[Dshield] Re: A few followup points

John Groseclose iain at caradoc.org
Wed Mar 20 20:33:56 GMT 2002

* Susan <pobox2 at pinn.net> [020320 13:22]:

> However the problem still remains, what's coming in via email that 
> causes the machine to try to connect out to unknown addresses? And that 
> still leaves me with an unanswered question about what's being shipped 
> out... passwords? Mac addresses? home net ip's? available 
> software/ports/useraccounts? Sure they may be interested in the mail but 
> if they can manage a connection at all then they can manage the rest I 
> am real sure having just a bit of info to start with. One little 
> unnoticed shellscript download can open a major hole.

Any e-mail application that attempts to interpret HTML and display images can be used to track readers via a "web bug".

Essentially, when you open and view the e-mail, it refers to an image stored on a remote webserver, and your e-mail application loads that image for you. So, if the sender has a whole directory or five filled with individually named unique files, they can tell who's actually opened and read the e-mail in some cases by checking the webserver logs.

I suspect that the port 80 outbound traffic that you're seeing is embedded information sourced from a remote webserver. Can you sniff the traffic and see exactly what's happening?
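As an added illustration of the web-bug mechanism described above (not code from the list post or its author): a small Python checker that parses a constructed HTML mail and lists the remote images a rendering client would fetch, the web servers it would contact, and the 1x1 images that look like tracking pixels. The message, host names and token are all made up for the example.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not from the list post): an HTML mail that
# embeds a 1x1 remote image whose path carries a per-recipient token.
SAMPLE_EML = """From: sender@example.net
To: reader@example.org
Subject: newsletter
MIME-Version: 1.0
Content-Type: text/html; charset=us-ascii

<html><body>
<p>Hello!</p>
<img src="cid:logo" alt="logo">
<img src="http://tracker.example.net/img/a8f3c2e1b9d4.gif" width="1" height="1">
<img src="https://cdn.example.net/banner.png">
</body></html>
"""

class _ImgCollector(HTMLParser):
    """Collect the attributes of every <img> tag in the HTML body."""
    def __init__(self):
        super().__init__()
        self.images = []
    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            self.images.append({k.lower(): v for k, v in attrs if v is not None})

def remote_images(raw_eml):
    """Remote (http/https) images the client would fetch when the mail is
    rendered: the candidate web bugs. cid:/data: images are carried inside
    the message and cause no outbound connection, so they are skipped."""
    msg = email.message_from_string(raw_eml, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return []
    parser = _ImgCollector()
    parser.feed(body.get_content())
    return [img for img in parser.images
            if urlparse(img.get("src", "")).scheme in ("http", "https")]

def hosts_contacted(raw_eml):
    """Distinct web servers the client would connect to (the port 80/443
    destinations a packet sniffer would show at the moment the mail is opened)."""
    return sorted({urlparse(img["src"]).hostname for img in remote_images(raw_eml)})

def likely_web_bugs(raw_eml):
    """Remote images declared 1x1 pixel: invisible to the reader, so their
    only purpose is to make the client fetch a URL tied to this recipient."""
    return [img["src"] for img in remote_images(raw_eml)
            if img.get("width") == "1" and img.get("height") == "1"]
```

Running the same functions over a real message from the mail spool shows which hosts the outbound port 80 traffic would go to before any sniffing is needed.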

