Forgot your password?
typodupeerror
The Internet

Fox Says Web Bugs = Virus Risk 80

Posted by Hemos
from the stupid-journalism dept.
Bonker writes: "Fox News is printing an expose on 'Web Bugs' used in concerto with HTML-mail spam. Along with outlining the dangers and the methods that Web bugs use to gather information, CERT's Jeff Havrilla is quoted as saying that these are pretty much ripe for illegally malicious activities, such as virus propagation. Harvilla says that Web Bugs would allow malicious virus creators to 'target' systems. Scary, wot?" *sigh* I can't even begin to describe how much the story irritates me - yes, there's truth to it. But it's more then just simple Web bugs - it's any sort of URL, given that you could create a unique URL for each spam. Take out the scare portion of the article, and just use the bottom line - don't click on spam URLs.
This discussion has been archived. No new comments can be posted.

Fox Says Web Bugs == Virus Risk

Comments Filter:
  • Program the HTML renderer in a unix mail program to be able to decide (at the whim of the user) whether or not to download foreign content.

    The mail program can download and upload mail as it pleases, but the renderer itself can be told not to. That would zap web bugs.
    ========================
    63,000 bugs in the code, 63,000 bugs,
    ya get 1 whacked with a service pack,
  • How true. Especially if you're on mailing lists and getting e-mails from people who you might not know anyway, it gets real difficult to differentiate some of the spam from actual legitimate e-mail. (Of course, not including a subject line doesn't help any...)

    Some of it is really easy to tell. For instance, Amy and all of her friend who want to show me how they're working their way through college... no imagination in the subject lines. But when I get e-mails that fall in that gray area, over 50% of the time, I'm deleting spam e-mail, thanks to the wonders of AOL who seems to have sold my address to every jackass with a porn site.

    And then there's the fact that not all spam URLs are easily identifiable. Mind you, I generally do not click on a URL in an e-mail unless it comes from someone I know and I can actually verify that they sent it. But with the numerous ways to re-direct URLs, what looks innocuous isn't always the case.

    Of course, the harsh solution is to first kill all the spammers. Harsh to spammers at least.

    Kierthos
  • While these bugs aren't very effective against those of us who use pine, mutt, etc., they set a dangerous precedent. If users tolerate applications retrieving untrusted data from the net without notification or permission, we could see even worse abuses like this in the future.

    HTML-savvy email clients should have a configuration option that allows the user to disable fetching any off-site data - e.g., any IMG tags that are not embedded in the message, just as we can disable cookies that are sent to a different host in our web client.

  • Okay, why is everyone up in arms about this? First, this story originated from - say it with me - the popular media. Of course they're gonna mess it up, thats what they've been doing the entire time. Second, this is FOX News we're talking about here. The same network that brought you "Who Wants to Marry a Multimillionaire" and soon, "Temptation Island."

    They are media sluts, willing to do anything for people to watch them almost to the point of being a soft-core porn network at times. Here in northern Va they're known for always opening with a murder or other scary story, and also for commercials like "Billy Bass boasts record sales! But what does it teach our children? Find out the horrible reality tonight on Fox News at six!"

    Don't take them seriously, or any popular media seriously for that matter.

  • ..but this has given me a nasty (read: worrying) idea:

    What if a combination macro-virus-writer/spammer coded up another new exciting outlook-exploiting virus, that contained a web-bug that had a URL like "http://www.nastycheaphosting.com/~luser/bug.asp/u nluckyoutlookuser@microsoft.com/1x1.gif" ? Before their account was shut down, they could end up with quite a nice little list of email addresses to send spam to...


    --
  • by jridley (9305)
    Well, as far as privacy goes, there you don't have to "fall for" web bugs. If you are set to view HTML mail with graphics, and you display the message, they've got you. That's because it goes to the server to get that GIF that's in the HTML, giving a unique URL, and the server says "Ahh, I see from the URL that joeblow@anycomp.com got the email!" and issues a 1x1 pixel transparent gif.
    The only way to not "fall for it" is to not display HTML mail. Either that or the reader could not display outside embedded stuff.
  • All Web pages collect this type of information. What makes this so special -- just because it is through email?

    Give me a break.
    --
  • Didn't there used to be a link on the windoze desktop with a "Click here and see a Text-Only Version of the Desktop?"

    More to the point, tho...

    All of you act like you're not part of the ubermind that knows everything about everyone already (courtesy of the non-local cosmic consciousness junction). The marketers are a part of you people. You have no need to hide from yourselves, do you? Let yourself slip into The Profile.
  • Wow, which API call tells viruses if the user is an idiot? As far as I know, that was the Love Bug's only significant system requirement.

    How about an email with a flash file attacment.

    while its running, it sends a message to your server telling you the email address of the person stupid enough to launch the attachment.

    The next wave of emaiil you send out only to those addresses, and attach the virus instead

    OR, instead just sell your database ov stupid users

    certainly very evil possibilites exist here

  • That's because they were paid by advertisers. With spam, nobody is paid to carry the ad, thus nothing is funded by the advertiser.

    Its actually worse then that. Spammers use the resources of others (bandwidth, storage space) at no cost to themselves. They actually force the cost of their "advertising" on the users who never requested this junk in the first place. This is the exact opposite of the model used in printed media today, and is what makes spam so undesirable for a consumer and so appealing for a marketer.


    --
  • Are you an idiot? That's a page counter, not a web bug. The difference is that you choose to access slashdot, whereas in the case of a web bug, you are secretly forced to visit someone's site through an unsolicited e-mail.
  • Your rhetoric seems a bit inflammatory - the worst case scenario here is that a spammer becomes aware that you have opened their e-mail (assuming you are online when you read it). What you describe as automatically executing code from a remote, untrusted source sounds scary, but it's just javascript! With the exception of the scriptlet/eyedog [microsoft.com] bug in IE5, javascript is pretty much harmless. So don't worry about it - report the spammer to Spam Cop [spamcop.org], create a filter for your e-mail client or just delete, delete, delete.
  • i.e. any form of "enchanced" text for email should have been designed to be easily readable on something which didn't render it.

    Thus, the WINMAIL.DAT. Oh yeah, we don't like that either....

    In reality, pretty much every Text/HTML MIME part comes with an accompanying Text/Plain part, which is the two sizes fits all solution. Problem is, there is no way to tell Netscape/Outlook/etc to display the text part instead of the HTML part.
  • Using content-based markup is a great idea, but someone would need to create have a standard list of CSS classes so that different clients can interoperate. (Things like '.message', '.reply', '.forward', 'quote', etc.) And then, you'd probably also need standard HTML presentation tags for back-compatibility.
  • Perdida writes: >Radio shows were sponsored by advertisers and all of their content was, in that sense, a form of spam. I don't see how you could be more wrong. Email spam, by definition, is an ad in a medium that isn't supported by ad revenue. The spam ad uses resources that the spammer did not pay for - my CPU cycles, my disk space, my network connection time. In effect, email is free to spammer. Broadcast radio is free to me, but not to the advertiser. The advertisers pay for me. That's a dramatic difference, and one, I think, that you're deliberately ignoring, because you go on to write: > The freedom of advertising IS the freedom of the press. Again, you couldn't be more wrong. Advertising has never, ever been a form of protected speech. Why do you think we have such things as truth in advertising laws? I doubt that anyone has proposed a rational argument for considering advertising as free speech. > Remember, spam is the tool of the small business, the underdog- he who cannot afford the banner ads and other less obtrusive forms of advertising. Remember that spam is the tool of the small-time crook, the theif- he who doesn't want to pay his own way on the internet, but wants to do the most obtrusive form of advertising.
  • by Coward, Anonymous (55185) on Thursday January 04, 2001 @07:13PM (#529232)
    Advertisers brought us magazines, daily newspapers, radio theater

    That's because they were paid by advertisers. With spam, nobody is paid to carry the ad, thus nothing is funded by the advertiser. Magazine advertisers pay magazine publishers who give us magazines, television advertisers pay television companies who give us television, spammers pay nobody so we get nothing. Spam isn't going to bring us anything, because spammers don't pay anyone.
  • The only really good claim that they come back to in that article, and a valid one, is that spammers can now discern whether or not you opened the e-mail.

    This is even better than asking you to reply with a "remove," in order to get you on even more lists. This way, you can become a premium beneficiary of their spam enterprise without any direct involvement.

    Good job Congress. At least telemarketers can be stopped.
  • While I agree with many of the other posters concerning the age of "web bugs," not following spam URLs and the like, I can't help but hope that this sort of thing will add impetus to making spammers get what coming to them.

    Rather than saying, "Spam is like getting postage due mail that can't be refused," perhaps now we can point to some, hopefully many, instances od spam and say, "This spam is extremely likely to be a virus carrier that could wipe out millions of Windows maghines worldwide simply by being received." Maybe THAT could jumpstart some law-making and prosecution.

    Although, as we all know, in the US, while lawmaking is easy, actually following through on the part of the government is rare.

    --
  • What I don't understand is how a virus (say the "Love Bug") could propogate any better by using this method. It can't figure out your system configuration, or whether or not you're running Word.

    Here comes the sensational journalism with its "cyber crime" and "hacker wars." Oh boy.
  • A couple days ago I started filtering all HTML email straight to the trash. I did this for a few reasons. The main reason is that 90% of "real" email is non-html (I told friends that they'd go in the trash and I wouldn't even know they sent it if they didn't fix their settings if on HTML), and 95%+ of hard-to-recognise spam (email "newsletters" from companies you've never used, etc) is html. What goes with this is that HTML email can have "web bugs" and other tracking in them too... You could be tracked just by reading an email (looking around before doing this I found this rather common). This has been mentioned before on /. and also other places, but people seem to keep forgetting. The filter has been very effective (all unwanted email over the few days its been), and only one bad filter (from someone who didn't know about it).
  • tbo writes: Web bugs are more evil than your average URL link because you have to click on the link, whereas a web bug (and the potential attached evil code) gets loaded automatically if you have an HTML-enabled mail viewer Yes, downloading URLs without user involvement is evil. Part of the problem are the email clients that default to rendering message bodies of the first unread message and not asking the user to confirm remote image downloads. (E.g., Netscape Messaenger and MS Outlook, but - I think - not AOL 6.0 and others reported by other slashdot posters.) Again this is a security vs convinence tradeoff.

    2) Automatically executing code from a remote, untrusted source is bad, kids. I haven't seen a web bug that actually executes remote code on the local client machine unless you consider JavaScript code to be unsafe. Sure JavaScript can be unsafe if your browser's intepreter has an implementation bug or you consider certain information like screen resolution, local timezone and other browser options to be private, but we are not talking virus risk here.

    The Web Bug FAQ [privacyfoundation.org] for more information. In particular note that it does list some non-evil uses for web bugs:

    Another use of Web bugs is to provide an independent accounting of how many people have visited a particular Web site.

    Web bugs are also used to gather statistics about Web browser usage at different places on the Internet.

    E.g., If you want your site to run at the fastest posible speed, you might host static HTML with a globaly traffic managed web caching or hosting company like Akamai [akamai.com] or Speedera [speedera.com] But you still would like to get logs directly for anaylzing traffic to your site and comparing with the web hosting company's bills. So you place a web bug on your pages directly back to your origin site (or third party like LiveStat [livestat.com]). The user experence is still fast if done right, because the slow logging to your server occurs after the page is rendered.

  • The Privacy Foundation [theprivacyfoundation.org] discovered this type of abusive capabilities in MS Word documents back in August of 2000. The potential uses for this exploit [privacyfoundation.org] ranged from tracking the distribution of sensitive documents to malicious things similar to the ones described in the WebBug article. The advisory also mentioned the ability to perform the same functions in Web pages, Excel spreadsheets and Powerpoint 2000 presentations.
  • What the article fails to mention is the fact that web bugs can actually be used for legitimate use (IMHO, always).

    Take for instance the company itraceyou.com [itraceyou.com]. This company provides a free service for users to be able to receive confirmation emails when their email has been opened. I think that would come in useful for anyone of us. Isn't that a ligitimate use for the web bug?

    What troubles me more is that they are attempting to patent this (what seems to me), kind of obvious method of receiving a notification when an email is opened.

    Visit the company info [itraceyou.com] page for information on the pending patent. Should this actually be granted?

  • A virus that used the Web bug technique could essentially conduct a poll of potential victims to determine whether or not they would be good targets.

    Woop-de-doo. It's not expensive to sneeze viruses all over the world, so why bother targeting? And the majority of the world - present company excluded - uses Win32 and IE - or IE-based AOL. You don't get a hell of a lot more useful info out of your basic HTTP headers than that.

    The profiling is disgusting. The increased threat of virus is negligible.

    If anything, the thing that opening the email does is advertise "I'm an idiot. Here's my IP address. Crack my system. (Hint: I'm the kind of person whose password is the same as my username)."
  • Spammers hide the information in the URL of an invisible image which is automatically loaded by (stupid) HTML-based mail readers.

    It's a case of stupidity compounded by stupidity. HTML was never a good idea for email in the first place. (i.e. any form of "enchanced" text for email should have been designed to be easily readable on something which didn't render it. The output of email programs which generate HTML appears to have been specifically designed to be cryptic to anything other than a web browesr.) This is compounded by simply feeding it to a web browser engine. Without at minimum removing external links and JAVA/JAVAscript/Active X/etc.
  • Hmm... embedded HTML/images security risks, endless Java security alerts, 1x1 invisible tracking GIFs, the recent Flash plug-in security alert, all the problems with javascript...
    God, I'm glad I use lynx and pine. It's a shame though, when a site is inaccessible for those without javascrapt... what ever happened to "Click Here to see a Text-Only Version of this Page" ?
  • Wow, which API call tells viruses if the user is an idiot? As far as I know, that was the Love Bug's only significant system requirement.

    I'm way too late, but the answer is simple: Set the log to record the User-Agent: header. Presto, a list of all users who read the e-mail, what e-mail client they used, and for most clients, the OS they are running.

    This information can be invaluable:
    grep IE /var/log/httpd/access_log

    Presto, a nice list of everyone who accessed using some version of IE (I don't know what Outlook sets the User-Agent to). If you set it up to have a query string with the e-mail address recorded (ie, http://www.example.com/bug.gif?user@example.net - generated through your spam-script) your log suddenly includes the e-mail address too. This is how much information you can record and why this can be a threat - especially coupled with the fact that the most insecure clients download the images without user-option.

  • Making matters worse, these email bugs have moved beyond the domain of "get-rich quick" and porn spam. Even companies you might consider legitimate have been doing this. One would think financial institutions would be particularly concerned about privacy, but I have found email bugs lurking in mail from both E*Trade and American Express.

    My personal favorite is when I received spam from a company that was trying to sell me intrusion detection software.

    There's just something ironic about that.

  • If you want something that is free and filters webbugs, among other things, from your browser, check out webwasher [webwasher.com].

  • But is that in fact legitimate use at all? I don't always read what I get in the regular mail, yet there's no way for someone to tell, remotely, if I did read it. Why should there be in the email world?
  • No, the HTML has already been authored and you only have insignificant control. Only with XML do you have control of the display, and then you must have the author's schema in order to make sense of the data.

    What are you talking about? All the author has decided is the linearization of text with HTML. You can decide fully how it will be represented with CSS. And anyways, you're supposed to be writing XHTML, which is an XML application anyways, so your point is moot; I could use XSL to reorganize the linearization of data how I please

  • Actually recent versions of PINE(greater than > 4.2 maybe?) do render HTML. Of course it doesn't autoload images or anything, but HTML isn't really the problem. Its fuckwitted software that likes to automagically load everything up at once under the guise of "of course the user will want to load this image". And the truth is, your average lamebrain windows user, even if confronted by the option of turning off images from remote sites, they would say no because they don't know a better and would think it meant that they would no longer be able to receive emails with porno pics of the "woman" he has be having cybersex with in some java based chat room(never mind the fact that this "woman" is really a 500pound biker guy who has a thing for giving enemas to people).

  • The company I work for has a mailing list its customers can subscribe to. Guess who's the lucky guy who watches over it? Yup, you got it...

    Anyway, the marketeers like to be able to track ROI and whatnot. So a little bit back, we started sending multipart MIME messages, and including the company logo in the HTML version. Result: the ability to tell them "Okay, in the first 7 days after the mailing, N people opened the message with HTML-capable mailreaders while online." Obviously, the actual number of people reading it is greater, but these days, probably not by much.

    Around that same time, I modified the Perl stuff that sends the mailings to stick a query string on those images, i.e. "/hdr1.gif?7kdtP-SeV" or whatever, populating it with an encoded version of a string containing stuff like the date it was sent, the filename of the message that was sent, and the registered userid (on our site) the address corresponded to.

    On the back end, more Perl looks at various and sundry logs, and goes through the process of "Hey! CMDRTACO read the e-mail. Hmmm. CMDRTACO clicked through to the site from the e-mail. Hmmm. CMDRTACO logged into the site. Hey cool, CMDRTACO bought something, cha-ching!" and so on.

    I'm actually doing some finessing today to automate things a bit. Perl hacking, fun fun fun.
    --

  • I dunno if this will be any use to anyone, but here goes...

    Those web-bugs are so small that you can't easily right-click and block image from server. I started to put a page together a while ago where I take the webbug, as I find it, put it on a page where i've expanded height and width to 50x50, in order to be able to right-click and block em.

    I was thinking about writing a cgi that would allow people to enter an URL and offending page/company name and add to the page, but I've not had time to do it.

    If you want to see the page, click here [wiw.org]. If anyone wants to help throw together the cgi for such a page, or even gets one going, contact me.
  • by tbo (35008) on Thursday January 04, 2001 @06:52PM (#529251) Journal
    Web bugs are more evil than your average URL link because you have to click on the link, whereas a web bug (and the potential attached evil code) gets loaded automatically if you have an HTML-enabled mail viewer. Stuff like this is why I have intentionally avoided HTML-enabled mail clients. Automatically executing code from a remote, untrusted source is bad, kids.

    Why Hemos went on a rant, I don't know. Yes, the article doesn't mention URLs in spam, but that's because they're less insidious than web bugs. Presumably, if you click a spam link, you get what you deserve.
  • by kettch (40676)
    Hemos is right, dont click spam links. You should also keep from giving out your real email address. These are all common sense things. there are alot of classes offered about how to use the internet, I think that spam avoidance should be part of them.
  • Load slashdot and check your source. Scroll down and look for this:

    <!--
    now = new Date();
    tail = now.getTime();
    document.write("<IMG SRC='http://images2.slashdot.org/Slashdot/pc.gif?/ article.pl,");
    document.write(tail);
    document.write("' WIDTH=1 HEIGHT=1 BORDER=0>");
    document.write("<IMG SRC='http://images.slashdot.org/pagecount.gif?/art icle.pl,");
    document.write(tail);
    document.write("' WIDTH=1 HEIGHT=1 BORDER=0><BR>");
    //-->
    </SCRIPT>
    <NOSCRIPT>
    <IMG SRC="http://images2.slashdot.org/Slashdot/pc.gif?/ article.pl,978666575" WIDTH=1 HEIGHT=1 BORDER=0>
    <IMG SRC="http://images.slashdot.org/pagecount.gif?/art icle.pl,978666575" WIDTH=1 HEIGHT=1 BORDER=0>

    The latter is clearly a page-counting mechanism (or so it appears), but wouldn't the non-hypocritical thing to do still be to remove one's own webbugs before posting yet another exposé on the dangers of others' webbugs? At least for appearances' sake?
  • Consider for a moment that, when perusing most media-- be it a magazine or your snail mail- you are accustomed to advertising in many forms. As a matter of fact, many new media are created for the very purpose of bringing ads to your eyes and ears.

    They created 3-d vision and smellovision in the movies because movie theaters, at that time, were major purveyors of advertising. Radio shows were sponsored by advertisers and all of their content was, in that sense, a form of spam.

    Why do we get angry when an ingenious marketer slips in an intrusive, but fundamentally harmless, web-bug? If the spam were a virus and crashed a system or deleted data, it would be counterproductive to the spammer's purpose, marketing.

    The freedom of advertising IS the freedom of the press. Advertisers brought us magazines, daily newspapers, radio theater, and many other aspects of our culture that have become highbrow, in some way BEYOND advertising. Give spammers respect- and a bit of freedom-- don't threaten them with punishing lawsuits and jail time! Otherwise, very few people without previously existing monolithic web presences will choose to do business on the Web. Remember, spam is the tool of the small business, the underdog- he who cannot afford the banner ads and other less obtrusive forms of advertising.
  • Hi. Isn't this a bit elitist? Just because someone doesn't have a good knowledge of computers is no reason to sneer at them at all! People who know nothing about computers use them every day, and that means that we need to make sure that these tricks just do not exist at all.

    It seems only fair to me ;)

  • The trick is that if somebody views the spam, as a convenience the browser loads the images specified in the tags, and most web bugs are 1x1 pixel images that the user doesn't notice, but still generate a get request, often with a cookie sent along with it. The average user is not oging to find browsing/etc... with "auto load images" turned off a tolerable functional browsing experience.
    my solution is not to run an HTML-aware mail program. I delete anything that is not text/plain unless i'm _very_ sure of the source...
  • by singularity (2031) <nowalmart&gmail,com> on Thursday January 04, 2001 @07:20PM (#529257) Homepage Journal
    You say that HTML-snabled mail clients automatically download the web bug in question.

    Eudora for the Mac (but not for PC) has an option to not download remote HTML graphics. All HTML will be displayed, and all images sent with the message are displayed, but no remote server is accessed.

    This is A Very Good Thing. (tm)

    There are other possibilities out there.
  • You're going to find that most people's problem with spam isn't the advertisement itself.. I would have no problem if a spam email actually LISTED the read address it came from, and a subject line that indicated it was an advertisement. Most spam used to be this way even a year or two ago. Now nearly every single piece of spam I get comes from a bogus email address, with a phony subject line trying to trick you into thinking it comes from someone you might know, and just reeks of being some kind of scam.

    It also annoys me when I have to delete 50-100 spam messages a week, and hope that I don't delete anything important along with it. In the "old days" of advertising, getting your product out required some sort of cost to the advertiser. Now any idiot with an AOL account, a spam program, and a large list of email addresses can spew out junk messages non-stop, with virtually no cost to themselves, and at a high cost of annoyance to the receivers.
  • by kaphka (50736) <1nv7b001@sneakemail.com> on Thursday January 04, 2001 @07:28PM (#529259)
    For example, the Love Bug was a widespread virus sent via e-mail. But it was dumb -- it had no way to tell if the machine it sent itself to would be a good target for infection. It just crossed its viral fingers and sent itself along. Some computers fell for it; others didn't. Whether a computer got infected or not depended on the configuration of that machine.

    A virus that used the Web bug technique could essentially conduct a poll of potential victims to determine whether or not they would be good targets.
    Wow, which API call tells viruses if the user is an idiot? As far as I know, that was the Love Bug's only significant system requirement.

    (No matter how good your security is, you can't stop users from hurting themselves by running untrusted code. Scare tactics stories "virus threats" only make the problem worse.)
  • Though I can't fault Fox on facts, this article gets pretty sensational when it comes to the supposed "risk" of virus activity caused by spam HTML.

    This may allow a creator of one of these new breed script virii to better target mailboxes, but the weak link remains the same: the user who opens the attachment. In the past, virii relied on technical holes for their propagation; now it's simply the gullibility of a large number of users. Besides, the victims of these scripts are not targeted by the author except in the very beginning of an outbreak; rather, they (voluntarily or not) send the message along to each other. So the better-aimed shotgun that "web bugs" might create would really make little or no difference in the spread of a modern email worm.

    By the way, did anyone else notice Fox News is printing an expose on 'Web Bugs'? I suppose that's print in the "printf" sense, not the "ink-on-paper" sense ;)

  • by fv (95460) <fyodor@insecure.org> on Thursday January 04, 2001 @07:37PM (#529261) Homepage
    While Hemos says "just use the bottom line - don't click on spam URLs", he misses the point. The insidious nature of these emailed "web bugs" is that they DON'T requre any clicking. Spammers hide the information in the URL of an invisible image which is automatically loaded by (stupid) HTML-based mail readers. Every time you open the message, the sender is notified and generally logs the time, location (IP) and email address of the person reading the email. They also frequently set an HTTP cookie so they can cross reference future browsing activity with your email address (which they know because they sent you the spam).

    Making matters worse, these email bugs have moved beyond the domain of "get-rich quick" and porn spam. Even companies you might consider legitimate have been doing this. One would think financial institutions would be particularly concerned about privacy, but I have found email bugs lurking in mail from both E*Trade and American Express.

    While these bugs aren't very effective against those of us who use pine, mutt, etc., they set a dangerous precedent. If users tolerate applications retrieving untrusted data from the net without notification or permission, we could see even worse abuses like this in the future.

    Unfortunately pressuring application vendors to respect our privacy is not always fruitful. And with closed-souce applications, you often have no idea what they are up to. I was glad to see that some of the Windows "personal firewall" programs such as ZoneAlarm [zonelabs.com] offer features that alert users to unexpected outgoing connections made by applications. Users can define notification policies based on their own privacy concerns. I haven't run across similar software for Linux, although it wouldn't be hard to write. And it isn't quite as important on Linux since fewer users download/buy untrusted binary-only programs.

    Cheers,
    Fyodor

    Concerned about your network security? Try the Free Nmap Security Scanner [insecure.org].

  • by tbo (35008) on Thursday January 04, 2001 @07:41PM (#529262) Journal
    Normally, the "tag" (informative|offtopic|flamebait|etc) is set to whatever the last moderator modded the comment. However, Overrated and Underrated do not change the tag. What may have happened in this case is that Klerck posted his crap at 1, somebody gave it +1, Informative, then three different moderators gave it Overrated.

    Why overrated and not Flamebait, Troll, or Offtopic? Because the moderators are all cowards, and we don't want to lose karma in meta-moderation to some rogue meta-moderator. Moderation, meta-moderation, etc, only work if the majority of users are not trolls. Unfortunately, they are mostly trolls on Slashdot...
  • In addition to this, I'm pretty sure that in the email RFC, there's an option that you can include with emails for return-reciepts -- the only problem is that few if any clients appears to support such features (with numbers much lower on windows sides). Of course, I may be completely mistaken here.
  • Wow, which API call tells viruses if the user is an idiot? As far as I know, that was the Love Bug's only significant system requirement.


    Easy, you just check to see if they're running Windows. :-)

    (That was a requirement for the virus, so this isn't totally flamebait...)
  • Where can I learn how to see the Web bugs that I suspect are in the spam-like e-mail that I receive?

    Thanks,

    Tim

  • There are a lot more things you can include in a document from a remote location than just images, and maybe your email client doesn't have an option to turn them off...

    style sheets...
    javascript...
    java...
    so it's not so simple just to turn off images. luckily for me, eudora doesn't run any of these either, but some people who use other email clients may not be so lucky....

  • it's one thing to do this on your website, it's quite another to send it to people in their email!!! Count on, /.!!!
  • It can't determine the presence of Word. (At least I can't figure out how yet)

    However, remember that on Windows, the browser is used to get the image. That sends system configuration information in the http header.
  • I read an article on 'Web Bugs' before and it described them as being similar to the html code found right here on Slashdot. This is harmless as it is only counting page views...however...it could do a lot more if you wanted it too.
  • They should moderate you way, way up!
    The lame brained windows users who are warned and still allow everything to autoload, condemn themselves. However, I like the idea of being able to protect myself. I don't care what the spammers do with the sheep. There'll always be sheep.
    ========================
    63,000 bugs in the code, 63,000 bugs,
    ya get 1 whacked with a service pack,
  • "IMG SRC='http://images.slashdot.org/pagecount.gif?/ind ex.pl,978708130220' WIDTH=1 HEIGHT=1 BORDER=0"

    Damn- I should've previewed my last post.
  • Becase tv commercials don't start by saying "Check out barly minor 's website where you can see her losing her virginity to 5 black studs while her parents watch! Just point your remote to channel ...."
  • Won.Net IMG SRC="http://adforce.imgis.com/?adserv|39|163366|1| 149|ADFORCE" name="NL-NGA.June6" BORDER=0 HEIGHT=2 WIDTH=2 NATURALSIZEFLAG=0 ALIGN=BOTTOM ALT="Click Here"

    Among many other embedded images at system generated URLs (but all have a similar ID string
    [http://tako.sierra.com/wrclick?v&CoreNewsletter He ader&ID=fPb8itB1P3Hupellk.vjI])

    HomeGain.com img src="http://click.homegain.com/kc1231313040.1001.0 .-3.http%3A%2F%2Fus.yimg.com%2Fi%2Fmy%2Ftop7.gif" WIDTH="1" HEIGHT="1"

    Barnes & Noble img src="http://www.ensuredmail.com/mbna/ctr.asp?e=YEU H"

    Buy.Com IMG SRC="http://enews.buy.com/cgi-bin5/flosensing?y=Cu r0SYfw07xC"

    WestWood Studios img width="1" height="1" src="http://www.m0.net/m/logopen02.asp?vid=676&cat id=2055603275&ecid=0" alt=" "

    PriceLine.Com img width="1" height="1" src="http://www.m0.net/m/logopen02.asp?vid=644&cat id=2104304093&ecid=1297" alt=" "

    Network Solutions (even had my email address embedded in the image URL)
    img src="http://graphics.e-dialog.com/graphics/myemail @address.com|||977185002&&&gtld_1_001208_networkso lutions_DETECT"

    They seem to embed them between the closing BODY tag and the closing HTML tag in most cases.

    Kind of scary. I think I'm going to stop using Outlook... *shiver*

    (not to say *all* of these are web bugs, but they were suspicious)
  • Yes, but the spammers get a distinct advantage from the unique url, if you click it and or load an invisible image they can track it to your actual email address. If it is not unique, they may be able to get ip address, os, browser info, etc. but can't link it to your email address as there are thousands of people hitting that non-unique url. With a unique url tied in their databases to your email, they know for sure if you viewed the email and can also link the other info gathered (ip, browser, os) to you email address. Kinda scary.
  • heh, checked one with from one of our 'partners' (WebMethods, Inc.) img src="http://207.252.6.138/servlet/com.marketsoft.j sp.servlets.CustomerOfferViewed?watermark=1%3A-1%3 A-1%3A-1%3A-1%3A7785%3A-1%3A-1%3A680%3A-1" Bastards.
  • Slashdot has an ad on the top of each page. I choose to come to this site even though there is an ad. I understand that it is required to fund the site. This is my choice.

    I check my e-mail. I expect to be sent something that I requested. Be it by somebody asking my e-mail address or filling out a form, knowing that I would be contacted for a specific reason that I knowingly requested.

    Spam is typically not requested by individuals. Well, unless they are a masochist. I always have the option to see the Slashdot ad. I can simply avoid it by not visiting the site. I *requested* to see the site, and thus the add. When one gets spam when checking their e-mail, they did not request that advertisement. Personally, I see it as intrusion onto my privacy, and do not appreciate it one bit, and I wish it were illegal.

  • that these webbug things are nothing compared to what is coming.

    Spammers will pay big money to backbone providers and then they will be given the right to spam as they please. Of course blasting the backbone provider would be like pounding on your spinal cord out of spite.

    I also predict there will be an explosion of free ISPs. If the figures concerning profits from data profiling aren't as exaggerated as I think they are, the free ISPs will make good money from feeding customers to these spammers. They may very well push a few normal dialups out. Mix in a TOS which says you WILL not circumvent data profiling activity in the free ISP connect software, add a dash of DMCA, and you are no longer watching your monitor, it is watching you.

    The more likely scenario is the big fish ISPs will mutate into a gruesome hybrid of highly reduced priced unlimited service plans, with the TOS requiring you submit unconditionally to the data profiling behavior in their software.

    Need I suggest what horrors await if the free DSL thing takes off? Simply put the data profiling will be even faster and more efficient and more transparent.

    Like I said, the web bug thing is nothing. They can do far worse to you with a lower priced service with a diabolical TOS and proprietary DMCA-protected ISP connect protocol software (pppoe-freeDSL-8.0.dll, anyone?).

    Only the small time spammers will be still using web bugs after that.
    ========================
    63,000 bugs in the code, 63,000 bugs,
    ya get 1 whacked with a service pack,
  • I'm halfway with you on this. I don't think spam, in general, is as evil as some make it out. But in this case, there is a genuine privacy and (maybe) security risk.

    Advertising to the masses, through TV commercials or mass e-mails, is one thing. Retrieving personal info (think: Doubleclick web bugs) is another, even if their goal is just to send you "targeted" advertising.

    Do you really want Joe Spammer to be in a position to know that you are currently online, with IP xxx.xxx.xxx.xxx, just received an e-mail advertising "hot teen lesbian action", and clicked on the link within after only twenty seconds? That's easy for them to do. With a little more work, they could associate your e-mail address / cookies with your physical address and other personal info.

    There is a fine line between advertising and spying. Its been crossed before, and web bugs will be used to cross it again.


    My mom is not a Karma whore!

  • by Le Pillsbury Du Bois (267730) on Thursday January 04, 2001 @07:03PM (#529279)
    Web bugs are real and easily spread for some purposes. I received a chain email that had a funny story about winter. I am forced to use MS outlook, and even in the preview window, the email appeared with all it's cute anitmated gifs. All the gifs were off a remote server. So whoever runs that server has a hit log of everyone this chain letter went to.

    Talk about power. Instead of a virus, it's a way to find out the architecture of people's networks. Sure, lots will be blocked by firewalls, but lots won't. There's also the potential to load large images (500k) off a taget website. If the email spreads fast enough, it will be a distributed DOS.
  • I can't even begin to describe how much the [this] story irritates me - yes, there's truth to it. But it's more then [than] just simple Hemos bugs - it's any sort of spelling or grammatical error. Take out the scare portion of the article, and just use the bottom line -- a broken metaphor is worth two in the bushes. Now where *is* that darned bottom line, anyway?
  • The difference between spam and TV commercials/banner ads/radio commercials is the fact that spammers are pushing their ads on you without your consent. Spam wastes your time and system resources (I assume you have an e-mail account size limit), and you cannot keep people from spamming you. I can always change the cannel on the TV.

    Now it seems that spammers can even find out where you are (via your IP address and those nifty HTML-reading e-mail clients). I thought the virus link was kind of far-fetched.

    I don't see a solution to spam anywhere on the horizon, but this is a bad development.
  • ...you could create a unique URL for each spam.

    well you could, but that would defeat the main benefit spammers utilise, which is the ability to send a single body with multiple (ie. hundreds if not millions) of RCPT TO addresses.

    the current methodology makes the relay do all the work by making it contact all the smtp hosts of the people being spammed. by adding a unique web bug (and hence a unique body) for each receiver you would create an immense amount of load on the spammer's own system and network connection.

    just my 2 cents
    marty
  • I read the author's name as "Jeff Hantavirus." I almost passed over the story, when the name startled me and I had to go back and read more carefully.

    I'm sure this amuses only me. Oh, well.

    --
  • Strangely enough I find that I get no spam on my netzero account. Of course that might be because the spammers figure people using netzero are already broke..
  • (the KDE browser) is that it often shows web bugs (like the one at the top of every slashdot page ...)
  • the worst ones are the pages that have a bit of html in them like this:
    <img src="http://we.spam.you/php-script/fean-reads-his- email.jpg">

    so all they have is a PHP script sitting there, recording who reads the emails.... its impossible to stop on web based email systems....

  • MS Entourage (née Outlook Express) on the Mac also has the option to disallow network access for HTML mail. It's a great idea. In the worst case, you get an email with some broken images. It's not like I want people sending me web pages... if they want me to see their web page, they can send me a link. But it still allows the text markup. Win-win.
    Eudora for the Mac (but not for PC) has an option to not download remote HTML graphics. All HTML will be displayed, and all images sent with the message are displayed, but no remote server is accessed.

    --

  • Frankly, the smantic + markup concept gets a lot of lip service from all corners of the world, but in practice I have yet to see a system that is both "correct" and actually used in the correct way.

    HTML was designed from day 1 just as you described, and what do we see? People spending days and days writing convoluted code to get the formatting "just right."[1] This is especially true when you are presenting something with no content[2]. Too many people are control freaks as well, there is no way they are ever going to let someone else see the presentation when they could have just any font, point size, or color selected (just to name a few). These people shutter at the idea of a webbrowser without the FONT tag, or those people who click "override document fonts". There is no way they are going to let their formatting be dictated by the reader!

    Maybe it's a good thing to make these people let go of their control issues, but in reality anything that tries is either not going to catch on, or is going to be mutilated into something else (HTML).

    [1] At least on Windows with IE
    [2] 75% of all web pages, and 100% of all flash presentations
  • So by the same token, people should be allowed to drive automobiles even if they don't know how to drive them? Or they should be allowed to use the telephone if they don't know basic telephone safety(Like don't give your address etc etc out to
    strangers and all the other things you learned as a kid).

    My point is that computers attached to the internet are not just "toys" but they are serious pieces of electronic equipment. Equipment that most people trust their finanical records and other aspects of their personal life to. At least software should go with conservative defaults for the uneducated. The people who do know what they are doing know how to change the defaults.

    It would be fairly trival to have a bug of worm that gets into a system via a bug in outlook(or more often than not an education problem, like files named pr0n.jpg.exe etc..) and then phones home with all of the goodies to some random webserver in siberia. Oh and it installed a nice backdoor or something.

    People just need to be educated about the risks, like with the box tossing up a message about loading remote images saying that "Loading images from remote servers that are received via email can be considered a privacy threat, if you know that you will not have this problem, click ok, otherwise the safe choice is no".

    I'm sick of people trying to candy coat things and saying that its completely safe to have your computer on the internet, because we all damn well know its is a risk.

  • because fox is shutting down some of its web sites... fuckedcompany.com reported fox.com and foxsports.com are going down...
    --
    Peace,
    Lord Omlette
    ICQ# 77863057
  • The critical flaw with your argument is the line,

    "Advertisers brought us magazines, daily newspapers, radio theater, and many other aspects of our culture that have become highbrow, in some way BEYOND advertising."

    An advertiser pays the newspaper, radio or TV station or magazine for advertising space, and then the newspaper, radio or TV station or magazine uses the money to provide content. The *CYCLE* is completed when the audience of the content buys the product from the advertiser. If you partake of the content, you get the ad; if you don't partake of the content, your chances of seeing or hearing the ad are much lower.

    Now, the BIG question; What have Internet spammers brought the Internet community? The spam in my mailbox has little or nothing to do with any of the content I utilize. The content I utilize is not funded by spammers.

    True, my mailbox at home gets junk mail sent to it, regardless of my lifestyle. In that case, the junk mailers pay the post office that delivers my mail; in fact, a large percentage of mail is paid (to the post office, among others) advertisement. In contrast, a spammer pays for his Internet connection (sometimes), and a pirated list of names. It's *my* ISP that has to take *my* money to install bigger facilities to handle all the junk mail that doesn't necessarily bring in a dime to *my* ISP.

    I resent your sugar-coating the issue as much as I resent spam. The people who are sending me spam are not bringing me content, nor are they patrons of a better society. They are, instead, free-loading, greedy, opportunistic scumbags who will do anything to make a quick buck without having to work or pay for it. They are making *me* have to pay for *their* advertising, even if our only connection to each other is the fact they have *my* e-mail address (which they most likely gathered without my consent).

    For the most part, I'm content simply to ignore the "Lose weight fast" and "Get out of debt now" spam sent my way. The ads that anger me are those for porn sites. I am a Christian, and I resent having my moral values attacked by some cheap sleazebag. I did nothing to merit the attention those spammer have given me. I resent their efforts, and all the more as children use the Net. In legitimate advertising, I can complain to the proprietor, or even take him to court. Slimebags are too ashamed to accept responsibility for their actions; they only want money. Like the roaches they are, they hide where they think I can't find them.

  • Easy way to take care of that if you use a
    console mail reader like I do (mutt, elm etc.)
    put lynx in your mailcap file to handle html mail
    this doesn't do java, javascript, or images so
    no problem ;)
  • Web bugs are more evil than your average URL link because you have to click on the link, whereas a web bug (and the potential attached evil code) gets loaded automatically if you have an HTML-enabled mail viewer. Stuff like this is why I have intentionally avoided HTML-enabled mail clients. Automatically executing code from a remote, untrusted source is bad, kids.

    HTML email gets a bad wrap. The thing people forget about HTML is that it is, at its core, a semantic markup language. HTML provides meaning to otherwise flat text. Flat text forces the author of an email to use how an email will look to get across meaning. On the other hand, HTML clients, done properly, allow the reader to decide how something will look.

    My dream is to have an HTML-aware client that accepts everything that is in the XHTML-Basic specification [w3.org]. XHTML-Basic allows basic semantic markup, disallowing presentational elements such as <font>, and uses CSS [w3.org] to provide presentation. However, the client can choose to ignore the CSS, if the user wants, leaving all presentational items up to the reader.

    In summary, plain, flat text for mail is one of the worst things we are plagued with. It mixes meaning with presentation. The author is forced to decide presentation, which is one of the biggest evils of communication. Presentation should be decided on the reader's end, with the message only containing semantic meaning; HTML allows this.

  • unix based email software (XFmail, Pine, Balsa), none of which yet render HTML or activeX & java/script.

    This'll work for now.
    ========================
    63,000 bugs in the code, 63,000 bugs,
    ya get 1 whacked with a service pack,
  • So next time mike28345@msn.com sends me an email about 'hot wet sex' i cant click on the link??? but i trusted mike28345 so much before this.
  • For someone who holds spam in such high opinion why try to block it from you own inbox "journaSPAMlist.com".

    Who's to say that "an ingenious marketer" is going to stop at just knowning your IP. Why not load a keystroke monitor or some other spyware? Then they could skip that annoying "attract the customer" and start charging your credit card directly (no fair patenting my idea either).

    Marketing is an offensive weapon used against the consumer. If companies provided a good product at a fair price, the would inspire more brand loyalty than millons of marketing dollars. To often companies use marketing to foist unneeded and unwanted products on consumers (to say nothing of 'get rich quick' and other scams).

Each honest calling, each walk of life, has its own elite, its own aristocracy based on excellence of performance. -- James Bryant Conant

Working...