Slashdot Mirror
Stopping "PattyMail" Email Bugs
An anonymous reader writes, "In the U.S. Congressional Inquiry into the HP spy scandal, it was revealed that HP used Web bugs to track the source of leaks. HP's Fred Adler considers them a useful investigative tool which HP will keep using. Since dubbed PattyMail after HP Chairwoman Patricia Dunn, Web bugs have been around for a while. But it turns out the vulnerability they represent is far worse than first thought. Microsoft Outlook won't have a patch until 2007. The company at the center of the scandal claims they've done nothing wrong. But could repressive governments use them to track down critics? Can anything be done to stop Web bugs?"
Can anything be done to stop Web bugs?"
Um, how about not reading email in HTML? Even LookOut!, er, Outlook you can set to convert mail to plain text.
-- Alastair
Outlook is doing exactly what it needs to do, blocking download of images. If it lacks the specialization of countering these "bugs" that's too bad for corporate sleuths and leakers, but it does not expose the user to anything, this is not a vulnerability and the "patch" mentioned will simply give you an additional option regarding image handling. I wouldn't think the "let me forward this mail with the secret tracking device turned off" functionality was high on Microsoft's feature list when they released OLK2003.
This is a perfect opportunity for the often decried personal firewalls: Add a rule to allow the mail client to connect to the mailserver on the POP3 and SMTP ports (or IMAP port) and deny all other connections. Even if you use a client which can't be configured not to load external files, the firewall will stop the webbugs.
I don't think so. Please explain how your proposal would prevent the sender from detecting the user reading the mail in the following image tag, where the final part of the URL path is a uniquifier:
Hey, Windows users, there is no such thing as "forward" slash, there is only slash and backslash.