Stopping "PattyMail" Email Bugs

An anonymous reader writes, "In the U.S. Congressional Inquiry into the HP spy scandal, it was revealed that HP used Web bugs to track the source of leaks. HP's Fred Adler considers them a useful investigative tool which HP will keep using. Since dubbed PattyMail after HP Chairwoman Patricia Dunn, Web bugs have been around for a while. But it turns out the vulnerability they represent is far worse than first thought. Microsoft Outlook won't have a patch until 2007. The company at the center of the scandal claims they've done nothing wrong. But could repressive governments use them to track down critics? Can anything be done to stop Web bugs?"
  • Mutt ! (Score:2, Informative)

    by mpapet ( 761907 ) on Friday October 13, 2006 @12:49PM (#16425319) Homepage
    Mutt!
  • Re:Yes. (Score:1, Informative)

    by Anonymous Coward on Friday October 13, 2006 @12:51PM (#16425359)
    Um, how about not reading email in HTML?

    If you're using Thunderbird [mozilla.com], by default it won't display images in e-mails. It says 'to protect your privacy, these images have not been shown', and offers a button to click to show the images.
  • by DoctorPepper ( 92269 ) on Friday October 13, 2006 @12:54PM (#16425447)
    Elm, Mutt, Pine. Need I say more?
  • by DaveCar ( 189300 ) on Friday October 13, 2006 @12:57PM (#16425497)

    The issue discussed in TFA does not involve image bugs but iframe bugs.

    Now, I don't know, but they would potentially still be triggered if you were using a "convert to plain text" filter???
  • Re:Yes. (Score:3, Informative)

    by John.P.Jones ( 601028 ) on Friday October 13, 2006 @12:59PM (#16425541)
    In this case it isn't HTML that is the problem; it is the automated referencing of external data (images) via HTML. My mail program kindly asks before downloading these images; a really nice sender would attach the images so I know they aren't tracking me.
  • by DaveCar ( 189300 ) on Friday October 13, 2006 @01:02PM (#16425609)
    Bah. RTFA. It's not about image bugs.
  • by DaveCar ( 189300 ) on Friday October 13, 2006 @01:07PM (#16425689)

    IFRAMEs _not_ images!

    http://www.freedom-to-tinker.com/?p=610 [freedom-to-tinker.com]
  • Problem NOT Solved (Score:2, Informative)

    by DaveCar ( 189300 ) on Friday October 13, 2006 @01:09PM (#16425727)
    This is NOT about image bugs, it is about IFRAME bugs.

    http://www.freedom-to-tinker.com/?p=610 [freedom-to-tinker.com]
  • Two Solutions (Score:2, Informative)

    by ewhac ( 5844 ) on Friday October 13, 2006 @01:23PM (#16425929) Homepage Journal
    Solution #1:
    • Delete Outlook.
    • Install Thunderbird [mozilla.com].
    • Open the Preferences panel.
    • Click on the Privacy tab.
    • Select the option, "Block loading of external images."
    • Select the option, "Block JavaScript."
    • Click OK.
    • You're done.

    Solution #2:

    • Delete Outlook.
    • Install mutt [mutt.org].
    • You're done.

    Schwab

  • Re:Plain Text Only (Score:1, Informative)

    by kristoe ( 119153 ) on Friday October 13, 2006 @01:33PM (#16426067)
    If you read the sourced article, disabling HTML email would not be sufficient. The tracking marker is actually embedded in an attached document. Once embedded it turns invisible, so there may be some macro associated as well. It seems that a cascade of nefarious and default behavior of a suite of MSFT products allows unsophisticated users to be duped. Suggested steps to mitigate, if not entirely eliminate, the risk of PattyMail:

    1) Assiduously avoid MSFT products where possible.
    2) If you can avoid all, avoid MSFT Word, the probable culprit in this case. Use OpenOffice instead.
    3) If you can't do that, disable automatic macro execution in MSFT Word.
    4) Do not use HTML email. HTML makes things PRETTIER, not more useful. Anyone in favor of HTML mail is either a spammer or cares more for form than function. HTML mail is a useless abomination. But I digress.
    5) Install something like ZoneAlarm on your individual workstation and explicitly ban all MSFT Office products from accessing the Internet, without at least popping up a dialog box. This way, if there is a "phone home" mechanism hidden in a document, you'll know when it tries and you can intercede.
    6) Set your email program to alert you and request permission before sending read receipts. Never auto-send them, and do not auto-reject them either. It's useful to know who's trying to check up on you. Then, once you know someone's trying to check up on you, refuse to send the read receipt.
    7) If you must follow a questionable URL of dubious provenance, consider actually using an OLDER browser version. For example, Netscape v4.7 or older. It won't render many pretty things correctly, but who cares. More importantly, it also will simply ignore a lot of the more recent tags and syntax as being noise.

  • by Medievalist ( 16032 ) on Friday October 13, 2006 @01:43PM (#16426287)
    www.sendmail.org
    www.mailscanner.info
    www.pmail.com

    Problem solved, oh, maybe five years ago. It amazes me that anyone just figured this was a problem NOW.

    I've received hundreds, if not thousands, of emails with a {disarmed} header modification inserted by MailScanner... it's quite interesting to learn who is routinely inserting tracking bugs in their mailings.

    I suppose you could also use transparent caching a'la squid to bumfuzzle some of the trackers and speed up browsing for your end users at the same time. But it seems like nowadays the bugs usually contain individualized tracking codes that would make it through the cache anyway.

    You just have to strip out external references and tell the end users "that guy who sent you this is using a broken mailer". That's the strategy the HTML addicts used to create this problem, after all - they told the clueless that HTML was normal and that anybody who couldn't read it was using broken or obsolete software. I use the same line (which happens to be true) if somebody complains that they can't read company XYZ's mailings because the image links have been stripped out; "oh, company XYZ is using a broken obsolete mailer that puts external links into the text; until they learn to use the Internet you'd better find a new company to deal with or stick to phone calls".
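
The gateway-side stripping described in the comment above, as an added example that is not part of the original thread and is not MailScanner's code: it rewrites HTML parts through a small allow-list so that neither remote images nor the IFRAMEs raised earlier in the thread can load, and tags the Subject when something was removed. The tag lists, function names, sample message and the `{disarmed}` Subject prefix are assumptions of this example.

```python
from email import message_from_string, policy
from html import escape
from html.parser import HTMLParser
ALLOWED = {"p", "br", "div", "span", "b", "i", "a", "li", "img"}  # assumed allow-list
SWALLOW = {"iframe", "script", "style", "object"}  # assumed: dropped with content
SAMPLE = ("Subject: Quarterly notes\nContent-Type: text/html\n\n"  # constructed
          '<p>See <a href="https://example.com/notes">the notes</a>.</p>\n'
          '<img src="http://tracker.example/o.gif?id=abc123" width="1">\n'
          '<img src="cid:logo@example.com" alt="logo">\n'
          '<iframe src="http://tracker.example/read?id=abc123"></iframe>\n')

def _keep(tag, name, value):  # href loads only on click; cid: is an attached image
    ok = ("http://", "https://", "mailto:") if (tag, name) == ("a", "href") else ("cid:",)
    return (tag, name) in (("a", "href"), ("img", "src")) and value.lower().startswith(ok)

class Disarmer(HTMLParser):
    def __init__(self):
        super().__init__()
        self.out, self.removed, self.depth = [], [], 0
    def handle_starttag(self, tag, attrs):
        live = not self.depth and tag in ALLOWED
        keep = [(n, v) for n, v in attrs if live and v and _keep(tag, n, v)]
        self.removed += [(tag, v) for n, v in attrs if v and (n, v) not in keep
                         and ("://" in v or v.startswith("//"))]  # remote references
        if tag in SWALLOW:
            self.depth += 1
        elif live:
            self.out.append(f"<{tag}" + "".join(f' {n}="{escape(v)}"' for n, v in keep) + ">")
    def handle_endtag(self, tag):
        if tag in SWALLOW:
            self.depth = max(0, self.depth - 1)
        elif not self.depth and tag in ALLOWED and tag not in ("br", "img"):
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        if not self.depth:
            self.out.append(escape(data, quote=False))

def disarm_message(raw):
    msg, removed = message_from_string(raw, policy=policy.default), []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            d = Disarmer()
            d.feed(part.get_content())
            d.close()
            part.set_content("".join(d.out), subtype="html")
            removed += d.removed
    if removed and "Subject" in msg:
        msg.replace_header("Subject", "{disarmed} " + msg["Subject"])
    return msg, removed
```

Links stay clickable, so a per-recipient URL is still revealed if the reader follows it; the list returned alongside the message is what lets an administrator see which senders embed remote references.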

  • by jackbird ( 721605 ) on Friday October 13, 2006 @01:54PM (#16426503)
    Someday, perhaps someone will write a mail client that disallows loading of remote images in emails unless specifically allowed. Perhaps they could call it "Thunderbird."
  • Use something simple (Score:2, Informative)

    by bb5ch39t ( 786551 ) on Friday October 13, 2006 @02:09PM (#16426855)
    I use Pine on Linux. Simple, easy for me to use, and it doesn't do a thing unless I tell it to. People who let their computers run their lives get what they deserve.
