| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <4188343E.1030003@datenritter.de> From: plonk at datenritter.de (plonk@...enritter.de) Subject: CSS in E-Mails possible E-Mail-Validity Check for Spammers? This might be a minor problem in times of e-mail-collecting viruses and massive hijacking of SOHO-PCs. Still I wonder what you think about this: Mozilla Mail 1.7.1 (W98) and 1.7.3 (W98) (didn't check different versions) automatically load CSS-files which are linked from within an html-page sent in an e-mail, even though plug-ins and loading of images in e-mails are turned off. Of course, this only happenes, when you click the mail and when HTML-Mails are enabled. Mozilla tries to display the page and loads the CSS. I think you all know, how this enables spammers to use HTTP-requests for CSS-files to check the validity of e-mails-addresses: Instead of embedding an image with an identification code assigned to the receipients e-mail-address in the address or as a parameter to the request, they can now embed an external style sheet definition in HTML-code with the same "functionality". Analyzing the requests on the server will show the codes corresponding to valid e-mail-addresses. I used the "send page"-function of the Mozilla browser to to send a page to my own e-mail-account. When I click the e-mail, ethereal shows the HTTP-GET www.myserver.com/css/standard.css . How dangerous is this? What about possible CSS-exploits? Workaround suggestions ;-) - Cut your internet connection before reading any suspicious e-mails, you can probably live without the CSS. - turn off HTML in E-Mails (not possible in Mozilla?) p.
Powered by blists - more mailing lists