lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
From: alerta at redsegura.com (Alerta Redsegura) Subject: leaking In the specific case we are talking about here: 1. Somebody sends a message to the list from a web-based e-mail service. 2. All messages sent from this web-based e-mail service have a banner. 3. The banner is an "img" tag with an "a href" to click on it. 4. The banner is not shown via "script" tags. 5. Neither the sender nor the web-based e-mail service have the list e-mail addresses: the message is sent to the list address! Now, I repeat the question: How can the web-based email service in this particular case, gather email addresses from the members of this list via this banner? ------ Aaron Peterson wrote: >You don't _collect_ email addresses (they obviously already have it if they >are sending you email with it, ;) But you can verify email addresses with >it. > >The easiest would be to put a hash or some other identifier of the users >email address in the url for the image, then have mod_rewrite rewrite the >url (or not, who cares... you just wanted to verify the email address was >good) to an actual image on your system, and log the embeded info and >compare to your known addresses. ------ Jimmy Kuijpers wrote: >The beatch is probably collecting our addresses for spam. ------ I?igo Koch Red Segura
Powered by blists - more mailing lists