Full Disclosure mailing list archives

Re: CSS in E-Mails possible E-Mail-Validity Check for Spammers?
From: Daniel Veditz <dveditz () cruzio com>
Date: Thu, 04 Nov 2004 11:53:42 -0800

plonk () datenritter de wrote:
> I think you all know how this enables spammers to use HTTP requests for
> CSS files to check the validity of e-mail addresses: Instead of
> embedding an image with an identification code assigned to the
> recipient's e-mail address in the address or as a parameter to the
> request, they can now embed an external style sheet definition in
> HTML code with the same "functionality". Analyzing the requests on the
> server will show the codes corresponding to valid e-mail addresses.

Services like Readnotify are already using techniques like this. Currently
the use of <iframe> is popular, for example.

Thunderbird 0.9 (just released) should block all the cases we know about
including CSS stylesheets and frames. In the Mozilla Suite the workaround is
to view messages as Simple HTML or Plain Text.

-Dan Veditz

Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
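
The remote-fetch vectors named in this thread (images, external style sheets, frames), as an added example that is not part of the original posts: a Python check that lists every URL an HTML mail part would make a rendering client request. The `tracker.example` host, the `ABC123` code and all function names are constructed for illustration.

```python
import re
from email import message_from_string
from html.parser import HTMLParser

# Tags whose attribute makes a rendering mail client fetch a remote URL.
FETCH_ATTRS = {"img": "src", "iframe": "src", "frame": "src", "link": "href"}
CSS_URL = re.compile(r"""(?:@import\s+|url\(\s*)["']?(https?://[^"')\s;]+)""", re.I)

class RemoteRefFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.refs, self._in_style = [], False   # refs: (kind, url) pairs

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        self._in_style = self._in_style or tag == "style"
        attr = FETCH_ATTRS.get(tag)
        if tag == "link" and "stylesheet" not in (a.get("rel") or "").lower():
            attr = None                          # only stylesheet links load on render
        url = (a.get(attr) or "") if attr else ""
        if url.lower().startswith(("http://", "https://")):
            self.refs.append((tag, url))
        self.refs += [("style-attr", u) for u in CSS_URL.findall(a.get("style") or "")]

    def handle_endtag(self, tag):
        self._in_style = self._in_style and tag != "style"

    def handle_data(self, data):
        if self._in_style:                       # text inside <style>...</style>
            self.refs += [("style-block", u) for u in CSS_URL.findall(data)]

def remote_refs(raw_message):
    finder = RemoteRefFinder()
    for part in message_from_string(raw_message).walk():
        if part.get_content_type() == "text/html":
            body = part.get_payload(decode=True)
            finder.feed(body.decode(part.get_content_charset() or "utf-8", "replace"))
    return finder.refs

# Constructed sample: one recipient code ("ABC123") carried by five fetch vectors.
SAMPLE = """Content-Type: text/html; charset="utf-8"

<link rel="stylesheet" href="http://tracker.example/s.css?id=ABC123">
<style>@import url("http://tracker.example/i.css?id=ABC123");</style>
<img src="http://tracker.example/p.gif?id=ABC123">
<iframe src="http://tracker.example/f.html?id=ABC123"></iframe>
<p style="background:url(http://tracker.example/b.png?id=ABC123)">hi</p>
<img src="cid:logo@example.com">
"""
```

Calling `remote_refs(SAMPLE)` returns the five remote URLs and skips the inline `cid:` image, which is served from the message itself and causes no network request.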
