[Dshield] Re: A few followup points
iain at caradoc.org
Wed Mar 20 20:33:56 GMT 2002
* Susan <pobox2 at pinn.net> [020320 13:22]:
> However the problem still remains, what's coming in via email that
> causes the machine to try to connect out to unknown addresses? And that
> still leaves me with an unanswered question about what's being shipped
> out... passwords? MAC addresses? home net IPs? available
> software/ports/useraccounts? Sure they may be interested in the mail but
> if they can manage a connection at all then they can manage the rest I
> am real sure having just a bit of info to start with. One little
> unnoticed shellscript download can open a major hole.
Any e-mail application that attempts to interpret HTML and display images can be used to track readers via a "web bug".
Essentially, when you open and view the e-mail, it refers to an image stored on a remote webserver, and your e-mail application loads that image for you. So, if the sender has a whole directory or five filled with individually named unique files, they can tell who's actually opened and read the e-mail in some cases by checking the webserver logs.
I suspect that the port 80 outbound traffic that you're seeing is embedded information sourced from a remote webserver. Can you sniff the traffic and see exactly what's happening?
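A defender-side check for the web bugs described above, as an added example that is not code from the original post: it parses an HTML message body, keeps only images fetched from a remote webserver, and flags those that are invisible or carry what looks like a per-reader identifier. The heuristics, hostnames and sample message are constructed for illustration.

```python
"""Added example: flag remote-image "web bugs" in an HTML e-mail body.
Heuristics and the sample message below are constructed for illustration."""
from html.parser import HTMLParser
from urllib.parse import urlparse


class RemoteImageFinder(HTMLParser):
    """Collect the attributes of every <img> whose src is fetched over HTTP(S)."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = {k: (v or "") for k, v in attrs}
        # cid:/data: images are local to the message; only a remote fetch reveals a read
        if urlparse(a.get("src", "")).scheme in ("http", "https"):
            self.images.append(a)


def is_web_bug(attrs):
    """Flag an image that is invisible, or whose URL carries a per-reader identifier."""
    tiny = (attrs.get("width", "").strip() in ("0", "1")
            and attrs.get("height", "").strip() in ("0", "1"))
    hidden = "display:none" in attrs.get("style", "").replace(" ", "").lower()
    url = urlparse(attrs["src"])
    stem = url.path.rsplit("/", 1)[-1].split(".")[0]
    opaque_name = len(stem) >= 16 and stem.isalnum()  # e.g. a1b2c3d4e5f60718.gif
    return tiny or hidden or opaque_name or bool(url.query)


def find_web_bugs(html):
    """Return the src URLs in `html` that look like read-tracking images."""
    finder = RemoteImageFinder()
    finder.feed(html)
    return [a["src"] for a in finder.images if is_web_bug(a)]


# Constructed sample message: one real logo, one tracking pixel, one inline attachment.
SAMPLE_MAIL = """<html><body>
<p>Hello Susan,</p>
<img src="https://mail.example.test/logo.png" width="120" height="40">
<img src="https://track.example.test/pixel/a1b2c3d4e5f60718.gif" width="1" height="1">
<img src="cid:inline-part-1">
</body></html>"""

if __name__ == "__main__":
    for src in find_web_bugs(SAMPLE_MAIL):
        print("web bug:", src)
```

Blocking remote image loads in the mail client, or running a filter like this before rendering, stops the outbound port 80 fetch that reveals the read.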