email addresses
or nyms, and some other similar things. It also probably provides a
smooth way to tell the server some things about your system. It'll
probably tell them what your OS is, and what browser you use. Also,
the guy might be able to deduce some things. If you haven't upgraded
MSIE from version 3 and you're running Windows 95, he can (correctly
or not) conclude that you haven't updated Windows with security
patches either. That's one example.

> Does that IP look like a good address to test your latest tools or what?

Sure does.

For reference, this is another guy returning ICMP destination
unreachable errors in response to pings. Port 80 is open. Port 23 is
open, but promptly closes the connection, probably indicating that
he's using either a honeypot program like Portsentry, or is using
hosts.deny.

The site is registered with Network Solutions as:

Blythe Systems (BLYTHE-DOM)
339 Lafayette Street
New York, NY 10012
US

The technical contact is named Bob Richards <[EMAIL PROTECTED]>.

The operating system appears to be Linux with a kernel version between
2.1.122 and 2.2.14. Wasn't there a nice setuid() bug in 2.2.14
exploitable from shell?

> I never studied the wonderful world of cookies. Will getting one also send
> my email to the server? If that's true, I'll have to expect even more
> spam...

With web browsers, particularly those from Microsoft, who knows these
days. This is another good reason not to honor things like Java or
JavaScript. If you're using a Microsoft product, this pretty much goes
without saying, given the routine holes in IE and Outlook.

I understand how interesting it can be to support these kinds of
extensions in email, but they almost universally aren't
necessary. Mail readers can just highlight things which look like
URLs, meaning that tags aren't required. Sooner or later there surely
*will* be a good extension format (HTML isn't it), but it will have to
be cross-platform, with good support and good integration. I don't see
that occurring anytime soon.
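
The hidden pop-up discussed in this message, turned into a mail-filter check; this is an added example and not part of the original post. The function names, the 10-pixel threshold, the assumed screen size and the sample body (with a documentation address as host) are all assumptions made for illustration.

```javascript
// Added example. SAMPLE_BODY is constructed; 192.0.2.10 is a documentation address.
const SAMPLE_BODY = `<p>Thanks for subscribing.</p>
<script>
window.open("http://192.0.2.10%2ftrack%2fc1.html%3fid=42", "_blank",
  "top=9999,left=9999,screenX=9999,screenY=9999,height=1,width=1," +
  "location=no,resizable=no,scrollbars=no,status=no,toolbar=no");
window.open("http://example.org/help.html", "help", "width=640,height=480");
</script>`;
const MIN_SIZE = 10;                           // assumed threshold, in pixels
const SCREEN = { width: 1920, height: 1080 };  // assumed display size

// Collect the string-literal arguments of each window.open(...) call.
// Literals joined with "+" are concatenated; backslash escapes are not handled.
function findOpenCalls(body) {
  const calls = [];
  const re = /window\.open\s*\(/g;
  while (re.exec(body) !== null) {
    const args = [""];
    let quote = null;
    for (let i = re.lastIndex; i < body.length; i++) {
      const ch = body[i];
      if (quote) { if (ch === quote) quote = null; else args[args.length - 1] += ch; }
      else if (ch === '"' || ch === "'") quote = ch;
      else if (ch === ",") args.push("");
      else if (ch === ")") break;
    }
    calls.push(args);
  }
  return calls;
}

// Turn "height=1,width=1,location=no" into { height: "1", width: "1", location: "no" }.
function parseFeatures(s) {
  const f = {};
  for (const part of s.toLowerCase().split(",")) {
    const [k, v = "yes"] = part.trim().split("=");
    if (k) f[k] = v;
  }
  return f;
}

// Report the real host and the reasons each call looks like a hidden tracking window.
function scanBody(body) {
  return findOpenCalls(body).map(([url = "", , features = ""]) => {
    const f = parseFeatures(features);
    const n = (k) => parseInt(f[k], 10);       // NaN when absent, so comparisons are false
    const reasons = [];
    if (n("width") <= MIN_SIZE || n("height") <= MIN_SIZE) reasons.push("tiny window");
    if (n("left") >= SCREEN.width || n("screenx") >= SCREEN.width ||
        n("top") >= SCREEN.height || n("screeny") >= SCREEN.height) reasons.push("off-screen position");
    let host = null;                           // percent-decoding exposes the true host/path split
    try { host = new URL(decodeURIComponent(url)).hostname; } catch (e) { /* unparsable URL */ }
    return { host, reasons, suspicious: reasons.length > 0 };
  });
}
```

A filter would quarantine or strip the script when `suspicious` is true and log `host` for correlation.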