Fox Says Web Bugs = Virus Risk
Bonker writes: "Fox News is printing an expose on 'Web Bugs' used in concerto with HTML-mail spam. Along with outlining the dangers and the methods that Web bugs use to gather information, CERT's Jeff Havrilla is quoted as saying that these are pretty much ripe for illegally malicious activities, such as virus propagation. Harvilla says that Web Bugs would allow malicious virus creators to 'target' systems. Scary, wot?" *sigh* I can't even begin to describe how much the story irritates me - yes, there's truth to it. But it's more then just simple Web bugs - it's any sort of URL, given that you could create a unique URL for each spam. Take out the scare portion of the article, and just use the bottom line - don't click on spam URLs.
Program the HTML renderer in a unix mail program to be able to decide (at the whim of the user) whether or not to download foreign content.
The mail program can download and upload mail as it pleases, but the renderer itself can be told not to. That would zap web bugs.
========================
63,000 bugs in the code, 63,000 bugs,
ya get 1 whacked with a service pack,
--- Grow a pair, liberals... stop letting the Republicans bully you!
How true. Especially if you're on mailing lists and getting e-mails from people who you might not know anyway, it gets real difficult to differentiate some of the spam from actual legitimate e-mail. (Of course, not including a subject line doesn't help any...)
Some of it is really easy to tell. For instance, Amy and all of her friends who want to show me how they're working their way through college... no imagination in the subject lines. But when I get e-mails that fall in that gray area, over 50% of the time, I'm deleting spam e-mail, thanks to the wonders of AOL who seems to have sold my address to every jackass with a porn site.
And then there's the fact that not all spam URLs are easily identifiable. Mind you, I generally do not click on a URL in an e-mail unless it comes from someone I know and I can actually verify that they sent it. But with the numerous ways to re-direct URLs, what looks innocuous isn't always the case.
Of course, the harsh solution is to first kill all the spammers. Harsh to spammers at least.
Kierthos
Mr. Hu is not a ninja.
HTML-savvy email clients should have a configuration option that allows the user to disable fetching any off-site data - e.g., any IMG tags that are not embedded in the message, just as we can disable cookies that are sent to a different host in our web client.
I adblock all animated gifs.
Blessed be the prime numbered slashdotters
They are media sluts, willing to do anything for people to watch them almost to the point of being a soft-core porn network at times. Here in northern Va they're known for always opening with a murder or other scary story, and also for commercials like "Billy Bass boasts record sales! But what does it teach our children? Find out the horrible reality tonight on Fox News at six!"
Don't take them seriously, or any popular media seriously for that matter.
..but this has given me a nasty (read: worrying) idea:
What if a combination macro-virus-writer/spammer coded up another new exciting outlook-exploiting virus, that contained a web-bug that had a URL like "http://www.nastycheaphosting.com/~luser/bug.asp/unluckyoutlookuser@microsoft.com/1x1.gif"? Before their account was shut down, they could end up with quite a nice little list of email addresses to send spam to...
--
Pretend that something especially witty is here. Thanks.
Well, as far as privacy goes, there you don't have to "fall for" web bugs. If you are set to view HTML mail with graphics, and you display the message, they've got you. That's because it goes to the server to get that GIF that's in the HTML, giving a unique URL, and the server says "Ahh, I see from the URL that joeblow@anycomp.com got the email!" and issues a 1x1 pixel transparent gif.
The only way to not "fall for it" is to not display HTML mail. Either that or the reader could not display outside embedded stuff.
All Web pages collect this type of information. What makes this so special -- just because it is through email?
Give me a break.
--
Whatever you do, DON'T CLICK HERE!
Didn't there used to be a link on the windoze desktop with a "Click here and see a Text-Only Version of the Desktop?"
More to the point, tho...
All of you act like you're not part of the ubermind that knows everything about everyone already (courtesy of the non-local cosmic consciousness junction). The marketers are a part of you people. You have no need to hide from yourselves, do you? Let yourself slip into The Profile.
How about an email with a flash file attachment.
while it's running, it sends a message to your server telling you the email address of the person stupid enough to launch the attachment.
The next wave of email you send out only to those addresses, and attach the virus instead
OR, instead just sell your database of stupid users
certainly very evil possibilities exist here
"Me and my girl named bimbo . . . limbo . . . spam" - Captain Beefheart.
That's because they were paid by advertisers. With spam, nobody is paid to carry the ad, thus nothing is funded by the advertiser.
It's actually worse than that. Spammers use the resources of others (bandwidth, storage space) at no cost to themselves. They actually force the cost of their "advertising" on the users who never requested this junk in the first place. This is the exact opposite of the model used in printed media today, and is what makes spam so undesirable for a consumer and so appealing for a marketer.
--
Too lazy to come up with a clever sig.
Are you an idiot? That's a page counter, not a web bug. The difference is that you choose to access slashdot, whereas in the case of a web bug, you are secretly forced to visit someone's site through an unsolicited e-mail.
Your rhetoric seems a bit inflammatory - the worst case scenario here is that a spammer becomes aware that you have opened their e-mail (assuming you are online when you read it). What you describe as automatically executing code from a remote, untrusted source sounds scary, but it's just javascript! With the exception of the scriptlet/eyedog bug in IE5, javascript is pretty much harmless. So don't worry about it - report the spammer to Spam Cop, create a filter for your e-mail client or just delete, delete, delete.
i.e. any form of "enhanced" text for email should have been designed to be easily readable on something which didn't render it.
Thus, the WINMAIL.DAT. Oh yeah, we don't like that either....
In reality, pretty much every Text/HTML MIME part comes with an accompanying Text/Plain part, which is the two sizes fits all solution. Problem is, there is no way to tell Netscape/Outlook/etc to display the text part instead of the HTML part.
Using content-based markup is a great idea, but someone would need to create a standard list of CSS classes so that different clients can interoperate. (Things like '.message', '.reply', '.forward', 'quote', etc.) And then, you'd probably also need standard HTML presentation tags for back-compatibility.
Perdida writes:
> Radio shows were sponsored by advertisers and all of their content was, in that sense, a form of spam.
I don't see how you could be more wrong. Email spam, by definition, is an ad in a medium that isn't supported by ad revenue. The spam ad uses resources that the spammer did not pay for - my CPU cycles, my disk space, my network connection time. In effect, email is free to the spammer. Broadcast radio is free to me, but not to the advertiser. The advertisers pay for me. That's a dramatic difference, and one, I think, that you're deliberately ignoring, because you go on to write:
> The freedom of advertising IS the freedom of the press.
Again, you couldn't be more wrong. Advertising has never, ever been a form of protected speech. Why do you think we have such things as truth in advertising laws? I doubt that anyone has proposed a rational argument for considering advertising as free speech.
> Remember, spam is the tool of the small business, the underdog- he who cannot afford the banner ads and other less obtrusive forms of advertising.
Remember that spam is the tool of the small-time crook, the thief - he who doesn't want to pay his own way on the internet, but wants to do the most obtrusive form of advertising.
Advertisers brought us magazines, daily newspapers, radio theater
That's because they were paid by advertisers. With spam, nobody is paid to carry the ad, thus nothing is funded by the advertiser. Magazine advertisers pay magazine publishers who give us magazines, television advertisers pay television companies who give us television, spammers pay nobody so we get nothing. Spam isn't going to bring us anything, because spammers don't pay anyone.
The only really good claim that they come back to in that article, and a valid one, is that spammers can now discern whether or not you opened the e-mail.
This is even better than asking you to reply with a "remove," in order to get you on even more lists. This way, you can become a premium beneficiary of their spam enterprise without any direct involvement.
Good job Congress. At least telemarketers can be stopped.
While I agree with many of the other posters concerning the age of "web bugs," not following spam URLs and the like, I can't help but hope that this sort of thing will add impetus to making spammers get what's coming to them.
Rather than saying, "Spam is like getting postage due mail that can't be refused," perhaps now we can point to some, hopefully many, instances of spam and say, "This spam is extremely likely to be a virus carrier that could wipe out millions of Windows machines worldwide simply by being received." Maybe THAT could jumpstart some law-making and prosecution.
Although, as we all know, in the US, while lawmaking is easy, actually following through on the part of the government is rare.
--
"Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
A couple days ago I started filtering all HTML email straight to the trash. I did this for a few reasons. The main reason is that 90% of "real" email is non-html (I told friends that they'd go in the trash and I wouldn't even know they sent it if they didn't fix their settings if on HTML), and 95%+ of hard-to-recognise spam (email "newsletters" from companies you've never used, etc) is html. What goes with this is that HTML email can have "web bugs" and other tracking in them too... You could be tracked just by reading an email (looking around before doing this I found this rather common). This has been mentioned before on /. and also other places, but people seem to keep forgetting. The filter has been very effective (all unwanted email over the few days it's been), and only one bad filter (from someone who didn't know about it).
2) Automatically executing code from a remote, untrusted source is bad, kids.
I haven't seen a web bug that actually executes remote code on the local client machine unless you consider JavaScript code to be unsafe. Sure JavaScript can be unsafe if your browser's interpreter has an implementation bug or you consider certain information like screen resolution, local timezone and other browser options to be private, but we are not talking virus risk here.
The Web Bug FAQ for more information. In particular note that it does list some non-evil uses for web bugs:
Another use of Web bugs is to provide an independent accounting of how many people have visited a particular Web site.
Web bugs are also used to gather statistics about Web browser usage at different places on the Internet.
E.g., If you want your site to run at the fastest possible speed, you might host static HTML with a globally traffic managed web caching or hosting company like Akamai or Speedera. But you still would like to get logs directly for analyzing traffic to your site and comparing with the web hosting company's bills. So you place a web bug on your pages directly back to your origin site (or third party like LiveStat). The user experience is still fast if done right, because the slow logging to your server occurs after the page is rendered.
The Privacy Foundation discovered this type of abusive capabilities in MS Word documents back in August of 2000. The potential uses for this exploit ranged from tracking the distribution of sensitive documents to malicious things similar to the ones described in the WebBug article. The advisory also mentioned the ability to perform the same functions in Web pages, Excel spreadsheets and Powerpoint 2000 presentations.
This is not a Fugazi
Take for instance the company itraceyou.com. This company provides a free service for users to be able to receive confirmation emails when their email has been opened. I think that would come in useful for anyone of us. Isn't that a legitimate use for the web bug?
What troubles me more is that they are attempting to patent this (what seems to me), kind of obvious method of receiving a notification when an email is opened.
Visit the company info page for information on the pending patent. Should this actually be granted?
A virus that used the Web bug technique could essentially conduct a poll of potential victims to determine whether or not they would be good targets.
Woop-de-doo. It's not expensive to sneeze viruses all over the world, so why bother targeting? And the majority of the world - present company excluded - uses Win32 and IE - or IE-based AOL. You don't get a hell of a lot more useful info out of your basic HTTP headers than that.
The profiling is disgusting. The increased threat of virus is negligible.
If anything, the thing that opening the email does is advertise "I'm an idiot. Here's my IP address. Crack my system. (Hint: I'm the kind of person whose password is the same as my username)."
Spammers hide the information in the URL of an invisible image which is automatically loaded by (stupid) HTML-based mail readers.
It's a case of stupidity compounded by stupidity. HTML was never a good idea for email in the first place. (i.e. any form of "enhanced" text for email should have been designed to be easily readable on something which didn't render it. The output of email programs which generate HTML appears to have been specifically designed to be cryptic to anything other than a web browser.) This is compounded by simply feeding it to a web browser engine. Without at minimum removing external links and JAVA/JAVAscript/Active X/etc.
Hmm... embedded HTML/images security risks, endless Java security alerts, 1x1 invisible tracking GIFs, the recent Flash plug-in security alert, all the problems with javascript...
God, I'm glad I use lynx and pine. It's a shame though, when a site is inaccessible for those without javascrapt... what ever happened to "Click Here to see a Text-Only Version of this Page" ?
--TheOrangeSquid Is it any wonder things seem so awry? We swim in a sea of confusion and don't have to think to survive
I'm way too late, but the answer is simple: Set the log to record the User-Agent: header. Presto, a list of all users who read the e-mail, what e-mail client they used, and for most clients, the OS they are running.
This information can be invaluable:
grep IE /var/log/httpd/access_log
Presto, a nice list of everyone who accessed using some version of IE (I don't know what Outlook sets the User-Agent to). If you set it up to have a query string with the e-mail address recorded (ie, http://www.example.com/bug.gif?user@example.net - generated through your spam-script) your log suddenly includes the e-mail address too. This is how much information you can record and why this can be a threat - especially coupled with the fact that the most insecure clients download the images without user-option.
You are in a maze of twisty little relative jumps, all alike.
My personal favorite is when I received spam from a company that was trying to sell me intrusion detection software.
There's just something ironic about that.
How to rationalize theft.
If you want something that is free and filters webbugs, among other things, from your browser, check out webwasher.
Moving at the speed of government.
What are you talking about? All the author has decided is the linearization of text with HTML. You can decide fully how it will be represented with CSS. And anyways, you're supposed to be writing XHTML, which is an XML application anyways, so your point is moot; I could use XSL to reorganize the linearization of data how I please
Actually recent versions of PINE(greater than > 4.2 maybe?) do render HTML. Of course it doesn't autoload images or anything, but HTML isn't really the problem. It's fuckwitted software that likes to automagically load everything up at once under the guise of "of course the user will want to load this image". And the truth is, your average lamebrain windows user, even if confronted by the option of turning off images from remote sites, they would say no because they don't know any better and would think it meant that they would no longer be able to receive emails with porno pics of the "woman" he has been having cybersex with in some java based chat room(never mind the fact that this "woman" is really a 500pound biker guy who has a thing for giving enemas to people).
Anyway, the marketeers like to be able to track ROI and whatnot. So a little bit back, we started sending multipart MIME messages, and including the company logo in the HTML version. Result: the ability to tell them "Okay, in the first 7 days after the mailing, N people opened the message with HTML-capable mailreaders while online." Obviously, the actual number of people reading it is greater, but these days, probably not by much.
Around that same time, I modified the Perl stuff that sends the mailings to stick a query string on those images, i.e. "/hdr1.gif?7kdtP-SeV" or whatever, populating it with an encoded version of a string containing stuff like the date it was sent, the filename of the message that was sent, and the registered userid (on our site) the address corresponded to.
On the back end, more Perl looks at various and sundry logs, and goes through the process of "Hey! CMDRTACO read the e-mail. Hmmm. CMDRTACO clicked through to the site from the e-mail. Hmmm. CMDRTACO logged into the site. Hey cool, CMDRTACO bought something, cha-ching!" and so on.
I'm actually doing some finessing today to automate things a bit. Perl hacking, fun fun fun.
--
I dunno if this will be any use to anyone, but here goes...
Those web-bugs are so small that you can't easily right-click and block image from server. I started to put a page together a while ago where I take the webbug, as I find it, put it on a page where I've expanded height and width to 50x50, in order to be able to right-click and block em.
I was thinking about writing a cgi that would allow people to enter an URL and offending page/company name and add to the page, but I've not had time to do it.
If you want to see the page, click here. If anyone wants to help throw together the cgi for such a page, or even gets one going, contact me.
Web bugs are more evil than your average URL link because you have to click on the link, whereas a web bug (and the potential attached evil code) gets loaded automatically if you have an HTML-enabled mail viewer. Stuff like this is why I have intentionally avoided HTML-enabled mail clients. Automatically executing code from a remote, untrusted source is bad, kids.
Why Hemos went on a rant, I don't know. Yes, the article doesn't mention URLs in spam, but that's because they're less insidious than web bugs. Presumably, if you click a spam link, you get what you deserve.
Hemos is right, don't click spam links. You should also keep from giving out your real email address. These are all common sense things. There are a lot of classes offered about how to use the internet, I think that spam avoidance should be part of them.
Opportunities multiply as they are seized. --Sun-Tzu
Load slashdot and check your source. Scroll down and look for this:
<!--
now = new Date();
tail = now.getTime();
document.write("<IMG SRC='http://images2.slashdot.org/Slashdot/pc.gif?/article.pl,");
document.write(tail);
document.write("' WIDTH=1 HEIGHT=1 BORDER=0>");
document.write("<IMG SRC='http://images.slashdot.org/pagecount.gif?/article.pl,");
document.write(tail);
document.write("' WIDTH=1 HEIGHT=1 BORDER=0><BR>");
//-->
</SCRIPT>
<NOSCRIPT>
<IMG SRC="http://images2.slashdot.org/Slashdot/pc.gif?/article.pl,978666575" WIDTH=1 HEIGHT=1 BORDER=0>
<IMG SRC="http://images.slashdot.org/pagecount.gif?/article.pl,978666575" WIDTH=1 HEIGHT=1 BORDER=0>
The latter is clearly a page-counting mechanism (or so it appears), but wouldn't the non-hypocritical thing to do still be to remove one's own webbugs before posting yet another exposé on the dangers of others' webbugs? At least for appearances' sake?
Consider for a moment that, when perusing most media-- be it a magazine or your snail mail- you are accustomed to advertising in many forms. As a matter of fact, many new media are created for the very purpose of bringing ads to your eyes and ears.
They created 3-d vision and smellovision in the movies because movie theaters, at that time, were major purveyors of advertising. Radio shows were sponsored by advertisers and all of their content was, in that sense, a form of spam.
Why do we get angry when an ingenious marketer slips in an intrusive, but fundamentally harmless, web-bug? If the spam were a virus and crashed a system or deleted data, it would be counterproductive to the spammer's purpose, marketing.
The freedom of advertising IS the freedom of the press. Advertisers brought us magazines, daily newspapers, radio theater, and many other aspects of our culture that have become highbrow, in some way BEYOND advertising. Give spammers respect- and a bit of freedom-- don't threaten them with punishing lawsuits and jail time! Otherwise, very few people without previously existing monolithic web presences will choose to do business on the Web. Remember, spam is the tool of the small business, the underdog- he who cannot afford the banner ads and other less obtrusive forms of advertising.
Goat sex free since 2001
It seems only fair to me ;)
--Anticipation of a New Lover's Arrival, The
The trick is that if somebody views the spam, as a convenience the browser loads the images specified in the tags, and most web bugs are 1x1 pixel images that the user doesn't notice, but still generate a get request, often with a cookie sent along with it. The average user is not going to find browsing/etc... with "auto load images" turned off a tolerable functional browsing experience.
my solution is not to run an HTML-aware mail program. I delete anything that is not text/plain unless i'm _very_ sure of the source...
---
Play Six Pack Man. I
You say that HTML-enabled mail clients automatically download the web bug in question.
Eudora for the Mac (but not for PC) has an option to not download remote HTML graphics. All HTML will be displayed, and all images sent with the message are displayed, but no remote server is accessed.
This is A Very Good Thing. (tm)
There are other possibilities out there.
- (c) 2018 Hank Zimmerman
(No matter how good your security is, you can't stop users from hurting themselves by running untrusted code. Scare tactics stories "virus threats" only make the problem worse.)
MSK
This may allow a creator of one of these new breed script virii to better target mailboxes, but the weak link remains the same: the user who opens the attachment. In the past, virii relied on technical holes for their propagation; now it's simply the gullibility of a large number of users. Besides, the victims of these scripts are not targeted by the author except in the very beginning of an outbreak; rather, they (voluntarily or not) send the message along to each other. So the better-aimed shotgun that "web bugs" might create would really make little or no difference in the spread of a modern email worm.
By the way, did anyone else notice Fox News is printing an expose on 'Web Bugs'? I suppose that's print in the "printf" sense, not the "ink-on-paper" sense ;)
Making matters worse, these email bugs have moved beyond the domain of "get-rich quick" and porn spam. Even companies you might consider legitimate have been doing this. One would think financial institutions would be particularly concerned about privacy, but I have found email bugs lurking in mail from both E*Trade and American Express.
While these bugs aren't very effective against those of us who use pine, mutt, etc., they set a dangerous precedent. If users tolerate applications retrieving untrusted data from the net without notification or permission, we could see even worse abuses like this in the future.
Unfortunately pressuring application vendors to respect our privacy is not always fruitful. And with closed-source applications, you often have no idea what they are up to. I was glad to see that some of the Windows "personal firewall" programs such as ZoneAlarm offer features that alert users to unexpected outgoing connections made by applications. Users can define notification policies based on their own privacy concerns. I haven't run across similar software for Linux, although it wouldn't be hard to write. And it isn't quite as important on Linux since fewer users download/buy untrusted binary-only programs.
Cheers,
Fyodor
Concerned about your network security? Try the Free Nmap Security Scanner.
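The behaviour several commenters in this thread ask of a mail reader (show the text/plain alternative when there is one, and never fetch images that do not travel with the message) can be sketched as below. This is an added example, not code from any comment or mail client; `triage`, `classify`, the heuristics and the sample message with its example.com/example.net addresses are constructed for illustration.

```python
import re
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit

# Heuristic (assumption): 8+ URL-safe characters in a query look like a per-recipient ID.
TOKEN = re.compile(r"[A-Za-z0-9_.\-]{8,}")

# Constructed sample: one embedded logo, one remote image with an opaque ID,
# and one 1x1 image whose URL carries the recipient's address.
SAMPLE = """\
From: offers@example.com
To: joeblow@example.net
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Hello, plain text version.
--b1
Content-Type: text/html; charset="us-ascii"

<html><body><p>Hello</p>
<img src="cid:logo@example.com" width="120" height="40">
<img src="http://www.example.com/hdr1.gif?7kdtP-SeV" width="300" height="60">
<img src="http://www.example.com/bug.gif?joeblow@example.net" WIDTH=1 HEIGHT=1 BORDER=0>
</body></html>
--b1--
"""


class ImgCollector(HTMLParser):
    """Collect (src, width, height) for every <img> tag in an HTML part."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag and attribute names for us.
        if tag == "img":
            a = {k: (v or "") for k, v in attrs}
            self.images.append(
                (a.get("src", "").strip(), a.get("width", ""), a.get("height", ""))
            )


def _tiny(width, height):
    """True when both dimensions are given and are at most 2 pixels."""
    return all(d.strip().isdigit() and int(d) <= 2 for d in (width, height))


def classify(src, width, height, recipient):
    """Return the reasons an image would phone home; [] if it travels with the mail."""
    try:
        parts = urlsplit(src)
    except ValueError:
        return ["unparseable"]
    # cid: and data: images are inside the message; anything with a network
    # scheme or a host part (including //host/...) needs a remote fetch.
    if parts.scheme.lower() not in ("http", "https") and not parts.netloc:
        return []
    reasons = ["remote"]
    if _tiny(width, height):
        reasons.append("tiny")
    tail = unquote(parts.path + "?" + parts.query).lower()
    if recipient.lower() in tail:
        reasons.append("recipient-in-url")
    elif parts.query and TOKEN.search(parts.query):
        reasons.append("opaque-id")
    return reasons


def triage(raw, recipient):
    """Pick what to display and list every image the renderer must not fetch."""
    msg = message_from_string(raw, policy=policy.default)
    plain_part = msg.get_body(preferencelist=("plain",))
    html_part = msg.get_body(preferencelist=("html",))
    blocked = []
    if html_part is not None:
        collector = ImgCollector()
        collector.feed(html_part.get_content())
        for src, width, height in collector.images:
            reasons = classify(src, width, height, recipient)
            if reasons:
                blocked.append((src, reasons))
    display = "plain" if plain_part is not None else "html, remote images blocked"
    return {"display": display, "remote_images": blocked}


if __name__ == "__main__":
    result = triage(SAMPLE, "joeblow@example.net")
    print("display:", result["display"])
    for src, reasons in result["remote_images"]:
        print(", ".join(reasons), "->", src)
```

The size and token checks only rank what is reported; the privacy property comes from refusing every remote fetch, since a full-size logo with a per-recipient query string reports an open just as well as a 1x1 GIF.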
Normally, the "tag" (informative|offtopic|flamebait|etc) is set to whatever the last moderator modded the comment. However, Overrated and Underrated do not change the tag. What may have happened in this case is that Klerck posted his crap at 1, somebody gave it +1, Informative, then three different moderators gave it Overrated.
Why overrated and not Flamebait, Troll, or Offtopic? Because the moderators are all cowards, and we don't want to lose karma in meta-moderation to some rogue meta-moderator. Moderation, meta-moderation, etc, only work if the majority of users are not trolls. Unfortunately, they are mostly trolls on Slashdot...
Wow, which API call tells viruses if the user is an idiot? As far as I know, that was the Love Bug's only significant system requirement.
:-)
Easy, you just check to see if they're running Windows.
(That was a requirement for the virus, so this isn't totally flamebait...)
They should moderate you way, way up!
The lame brained windows users who are warned and still allow everything to autoload, condemn themselves. However, I like the idea of being able to protect myself. I don't care what the spammers do with the sheep. There'll always be sheep.
========================
63,000 bugs in the code, 63,000 bugs,
ya get 1 whacked with a service pack,
--- Grow a pair, liberals... stop letting the Republicans bully you!
Won.Net IMG SRC="http://adforce.imgis.com/?adserv|39|163366|1|149|ADFORCE" name="NL-NGA.June6" BORDER=0 HEIGHT=2 WIDTH=2 NATURALSIZEFLAG=0 ALIGN=BOTTOM ALT="Click Here"
Among many other embedded images at system generated URLs (but all have a similar ID string [http://tako.sierra.com/wrclick?v&CoreNewsletterHeader&ID=fPb8itB1P3Hupellk.vjI])
HomeGain.com img src="http://click.homegain.com/kc1231313040.1001.0.-3.http%3A%2F%2Fus.yimg.com%2Fi%2Fmy%2Ftop7.gif" WIDTH="1" HEIGHT="1"
Barnes & Noble img src="http://www.ensuredmail.com/mbna/ctr.asp?e=YEUH"
Buy.Com IMG SRC="http://enews.buy.com/cgi-bin5/flosensing?y=Cur0SYfw07xC"
WestWood Studios img width="1" height="1" src="http://www.m0.net/m/logopen02.asp?vid=676&catid=2055603275&ecid=0" alt=" "
PriceLine.Com img width="1" height="1" src="http://www.m0.net/m/logopen02.asp?vid=644&catid=2104304093&ecid=1297" alt=" "
Network Solutions (even had my email address embedded in the image URL)
img src="http://graphics.e-dialog.com/graphics/myemail@address.com|||977185002&&>ld_1_001208_networksolutions_DETECT"
They seem to embed them between the closing BODY tag and the closing HTML tag in most cases.
Kind of scary. I think I'm going to stop using Outlook... *shiver*
(not to say *all* of these are web bugs, but they were suspicious)
Yes, but the spammers get a distinct advantage from the unique url, if you click it and or load an invisible image they can track it to your actual email address. If it is not unique, they may be able to get ip address, os, browser info, etc. but can't link it to your email address as there are thousands of people hitting that non-unique url. With a unique url tied in their databases to your email, they know for sure if you viewed the email and can also link the other info gathered (ip, browser, os) to your email address. Kinda scary.
that these webbug things are nothing compared to what is coming.
Spammers will pay big money to backbone providers and then they will be given the right to spam as they please. Of course blasting the backbone provider would be like pounding on your spinal cord out of spite.
I also predict there will be an explosion of free ISPs. If the figures concerning profits from data profiling aren't as exaggerated as I think they are, the free ISPs will make good money from feeding customers to these spammers. They may very well push a few normal dialups out. Mix in a TOS which says you WILL not circumvent data profiling activity in the free ISP connect software, add a dash of DMCA, and you are no longer watching your monitor, it is watching you.
The more likely scenario is the big fish ISPs will mutate into a gruesome hybrid of highly reduced priced unlimited service plans, with the TOS requiring you submit unconditionally to the data profiling behavior in their software.
Need I suggest what horrors await if the free DSL thing takes off? Simply put the data profiling will be even faster and more efficient and more transparent.
Like I said, the web bug thing is nothing. They can do far worse to you with a lower priced service with a diabolical TOS and proprietary DMCA-protected ISP connect protocol software (pppoe-freeDSL-8.0.dll, anyone?).
Only the small time spammers will be still using web bugs after that.
========================
63,000 bugs in the code, 63,000 bugs,
ya get 1 whacked with a service pack,
--- Grow a pair, liberals... stop letting the Republicans bully you!
Web bugs are real and easily spread for some purposes. I received a chain email that had a funny story about winter. I am forced to use MS outlook, and even in the preview window, the email appeared with all its cute animated gifs. All the gifs were off a remote server. So whoever runs that server has a hit log of everyone this chain letter went to.
Talk about power. Instead of a virus, it's a way to find out the architecture of people's networks. Sure, lots will be blocked by firewalls, but lots won't. There's also the potential to load large images (500k) off a target website. If the email spreads fast enough, it will be a distributed DOS.
I can't even begin to describe how much the [this] story irritates me - yes, there's truth to it. But it's more then [than] just simple Hemos bugs - it's any sort of spelling or grammatical error. Take out the scare portion of the article, and just use the bottom line -- a broken metaphor is worth two in the bushes. Now where *is* that darned bottom line, anyway?
...you could create a unique URL for each spam.
well you could, but that would defeat the main benefit spammers utilise, which is the ability to send a single body with multiple (ie. hundreds if not millions) of RCPT TO addresses.
the current methodology makes the relay do all the work by making it contact all the smtp hosts of the people being spammed. by adding a unique web bug (and hence a unique body) for each receiver you would create an immense amount of load on the spammer's own system and network connection.
just my 2 cents
marty
"I can't buy what I want because it's free. Can't be what they want because I'm me." -Corduroy, Pearl Jam
I read the author's name as "Jeff Hantavirus." I almost passed over the story, when the name startled me and I had to go back and read more carefully.
I'm sure this amuses only me. Oh, well.
--
--
Don't like it? Respond with words, not karma.
(the KDE browser) is that it often shows web bugs (like the one at the top of every slashdot page ...)
the worst ones are the pages that have a bit of html in them like this:
<img src="http://we.spam.you/php-script/fean-reads-his-email.jpg">
so all they have is a PHP script sitting there, recording who reads the emails.... it's impossible to stop on web based email systems....
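The tracking image this comment describes only works if the mail renderer fetches remote content on display. An added example, not part of the original thread: a Python standard-library filter that strips auto-loading remote references from an HTML body before rendering and reports them, with an optional list of hosts the user has approved. The names `remote_host`, `RemoteContentBlocker`, `render_safely` and the sample message are constructed for illustration.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# (tag, attribute) pairs a renderer fetches on display, without any click.
AUTO_FETCH = {("img", "src"), ("input", "src"), ("iframe", "src"),
              ("embed", "src"), ("script", "src"), ("link", "href"),
              ("body", "background"), ("td", "background")}

def remote_host(url):
    """Host a URL would contact, or None for cid:, data: and relative URLs."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return "<unparseable>"  # fail closed on malformed URLs
    if parts.scheme.lower() in ("http", "https", "ftp") or parts.netloc:
        return parts.hostname or "<unparseable>"
    return None

class RemoteContentBlocker(HTMLParser):
    def __init__(self, allowed_hosts=()):
        super().__init__(convert_charrefs=False)
        self.allowed = set(allowed_hosts)  # hosts the user chose to load
        self.out, self.blocked = [], []

    def handle_starttag(self, tag, attrs):
        kept = [tag]
        for name, value in attrs:
            host = remote_host(value) if (tag, name) in AUTO_FETCH and value else None
            if host and host not in self.allowed:
                self.blocked.append((tag, value))  # dropped and reported
            else:
                kept.append(name if value is None else f'{name}="{html.escape(value)}"')
        self.out.append("<" + " ".join(kept) + ">")
    handle_startendtag = handle_starttag  # "<img ... />" is emitted as "<img ...>"
    def handle_endtag(self, tag): self.out.append(f"</{tag}>")
    def handle_data(self, data): self.out.append(data)
    def handle_entityref(self, name): self.out.append(f"&{name};")
    def handle_charref(self, name): self.out.append(f"&#{name};")

def render_safely(body, allowed_hosts=()):
    """Return (sanitized_html, [(tag, blocked_url), ...])."""
    parser = RemoteContentBlocker(allowed_hosts)
    parser.feed(body)
    parser.close()
    return "".join(parser.out), parser.blocked

# Constructed sample: a per-recipient tracking image, an inline attachment, a link.
SAMPLE = ('<p>Winter story</p><img src="http://tracker.example/open.php?id=rcpt-0001" '
          'width="1" height="1"><img src="cid:snowman@local" alt="snowman">'
          '<a href="http://news.example/story">read more</a>')
```

Ordinary links are kept because they need a click; inline `style` attributes with `url(...)` and `srcset` also trigger fetches and are not handled by this filter.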
Frankly, the semantic + markup concept gets a lot of lip service from all corners of the world, but in practice I have yet to see a system that is both "correct" and actually used in the correct way.
HTML was designed from day 1 just as you described, and what do we see? People spending days and days writing convoluted code to get the formatting "just right."[1] This is especially true when you are presenting something with no content[2]. Too many people are control freaks as well, there is no way they are ever going to let someone else see the presentation when they could have just any font, point size, or color selected (just to name a few). These people shudder at the idea of a web browser without the FONT tag, or those people who click "override document fonts". There is no way they are going to let their formatting be dictated by the reader!
Maybe it's a good thing to make these people let go of their control issues, but in reality anything that tries is either not going to catch on, or is going to be mutilated into something else (HTML).
[1] At least on Windows with IE
[2] 75% of all web pages, and 100% of all flash presentations
I read the internet for the articles.
So by the same token, people should be allowed to drive automobiles even if they don't know how to drive them? Or they should be allowed to use the telephone if they don't know basic telephone safety (like don't give your address etc etc out to strangers and all the other things you learned as a kid).
My point is that computers attached to the internet are not just "toys" but they are serious pieces of electronic equipment. Equipment that most people trust their financial records and other aspects of their personal life to. At least software should go with conservative defaults for the uneducated. The people who do know what they are doing know how to change the defaults.
It would be fairly trivial to have a bug or worm that gets into a system via a bug in Outlook (or more often than not an education problem, like files named pr0n.jpg.exe etc..) and then phones home with all of the goodies to some random webserver in siberia. Oh and it installed a nice backdoor or something.
People just need to be educated about the risks, like with the box tossing up a message about loading remote images saying that "Loading images from remote servers that are received via email can be considered a privacy threat, if you know that you will not have this problem, click ok, otherwise the safe choice is no".
I'm sick of people trying to candy coat things and saying that it's completely safe to have your computer on the internet, because we all damn well know it is a risk.
because fox is shutting down some of its web sites... fuckedcompany.com reported fox.com and foxsports.com are going down...
--
Peace,
Lord Omlette
ICQ# 77863057
[o]_O
unix based email software (XFmail, Pine, Balsa), none of which yet render HTML or activeX & java/script.
This'll work for now.
========================
63,000 bugs in the code, 63,000 bugs,
ya get 1 whacked with a service pack,
--- Grow a pair, liberals... stop letting the Republicans bully you!
So next time mike28345@msn.com sends me an email about 'hot wet sex' I can't click on the link??? But I trusted mike28345 so much before this.
--aiee