[Dshield] Increase in email address validation scheme
Jon R. Kibler
Jon.Kibler at aset.com
Tue Mar 15 16:10:18 GMT 2005
In recent days we have seen a substantial increase in an old email address validation scheme. The
scheme works by inserting a URL into an html email, where the URL references a 1x1 transparent GIF
file. The URL is unique to each email address -- often being "BASE-64-ENCODED-EMAIL-ADDRESS.gif" --
thus, ANY reference to the URL indicates that the email address is valid, and the spammer now knows
that email sent to that address will get through spam filters and be received by a real person.
Implications? If you use Outlook/Outlook Express with "Preview" enabled and simply move your mouse
over the email, or in any email client you open the email to delete it, you have 'phoned home' to
indicate that your email address is valid.
Workarounds? In email clients that can read email "off-line", go off-line before viewing/deleting
any email. For email clients that do not have an off-line mode, turn off any preview capabilities
and don't open any email that looks suspect -- just delete all suspect emails. Better yet, simply
configure your mail server to reject all HTML emails. Alternatively, have your mail server mangle all
URL references and potentially active content in an email to deactivate the content/reference.
One other word of caution: If you see this type of email originate internally within an organization,
be EXTREMELY wary. A rogue IIS web server can be set up using a similar scheme as a way to capture
authentication credentials. It works like this: Set up a rogue IIS web server. Create a GIF file on
the default web site for the server's IP address and set the image file to require NTLM Authentication
for access to the image. Send an HTML email that embeds the image file (via a URL reference) to everyone
in the organization. Start a password sniffer that captures all authentication credentials sent to the
server. Now, whenever anyone opens their email, their login and password hashes are sent to your web
server. You can now run an off-line password cracker against the captured credentials. (Good thing this
scheme won't work with foreign domains!)
Jon R. Kibler
Chief Technical Officer
Charleston, SC USA
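The "mangle all URL references" workaround above can be implemented as a small filter on the mail server. The following Python script is an added example and is not part of the original post or of any DShield tool: it scans an HTML body for remote `<img>` references, flags the ones that look like per-recipient beacons (1x1 dimensions, or a file name that base64-decodes to an email address, the pattern the post describes), and renames every remote `src` to `data-blocked-src` so no client fetches it. The sample HTML, host names and address are constructed for illustration.

```python
"""Detect and neutralize remote tracking images ("web bugs") in HTML email.

Added example, not code from the original post. Every remote <img> is
disabled (the post's "mangle all URL references" workaround); beacon
evidence is reported separately so an operator can review it.
"""
import base64
import binascii
import re
from html.parser import HTMLParser
from typing import Optional

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
IMG_TAG_RE = re.compile(r"<img\b[^>]*>", re.IGNORECASE)


def decodes_to_email(name: str) -> Optional[str]:
    """Return the address if `name` (a URL file name, extension stripped)
    is the base64 encoding of an email address, else None."""
    stem = name.rsplit(".", 1)[0]
    padded = stem + "=" * (-len(stem) % 4)  # tolerate stripped padding
    for decoder in (base64.b64decode, base64.urlsafe_b64decode):
        try:
            text = decoder(padded).decode("ascii")
        except (binascii.Error, UnicodeDecodeError, ValueError):
            continue
        if EMAIL_RE.match(text):
            return text
    return None


class ImgCollector(HTMLParser):
    """Collects the attributes of every <img> tag fed to it."""

    def __init__(self) -> None:
        super().__init__()
        self.imgs = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser routes self-closing <img .../> here as well
        if tag.lower() == "img":
            self.imgs.append({k.lower(): (v or "") for k, v in attrs})


def parse_img_attrs(tag_html: str) -> dict:
    p = ImgCollector()
    p.feed(tag_html)
    p.close()
    return p.imgs[0] if p.imgs else {}


def classify_img(attrs: dict) -> Optional[str]:
    """Return a reason string for a remote image (why it is blocked and
    what beacon evidence it carries), or None for inline/cid images."""
    src = attrs.get("src", "")
    if not re.match(r"^https?://", src, re.IGNORECASE):
        return None  # cid:/data: images do not phone home
    reasons = []
    w, h = attrs.get("width", "").strip(), attrs.get("height", "").strip()
    if w in ("0", "1") and h in ("0", "1"):
        reasons.append("1x1 image")
    path = src.split("?", 1)[0].rstrip("/")
    addr = decodes_to_email(path.rsplit("/", 1)[-1])
    if addr:
        reasons.append(f"file name encodes address {addr}")
    return "; ".join(reasons) if reasons else "remote image"


def neutralize(html: str):
    """Return (rewritten_html, findings). Remote <img> src attributes are
    renamed to data-blocked-src; findings is a list of (src, reason)."""
    findings = []

    def fix(m):
        tag = m.group(0)
        reason = classify_img(parse_img_attrs(tag))
        if reason is None:
            return tag
        findings.append((parse_img_attrs(tag).get("src", ""), reason))
        return re.sub(r"\bsrc\s*=", "data-blocked-src=", tag,
                      count=1, flags=re.IGNORECASE)

    return IMG_TAG_RE.sub(fix, html), findings


# Constructed sample message: an inline logo, a per-recipient beacon whose
# file name is the base64 of a (made-up) address, and an ordinary banner.
BEACON_NAME = base64.b64encode(b"alice@example.org").decode() + ".gif"
SAMPLE_HTML = (
    "<html><body><p>Hello!</p>"
    '<img src="cid:logo@example" width="120" height="40">'
    f'<img src="http://tracker.example/img/{BEACON_NAME}" width="1" height="1">'
    '<img src="https://cdn.example/banner.png" width="600" height="100"/>'
    "</body></html>"
)

if __name__ == "__main__":
    cleaned, found = neutralize(SAMPLE_HTML)
    for src, why in found:
        print(f"blocked {src}: {why}")
    print(cleaned)
```

Only the two remote images are touched; the `cid:` logo is left alone. Blocking every remote image rather than only the ones that look like beacons is deliberate: a unique URL need not be base64 or 1x1, so the dimension and file-name checks serve as evidence for reporting, not as the block decision.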