[ale] Spam and HTML email

Dow Hurst dhurst at kennesaw.edu
Mon Jan 5 11:38:29 EST 2004


Thanks Geof!  That is what I thought.  It's been a while since I've read 
about images in email.  So, only attached images for business purposes 
should be allowed.  Those should be checked to verify they are images 
and not viruses.  No URL embedded links to images ought to be allowed 
since that is basically the same attack.  Can an embedded URL link to a 
javascript that would display the image but hold open a control 
connection or data connection?  That would imply that the email client 
had javascript enabled in Mail.
Dow


Geoffrey wrote:

> Dow Hurst wrote:
>
>> I'd like to hear the security experts chime in on this. I've 
>> encouraged users to disable images in Mail and Newsgroups in Mozilla, 
>> which is our default email app. However, what you're doing prevents 
>> even Outlook users from getting whanged. I thought that images were 
>> able to contain embedded information or even javascripts now. Is this 
>> true? What are the current and coming threats from allowing embedded 
>> URLs? To me it seems that inherently it is a bad idea to allow this 
>> no matter how much people want to violate a practical security policy!
>
>
> You can certainly validate an email address by embedding a link to a 
> unique image in a message if the mail tool displays images.  Simply 
> create a 1x1 pixel white image and name it to be unique, as:
>
> esotericAT3times25.net.png
>
> And then send it to me.  If my browser opens the image, there'll be a 
> record of such in the web server that's serving the image.
>

-- 
__________________________________________________________
Dow Hurst                  Office: 770-499-3428            *
Systems Support Specialist    Fax: 770-423-6744            *
1000 Chastain Rd. Bldg. 12                                 *
Chemistry Department SC428  Email:   dhurst at kennesaw.edu   *
Kennesaw State University         Dow.Hurst at mindspring.com *
Kennesaw, GA 30144                                         *
************************************************************
This message (including any attachments) contains          *
confidential information intended for a specific individual*
and purpose, and is protected by law.  If you are not the  *
intended recipient, you should delete this message and are *
hereby notified that any disclosure, copying, distribution *
of this message, or the taking of any action based on it,  *
is strictly prohibited.                                    *
************************************************************
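
An added example, not part of either poster's message: a Python check for the policy discussed in this thread, flagging remote image or script URLs in the HTML part (the uniquely named image that leaves a record on the sender's web server) and image attachments whose leading bytes do not match their declared type. The `audit` function, the `MAGIC` table, and the sample message with its `tracker.example` URLs are constructed for illustration; a header check confirms only the file signature, not that the rest of the file is harmless.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
from html.parser import HTMLParser
# Leading bytes of the image types this (hypothetical) policy accepts.
MAGIC = {"image/png": b"\x89PNG\r\n\x1a\n", "image/gif": b"GIF8",
         "image/jpeg": b"\xff\xd8\xff"}

class RemoteRefFinder(HTMLParser):
    """Collect URLs a mail client would fetch on display, and count scripts."""
    def __init__(self):
        super().__init__()
        self.remote, self.scripts = [], 0
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.scripts += 1
        for name, value in attrs:
            url = (value or "").strip().lower()
            if name in ("src", "background") and url.startswith(
                    ("http://", "https://", "//")):
                self.remote.append(value.strip())

def audit(raw):
    """Return remote references, script count and mislabeled image parts."""
    msg = message_from_bytes(raw, policy=policy.default)
    finder, bad_images = RemoteRefFinder(), []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/html":
            finder.feed(part.get_content())
        elif part.get_content_maintype() == "image":
            data = part.get_payload(decode=True) or b""
            magic = MAGIC.get(ctype)
            if magic is None or not data.startswith(magic):
                bad_images.append(part.get_filename() or ctype)
    return {"remote": finder.remote, "scripts": finder.scripts,
            "bad_images": bad_images}

def sample_message():
    """Constructed sample: web bug, remote script, real PNG header, fake PNG."""
    m = EmailMessage()
    m.set_content("plain text part")
    m.add_alternative(
        '<html><body><img src="http://tracker.example/u123.png" width="1">'
        '<img src="cid:logo"><script src="http://tracker.example/x.js">'
        '</script></body></html>', subtype="html")
    m.add_attachment(MAGIC["image/png"] + b"\x00" * 8, maintype="image",
                     subtype="png", filename="logo.png")
    m.add_attachment(b"MZ\x90\x00not-an-image", maintype="image",
                     subtype="png", filename="photo.png")
    return m.as_bytes()
```

The `cid:logo` reference points at an attached part and triggers no network fetch, so it is not reported; only the two `http://` URLs are.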



