[Dshield] RE: HTML email and spam tracking

Rich Kittell richard at quarky.org
Mon Mar 11 01:23:50 GMT 2002


Hi Folks,

Using Outlook, if you have per-process control over TCP network access such as ZoneAlarm Pro you can easily prevent HTML e-mail msgs from activating web bugs or loading any content not contained within the message. You take advantage of the Windows Messaging program architecture, in which all POP and SMTP access is done by the "Messaging Subsystem Spooler" (MAPISP32.EXE). That is the only component that actually needs to get out on the Net, and only to ports 53, 25 and 110. MAPI clients such as Outlook send and receive e-mail by accessing the spooler's Outbox and Inbox via Windows inter-process communication (shared sections), not IP. 

The Outlook.exe client process interprets HTML using the shared browser engine, so if Outlook.exe can't get to the Net you may limit its mischief potential without impacting its messaging capability.

In ZA's program settings, configure Outlook.exe as you prefer to keep it from connecting to Web servers. I block all network access for it; others may prefer to block ports 80, 8080, and whatever https uses, 443? Someone hosting an ad-blocker HTTP proxy, as Kerry mentioned using Guidescope, would want to block Outlook.exe's access to the local proxy port.

Note well: HTML e-mail messages will still render all embedded content, so malicious content will remain malicious - this technique has no impact on that unless the malicious content needs to phone home. But no one will know when you read the message, and all the graphics, Flash presentations and other cruft included via URLs just won't happen.

You can still click on a hyperlink in a message; Outlook passes the URL to the default browser, so limiting Outlook's net access doesn't affect that. If there's an e-mail message that I decide I want to see in all its glory I Save As to an .htm file in my Temp folder and open that in the browser. To see a message that I'm suspicious of, I View Source it and scan the HTML for nasties - if okay I save to .htm from the HTML editor and open it in the browser.

Richard
............................................................................
All are lunatics, but he who can analyze his delusion is called a
philosopher. -Ambrose Bierce, writer (1842-1914)
 

> -----Original Message-----
> From: list-admin at dshield.org [mailto:list-admin at dshield.org] On Behalf Of Kerry Nice
> Sent: Sunday, March 10, 2002 10:42 AM
> To: list at dshield.org
> Subject: Re: [Dshield] Getting Even
> 
> 
> Change your proxy settings in IE.  If you set it to something like 
> localhost:9999 before you read the things you don't want rendered, 
> nothing that isn't already on your computer is going to be displayed. 
> So, webbugs and things like that are useless.
> 
> I realized that using the Juno client.  It uses the IE settings for the
> internet and it oh so helpfully displays any html content with no way to
> disable it and since everything I get at this address is spam, I didn't
> want that.
> 
> An even easier way is I use Guidescope to block ads, so my proxy is 
> already set to localhost:8000.  I just shut down Guidescope while I'm 
> reading those things and restart it when I'm done.
> 
> Kerry.
> 
> Jeff Miller wrote:
> > I only know of a manual method.  Use ZoneAlarm to "lock" the internet before
> > opening the message.  Not very elegant, but useful in times of doubt.
> > 
> 
> _______________________________________________
> Dshield mailing list
> Dshield at dshield.org
> To change your subscription options (or unsubscribe), see: 
> http://www.dshield.org/mailman/listinfo/list
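
The manual "View Source and scan the HTML" check described in this thread can be partly automated. The script below is an added example, not part of the original messages: it lists the references an HTML renderer would fetch without a click and skips `cid:` parts and hyperlinks. The attribute list, the function names and the sample message are assumptions made for the illustration.

```python
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed (not exhaustive) list of attributes a renderer fetches with no click.
AUTO_LOAD = {"img": "src", "iframe": "src", "frame": "src", "script": "src",
             "embed": "src", "object": "data", "link": "href",
             "body": "background", "table": "background", "td": "background"}

class _Scanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        url = (a.get(AUTO_LOAD.get(tag, "")) or "").strip()
        parts = urlsplit(url)
        remote = parts.scheme.lower() in ("http", "https") or (not parts.scheme and parts.netloc)
        if not remote:
            return  # cid:, data: and relative references stay inside the message
        tiny = tag == "img" and a.get("width") in ("0", "1") and a.get("height") in ("0", "1")
        self.findings.append((tag, url, "likely web bug" if tiny else "remote content"))

def scan_message(raw):
    """Return (tag, url, note) for every auto-loading remote reference in HTML parts."""
    findings = []
    for part in message_from_string(raw, policy=policy.default).walk():
        if part.get_content_type() == "text/html":
            scanner = _Scanner()
            scanner.feed(part.get_content())
            scanner.close()
            findings.extend(scanner.findings)
    return findings

# Constructed sample message (all hosts are placeholders).
SAMPLE = """\
From: sender@example.com
Subject: constructed sample
Content-Type: text/html; charset="us-ascii"

<html><body background="cid:bg1">
<img src="http://tracker.example/open.gif?id=reader" width="1" height="1">
<img src="cid:logo1">
<img src="http://images.example/banner.jpg" width="468" height="60">
<a href="http://shop.example/offer">Click here</a></body></html>
"""

if __name__ == "__main__":
    print(*scan_message(SAMPLE), sep="\n")
```

An empty result means the message loads nothing from the network on display; it says nothing about whether the embedded content itself is safe.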



