Results 1 to 8 of 8
  1. #1
    Lounger
    Join Date
    May 2001
    Location
    NJ
    Posts
    25
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Unstoppable Return Receipts?

    I just received the following (from the Neat Net Tricks newsletter: NNT@silver.lyris.net). I'm curious if there's a way to block these 'automatic' HTML features in Outlook, either by config or thru VBA?

    Tx, --Chris Mackie
    ===============

    01. CONFIRM.TO. There is a little-known feature that hides an HTML tag which in turn triggers a relay system to post a read receipt to the sender. The tag is planted in Outlook Express 4.x and Netscape Messenger 4.0 or later (and possibly any email software that supports HTML message browsing). The message can be sent on any email software by placing "confirm.to" in an address such as:
    "anyuser@sample.com.confirm.to" (without the quotes).

    When addressed this way, an email relay system intercepts the mail, plants the tag in the message, and then delivers it to the recipient to which it is addressed. When the recipient displays the message online, the html tag triggers the relay system to send a read receipt to the sender. No software or download is required for this to work. The relay is performed by Postel Services. The first 30 such relays per month are free and no sign-up is required. Greater usage is available for less than 2 cents per receipt by setting up an account at their site, <A target="_blank" HREF=http://www.postel.co.kr>http://www.postel.co.kr</A> .

  2. #2
    Platinum Lounger
    Join Date
    Jan 2001
    Location
    Roanoke area, Virginia, USA
    Posts
    3,729
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: Unstoppable Return Receipts?

    the concept has been around for years, it uses a "web bug" to return the reciept. The big diff now is that before you needed a server and access to the logs - now it is emailed to you with all the data you need to be traced, including a link to whois.

    It's nothing more than what you can get manually, but it's easy for anyone to get now.

    Test it with your address and read the source (plain text is converted to html).

    ZapHTML has some vb code to strip it. It's new code and works better, so if you've looked at it before, take another look.

  3. #3
    5 Star Lounger
    Join Date
    May 2001
    Location
    Washington, USA
    Posts
    750
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: Unstoppable Return Receipts?

    Because of the theoretical but real risk of nasty script running behind HTML you might want to convert it to plain text. I wrote a COM add-in to do this when the form opens. Many of our users don't like it because they get newsletters in this format, and the conversion is ugly. (All the images and stuff show up as URLs.) But with 1,200 users, the added security is worth it.

  4. #4
    Platinum Lounger
    Join Date
    Jan 2001
    Location
    Roanoke area, Virginia, USA
    Posts
    3,729
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: Unstoppable Return Receipts?

    WYB strips the scripts and the scr's without being ugly, although it's not necessarily needed with Outlook 2000, the preview pane is secure and opened messages can be made secure using zone settings. with Outlook 2002, opened messages are secure by default and view > internet zone is needed to run them.

    for exchange server users, there are a number of server side content filters that remove scripting as well, which is safer than using com addins client side.

    don't forgot that using antivirus on autoprotect and keeping it updated is important too.

  5. #5
    Lounger
    Join Date
    May 2001
    Location
    NJ
    Posts
    25
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: Unstoppable Return Receipts?

    Thanks for the advice, Mary & Dog. I remember when this security hole was first announced, but the announcement I posted was the first *commercial* use of it that I had seen. It seems like a natural route for spammers to take, so I figured the time had come to Take Steps.

    Mary, you mention that O2k's security settings prevent this abuse. Could you say a little more about that? I've just reinspected my (O2k) security config pages, and I don't see an option that seems to fit. What in O2k prevents this, and is it enabled by default (my Internet zone is on High security)?

    Tx again, --Chris

  6. #6
    Platinum Lounger
    Join Date
    Jan 2001
    Location
    Roanoke area, Virginia, USA
    Posts
    3,729
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: Unstoppable Return Receipts?

    security only stops the scripts olddog mentioned, not this web bug.

    the commercial aspect of it has me concerned too. not so mnuch for spammers, the good ones already knew about it and use it. but now anyone can do it. it might be possible to trace people using anoymous remailers with this feature.

  7. #7
    Silver Lounger
    Join Date
    Jan 2001
    Location
    Northern, California, USA
    Posts
    1,886
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: Unstoppable Return Receipts?

    <hr>an email relay system intercepts the mail...<hr>
    that statement makes me weary of using it, but for what it's worth, Netscape Mail did not detect that a return receipt was requested...

    I guess you learn something new every day! <img src=/S/grin.gif border=0 alt=grin width=15 height=15>
    <IMG SRC=http://www.wopr.com/w3tuserpics/Kel_sig.gif>
    Moderator:<font color=448800> Pix Place, Internet Explorer</font color=448800>
    <small>www.kvisions.com

  8. #8
    Platinum Lounger
    Join Date
    Jan 2001
    Location
    Roanoke area, Virginia, USA
    Posts
    3,729
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: Unstoppable Return Receipts?

    because it's *not* an RFC read reciept.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •