InfoWorld
Window Manager
Brian Livingston
E-mail and Web 'moles' are getting downright dangerous for your Windows systems

IT WAS SAID a few years ago, when the World Wide Web was in its infancy, that e-mail would become the "killer application" that would make everyone want to get on the Internet. Millions of people have signed up for Internet access since then.

Yet, ironically, all this e-mail and access to the World Wide Web could end up killing our online security.

One reader reports that online businesses have figured out a way to send you a "mole" e-mail message.

This type of e-mail message automatically sends back your IP address and other information about your system to the online business -- whether or not you ever reply to the message.

The security of Windows users on the Web has been a concern of mine for years.

Back in an early 1996 column, I wrote that some Web sites were grabbing your e-mail address without your knowledge. These Web sites did this by including a command in the body of their HTML code to secretly cause an e-mail message to be sent from your e-mail program back to the business's Web site. The resulting message, of course, would contain your e-mail address. These companies could then either spam you themselves or sell your address to other spammers.

A later variation, which I described in a 1998 column, involved Web sites silently initiating an FTP download of a tiny file in the background. This FTP session, initiated by the Web site, also disclosed your e-mail address.

To their credit, the application developers of popular Web browsers had by this time started to close this security hole.

Netscape's Navigator 4.0, for example, automatically outputs the meaningless e-mail address mozilla@ when either of the above conditions occurs.

The embedded "at" sign fools the inquisitive Web site into thinking that your real e-mail address has been provided, even though nothing appears after the "at" sign.

The latest scam takes the earlier techniques to a higher level. Databases of e-mail addresses are now widely available, so marketers are after bigger and more personal details.

Reader Jim Mackraz says he's received e-mail from a major online financial services company that secretly sends back his IP address and other information about his system to the business.

The e-mail message does this by including an HTML tag for a graphic file that is only 1 pixel wide by 1 pixel high (in other words, nearly invisible).

In an e-mail program that displays HTML messages, such as Microsoft Outlook Express, fetching this graphic from the company's server deposits your IP address, your browser version, and other information into that company's log file.

The fetch command contains the address where they sent you the e-mail. This matches you with the IP address you're using.
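A mail filter can check for the two traits just described before a message is displayed. The sketch below is an added example, not code from the column or from Mackraz's site; the function names, the sample message, and the example.com/example.org hosts are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, unquote

def _tiny(value):
    """True when a width/height attribute is 1 pixel or less."""
    v = value.strip().lower().rstrip("px")
    return v.isdigit() and int(v) <= 1

class MoleFinder(HTMLParser):
    """Collects remote <img> tags that match the 'mole' pattern."""
    def __init__(self, recipient):
        super().__init__()
        self.recipient = recipient.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = {k: (v or "") for k, v in attrs}
        src = a.get("src", "")
        # Only http(s) images are fetched from the sender's server;
        # embedded cid:/data: images leave nothing in a remote log file.
        if urlsplit(src).scheme not in ("http", "https"):
            return
        reasons = []
        if _tiny(a.get("width", "")) and _tiny(a.get("height", "")):
            reasons.append("tiny")
        # The fetch URL carrying the address is what ties the IP to the reader.
        # Limitation: an opaque per-recipient token would not match this check.
        if self.recipient in unquote(src).lower():
            reasons.append("recipient-in-url")
        if reasons:
            self.findings.append((src, reasons))

def find_moles(html_body, recipient):
    """Return [(src, [reasons])] for suspicious images in an HTML mail body."""
    parser = MoleFinder(recipient)
    parser.feed(html_body)
    parser.close()
    return parser.findings

# Constructed sample message body (not a real e-mail).
SAMPLE = """<html><body><p>Your statement is ready.</p>
<img src="http://www.example.com/logo.gif" width="120" height="40">
<img src="http://tracker.example.com/t.gif?u=reader%40example.org" width="1" height="1">
<img src="cid:inline-logo" width="1" height="1">
</body></html>"""

if __name__ == "__main__":
    for src, reasons in find_moles(SAMPLE, "reader@example.org"):
        print(src, reasons)
```

A filter that gets a hit can drop the tag or refuse to load remote images for that message, which keeps the fetch, and so the IP address and browser version, out of the sender's log.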

Mackraz points out that "moles" violate several principles of safe computing.

* By matching your IP address with your e-mail address, a company can then try to cross-reference your real name, address, Social Security number, credit rating, and other personal information.

A Web site operator who buys this database could then use your IP address to try to identify you, personally, when your browser visits the site. I believe Web sites shouldn't be able to access personal information about visitors.

* Many IP addresses change frequently. But a malicious Web-site operator could see the IP address where you currently are and immediately e-mail you a Trojan horse program.

This program might exploit a security weakness peculiar to your specific browser version.

* Using their log file, spammers can tell how many hours elapsed before you viewed your e-mail. This enables them to compile lists of "hot contacts" (actively used e-mail accounts).

* If you innocently forward a piece of such e-mail to a friend or family member, the inquisitive company gets your friend's IP address, etc., when his or her e-mail reader fetches the tiny graphic.

Of course, this procedure only works if you use an e-mail program that supports HTML e-mail messages. Mackraz points out, however, that it's difficult or impossible to turn off the display of HTML in many e-mail programs.

You can see a small demonstration of this technique by visiting a page on Mackraz's Web site: www.mackraz.com/trickybit/readreceipt.

To fix some of the worst holes in Microsoft's Outlook Express, see www.tiac.net/users/smiths/acctroj/oe.htm. I'll provide more information about this problem next week.




Copyright 2001 InfoWorld Media Group, Inc.