Open Source and information security mailing list archives
From: alerta at redsegura.com (Alerta Redsegura)
Subject: leaking

In the specific case we are talking about here:

1. Somebody sends a message to the list from a web-based e-mail service.
2. All messages sent from this web-based e-mail service have a banner.
3. The banner is an "img" tag with an "a href" to click on it.
4. The banner is not shown via "script" tags.
5. Neither the sender nor the web-based e-mail service has the list e-mail
addresses: the message is sent to the list address!



Now, I repeat the question:

How can the web-based email service, in this particular case, gather email
addresses from the members of this list via this banner?



------

Aaron Peterson wrote:

>You don't _collect_ email addresses (they obviously already have it if they
>are sending you email with it, ;)  But you can verify email addresses with
>it.
>
>The easiest would be to put a hash or some other identifier of the user's
>email address in the url for the image, then have mod_rewrite rewrite the
>url (or not, who cares... you just wanted to verify the email address was
>good) to an actual image on your system, and log the embedded info and
>compare to your known addresses.

------

Jimmy Kuijpers wrote:

>The beatch is probably collecting our addresses for spam.

------







Iñigo Koch
Red Segura
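
A recipient-side check for the distinction discussed in this thread, as an added example that is not part of the original message: it lists the remote images in an HTML mail body and flags those whose URL carries an opaque identifier (the hash-in-the-URL case quoted above), as opposed to a banner whose URL is the same for every reader. The token heuristic, the function names and the sample hosts are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qsl

# Heuristic (assumption): long hex or base64url-like runs suggest a hashed or
# encoded identifier. Long ordinary file names can also match the second form.
TOKEN_RE = re.compile(r"^(?:[0-9a-fA-F]{16,}|[A-Za-z0-9_-]{22,})$")

class ImgCollector(HTMLParser):
    """Collect the src of every <img> and the <a href> that encloses it, if any."""
    def __init__(self):
        super().__init__()
        self.images = []   # list of (src, enclosing_href or None)
        self._href = None
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a":
            self._href = a.get("href")
        elif tag == "img" and a.get("src"):
            self.images.append((a["src"], self._href))
    def handle_endtag(self, tag):
        if tag == "a":
            self._href = None

def candidate_tokens(url):
    """Return path segments and query values that look like opaque identifiers."""
    parts = urlsplit(url)
    pieces = [seg.rsplit(".", 1)[0] for seg in parts.path.split("/") if seg]
    pieces += [value for _, value in parse_qsl(parts.query)]
    return [p for p in pieces if TOKEN_RE.match(p)]

def audit(html):
    """Classify each remote image as 'tagged' (URL carries a token) or 'static'."""
    collector = ImgCollector()
    collector.feed(html)
    findings = []
    for src, href in collector.images:
        if urlsplit(src).scheme not in ("http", "https"):
            continue  # cid: and data: images cause no network fetch
        tokens = candidate_tokens(src)
        findings.append({"src": src, "href": href, "tokens": tokens,
                         "verdict": "tagged" if tokens else "static"})
    return findings

# Constructed sample bodies; hosts and the token value are made up.
LIST_BANNER = ('<a href="http://webmail.example/">'
               '<img src="http://webmail.example/banner.gif"></a>')
TAGGED = '<img src="http://tracker.example/i/0123456789abcdef0123456789abcdef.gif">'

if __name__ == "__main__":
    for body in (LIST_BANNER, TAGGED):
        print(audit(body))
```

A "static" verdict means the URL cannot distinguish one recipient from another; fetching the image still shows the reader's IP address and user agent to the image host.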

