lists.openwall.net - Open Source and information security mailing list archives
From: plonk at datenritter.de (plonk@...enritter.de)
Subject: CSS in E-Mails possible E-Mail-Validity Check for Spammers?

This might be a minor problem in times of e-mail-collecting viruses and
massive hijacking of SOHO PCs. Still, I wonder what you think
about this:

Mozilla Mail 1.7.1 (W98) and 1.7.3 (W98) (didn't check other
versions) automatically load CSS files which are linked from within an
HTML page sent in an e-mail, even though plug-ins and loading of images
in e-mails are turned off. Of course, this only happens when you click
the mail and when HTML mails are enabled. Mozilla tries to display the
page and loads the CSS.

I think you all know how this enables spammers to use HTTP requests for
CSS files to check the validity of e-mail addresses: instead of
embedding an image with an identification code assigned to the
recipient's e-mail address in the address or as a parameter to the
request, they can now embed an external style sheet definition in
HTML code with the same "functionality". Analyzing the requests on the
server will show the codes corresponding to valid e-mail addresses.

I used the "send page" function of the Mozilla browser to send a page
to my own e-mail account. When I click the e-mail, Ethereal shows the
HTTP GET for www.myserver.com/css/standard.css.

How dangerous is this? What about possible CSS-exploits?


Workaround suggestions ;-)

- Cut your internet connection before reading any suspicious e-mails;
you can probably live without the CSS.
- Turn off HTML in e-mails (not possible in Mozilla?)

p.
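The post's point is that a mail client which blocks remote images but still honours a linked stylesheet leaks the same "this address is live" signal. As an added example (not code from the post, from Mozilla, or from any mail filter), the following stand-alone Python check enumerates every remote fetch an HTML mail body would trigger if the client honoured it, covering linked stylesheets, `@import` and `url()` inside `<style>`, `url()` in inline `style` attributes, and `<img>` sources, and then flags those whose URL carries what looks like a per-recipient token (a query string or a long hex/alphanumeric path segment). The function names `remote_refs`, `audit`, `looks_like_beacon` and the sample mail `SAMPLE_MAIL` (with the constructed host `www.example.invalid`) are assumptions made for this example.

```python
"""Defender-side check: list the remote resources an HTML e-mail would
make a mail client fetch, and flag the ones that look like per-recipient
beacons.  Hypothetical helper written for this thread; the sample mail
below is constructed, not a captured message."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Matches "@import url(...)" / "@import '...'" and plain "url(...)" in CSS text.
CSS_URL = re.compile(
    r"""@import\s+(?:url\(\s*)?['"]?([^'")\s;]+)|url\(\s*['"]?([^'")\s]+)""",
    re.I,
)
# A query string or a long hex / alphanumeric run in the path is the usual
# place a sender puts a per-address identifier (compare "?id=..." images).
TOKEN = re.compile(r"[0-9a-f]{16,}|[A-Za-z0-9_-]{20,}")


class RemoteRefFinder(HTMLParser):
    """Collect (kind, url) pairs for every element that would cause a fetch."""

    def __init__(self):
        super().__init__()
        self.refs = []
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # html.parser lowercases tag and attribute names
        if tag == "link" and (a.get("rel") or "").lower() == "stylesheet" and a.get("href"):
            self.refs.append(("stylesheet", a["href"]))  # the case the post describes
        elif tag == "img" and a.get("src"):
            self.refs.append(("image", a["src"]))
        elif tag == "style":
            self._in_style = True
        if a.get("style"):  # inline style="... url(...) ..."
            for m in CSS_URL.finditer(a["style"]):
                self.refs.append(("inline-css", m.group(1) or m.group(2)))

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:  # <style> content arrives here as raw text
            for m in CSS_URL.finditer(data):
                self.refs.append(("style-css", m.group(1) or m.group(2)))


def is_remote(url):
    """True for http(s) and protocol-relative URLs; cid:/data: stay local."""
    s = urlsplit(url)
    return s.scheme.lower() in ("http", "https") or (s.scheme == "" and s.netloc != "")


def looks_like_beacon(url):
    """Heuristic: a query string or a token-like path segment marks a tracker."""
    s = urlsplit(url)
    return bool(s.query) or bool(TOKEN.search(s.path))


def remote_refs(html):
    """All remote (kind, url) references in the HTML body, in document order."""
    p = RemoteRefFinder()
    p.feed(html)
    p.close()
    return [(k, u) for k, u in p.refs if is_remote(u)]


def audit(html):
    """Return (remote references, the subset that look like per-recipient beacons)."""
    refs = remote_refs(html)
    return refs, [(k, u) for k, u in refs if looks_like_beacon(u)]


# Constructed sample: a mail that carries the identifier in a stylesheet
# link, an @import, and an image, plus a harmless background and a cid: logo.
SAMPLE_MAIL = """<html><head>
<link rel="stylesheet" href="http://www.example.invalid/css/standard.css?id=7f3a9c0e52b14d6e">
<style>@import url("https://www.example.invalid/s/7f3a9c0e52b14d6e.css");</style>
</head><body style="background: url(http://www.example.invalid/bg.png)">
<img src="cid:logo@local"><img src="http://www.example.invalid/t/7f3a9c0e52b14d6e.gif">
<p>Hello</p></body></html>"""

if __name__ == "__main__":
    refs, beacons = audit(SAMPLE_MAIL)
    for kind, url in refs:
        print(("BEACON? " if (kind, url) in beacons else "remote  ") + kind + " " + url)
```

Running it on the constructed mail lists four remote fetches and flags three of them; the plain background image is the only one without a token. A gateway or client-side filter that only inspects `<img>` tags would miss the first two, which is exactly the gap the post reports.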

