[Dshield] Increase in email address validation scheme

Jon R. Kibler Jon.Kibler at aset.com
Tue Mar 15 16:10:18 GMT 2005

Greetings all,

In recent days we have seen a substantial increase in an old email address validation scheme. The 
scheme works by inserting a URL into an html email, where the URL references a 1x1 transparent GIF 
file. The URL is unique to each email address -- often being "BASE-64-ENCODED-EMAIL-ADDRESS.gif" -- 
thus, ANY reference to the URL indicates that the email address is valid, and the spammer now knows 
that email sent to that address will get through spam filters and be received by a real person.

Implications? If you use Outlook/Outlook Express with "Preview" enabled and simply move your mouse 
over the email, or in any email client you open the email to delete it, you have 'phoned home' to 
indicate that your email address is valid.

Workarounds? In email clients that can read email "off-line", go off-line before viewing/deleting 
any email. For email clients that do not have an off-line mode, turn off any preview capabilities 
and don't open any email that looks suspect -- just delete all suspect emails. Better yet, simply 
configure your mail server to reject all HTML emails. Alternatively, have your mail server mangle all 
URL references and potentially active content in an email to deactivate the content/reference.
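The two tells the post describes (a file name that is the base64-encoded recipient address, and a 1x1 image) and the "mangle all URL references" workaround, written up as a gateway-side check. This is an added example, not code from the original post; the host names and the address are constructed placeholders.

```python
import base64
import re
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

IMG_TAG_RE = re.compile(r"<img\b[^>]*>", re.IGNORECASE)
SRC_RE = re.compile(r'\bsrc\s*=\s*["\']?(https?://[^"\'\s>]+)', re.IGNORECASE)

def decodes_to_address(segment: str) -> Optional[str]:
    """Return the address if the file name (minus extension) is base64 of one, else None."""
    name = segment.rsplit(".", 1)[0]                    # "X.gif" -> "X"
    name = name.translate(str.maketrans("-_", "+/"))   # accept URL-safe base64 too
    name += "=" * (-len(name) % 4)                      # tolerate stripped padding
    try:
        text = base64.b64decode(name, validate=True).decode("ascii")
    except ValueError:                                  # binascii.Error and bad UTF-8/ASCII
        return None
    return text if re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", text) else None

def is_beacon(url: str, tag: str) -> bool:
    """Beacon heuristics from the post: address-encoding file name, or a 1x1 image."""
    last_segment = urlsplit(url).path.rsplit("/", 1)[-1]   # assumes the name is the last path part
    if decodes_to_address(last_segment):
        return True
    dims = {k.lower(): int(v) for k, v in
            re.findall(r'\b(width|height)\s*=\s*["\']?(\d+)', tag, re.IGNORECASE)}
    return dims.get("width") == 1 and dims.get("height") == 1

def neutralize_remote_images(html: str) -> Tuple[str, List[str]]:
    """Defang every remote <img src> (the gateway 'mangle' workaround); return flagged beacon URLs."""
    flagged: List[str] = []
    def rewrite(m):
        tag = m.group(0)
        src = SRC_RE.search(tag)
        if not src:
            return tag                                  # inline (data:) or relative image, no fetch
        url = src.group(1)
        if is_beacon(url, tag):
            flagged.append(url)
        # Replacing the scheme stops the fetch while keeping the URL readable for analysis.
        return tag.replace(url, "defanged://" + url.split("://", 1)[1], 1)
    return IMG_TAG_RE.sub(rewrite, html), flagged

# Constructed sample message; the address and hosts are placeholders, not real.
SAMPLE_ADDRESS = "alice@example.com"
SAMPLE_HTML = (
    "<html><body><p>Special offer!</p>"
    f'<img src="http://tracker.invalid/img/{base64.b64encode(SAMPLE_ADDRESS.encode()).decode()}.gif" width="1" height="1">'
    '<img src="http://cdn.invalid/logo.png" alt="logo"></body></html>'
)
```

Running `neutralize_remote_images(SAMPLE_HTML)` flags the tracker URL and rewrites both images so a preview pane cannot phone home; a real gateway would apply the same pass to other remote references (stylesheets, background images) as well.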

One other word of caution: If you see this type of email originate internally within an organization, 
be EXTREMELY wary. A rogue IIS web server can be set up using a similar scheme as a way to capture 
authentication credentials. It works like this: Set up a rogue IIS web server. Create a GIF file on 
the default web site for the server's IP address and set the image file to require NTLM Authentication 
for access to the image. Send an HTML email that embeds the image file (via a URL reference) to everyone 
in the organization. Start a password sniffer that captures all authentication credentials sent to the 
server. Now, whenever anyone opens their email, their login and password hashes are sent to your web 
server. You can now run an off-line password cracker against the captured credentials. (Good thing this 
scheme won't work with foreign domains!)

Jon Kibler
Jon R. Kibler
Chief Technical Officer
A.S.E.T., Inc.
Charleston, SC  USA
(843) 849-8214

