March 7th, 2008

userinfo senji
2008/03/07 14:37:00 - On spam, bbc news, and maliciousness.
ankaret posted a locked article expressing befuddlement at this BBC news article expressing befuddlement about:
"You shouldn't open a spam e-mail, because as soon as you open the e-mail up, it notifies the organisation that has sent that, saying this is a valid e-mail address. They know how long you've looked at it, when you looked at it and did you go back to it."

My reply has got rather long, and I'm sure some of my friends can add to it, so I thought I'd make it a post rather than a comment.

Firstly, some mail clients (of which I know Outlook is one) have a facility whereby, if the incoming mail has an appropriate header, they will send a "read receipt" to the sender to say that you've read the email. This feature can reportedly be turned off, and I don't know what the default setting is. I think it's unlikely that spammers are using it, and I haven't noticed anything suspicious like that in spams I'm getting.

Secondly, emails which appear to have attachments may instead have a link to a website or FTP site rather than the actual content of the attachment, so if the attachment is opened (deliberately or automatically) the contents will be downloaded and appropriate log entries made, which could identify which addresses worked. However, this feature (which is a really cool and useful feature and people should use it more for real attachments!) is rarely used, and by now most people know not to open attachments.

Thirdly, if you have HTML email, or some other kind of email display which tells your email client to go get subsidiary documents, then the email can ask for documents stored on third-party websites to be included, which can also produce useful log entries for determining if you've read the email. Whilst images are commonly cited as the example here, it is also possible that external CSS stylesheets or JavaScript scripts can be downloaded in a similar manner. This kind of tracking will, depending on web caching arrangements and firewalls, provide useful information to the spammer when you first look at the email, and possibly on later occasions (although the downloaded documents may well be cached for speed or offline access, meaning that they can't guarantee to find out about repeat accesses).

Fourthly, none of the above methods address the question of whether they can find out how long you've looked at the spam for, or rather none of the above methods easily permit that. However, a suitably "AJAX"-like JavaScript script, and I have no idea if any modern email clients will handle such, could itself make repeated requests of a suitable URL which the spammer could then analyse and say "The script requested the page every minute between 12:00 and 12:10 so we can assume that that target looked at the spam for at least 10 minutes".

Anyone who views rendered HTML email (as opposed to the source code) is at risk of methods three and four unless they've disabled all downloading of included content - not just images but external JavaScript and CSS, and possibly other things that I haven't thought of. I don't know which email clients download such content either at all or by default. I would seriously recommend not viewing HTML email in rendered form at all. As a further note, the Outlook 'preview' window will download images at least, so should be counted as "viewing" in this context.
Current Mood: busy
Entry Tags: ankaret, geeky, reply, spam
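
A way to check a message for methods one, three and four before rendering it, as an added example that is not part of the original post: it reads the raw source, reports a read-receipt request (assumed here to be the standard Disposition-Notification-To header) and lists every remote image, stylesheet, script or CSS url() a rendering client could fetch. The names audit, RemoteRefs and SAMPLE, and all addresses and URLs, are constructed for illustration.

```python
import re
from email import message_from_string, policy
from html.parser import HTMLParser

# Tag attributes a rendering client may fetch with no click from the reader.
FETCH_ATTRS = {"img": "src", "script": "src", "link": "href", "iframe": "src"}
# url(...) references in <style> blocks or style="" attributes.
CSS_URL = re.compile(r"url\(\s*['\"]?(https?://[^'\")\s]+)", re.I)

class RemoteRefs(HTMLParser):
    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        url = dict(attrs).get(FETCH_ATTRS.get(tag, "")) or ""
        if url.lower().startswith(("http://", "https://")):
            self.found.append((tag, url))

def audit(raw):
    """Return the read-receipt address and every auto-fetched remote URL."""
    msg = message_from_string(raw, policy=policy.default)
    receipt = msg.get("Disposition-Notification-To")
    remote = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        html = part.get_content()
        parser = RemoteRefs()
        parser.feed(html)
        parser.close()
        remote += parser.found
        remote += [("css", u) for u in CSS_URL.findall(html)]
    return {"receipt_to": str(receipt) if receipt else None, "remote": remote}

# Constructed sample message; every address and URL is a placeholder.
SAMPLE = """\
Disposition-Notification-To: receipts@example.invalid
Content-Type: text/html; charset="utf-8"

<html><head><link rel="stylesheet" href="http://t.example.invalid/s.css?id=abc">
<style>body { background: url(http://t.example.invalid/bg.png?id=abc) }</style>
</head><body><img src="http://t.example.invalid/p.gif?id=abc" width="1" height="1">
<script src="http://t.example.invalid/t.js?id=abc"></script>
<img src="cid:logo@example.invalid"></body></html>
"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```

The cid: image is an inline attachment carried in the message itself, so it is deliberately not reported; only references that would cause a request to a third-party server are.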


userinfo hmmm_tea
2008/03/07 15:20:33
I have to use Outlook at work. When I get an email with a return receipt request, it pops up a dialog and asks me whether I want to send a receipt (I think you can get it to send them as default, but it certainly looks as if Outlook's default is to ask).
userinfo senji
2008/03/07 15:36:18
What would Outlook consider "the current domain" to be in this context?
userinfo king_of_wrong
2008/03/07 15:45:00
Except that Outlook / Outlook Express haven't automatically downloaded the files in years - the "images not downloaded, for your protection" bar has been around longer than WinXP, IIRC.

Agreed on the technical analysis, though. It was a valid way for spammers to identify valid addresses, it was used in the wild, and it's now hopefully been plugged by everyone writing MUAs...
userinfo shadowphiar
2008/03/07 17:49:17
Another technique (which requires users to download attached images from remote webservers) is to put an image somewhere small and unobtrusive, with width and height specified in the HTML (so the page displays before it is downloaded). The image file itself is very large, but served very slowly by a specially configured webserver, getting only a few bytes per second. That way, the connection doesn't get closed for as long as the email window is open and the client is still trying to finish rendering it. The webserver can measure how far through the file each client actually got, assuming that the end point is when the window was closed.


On spam, bbc news, and maliciousness. - Squaring the circle... — LiveJournal
