Strange email messages

Charles Steinkuehler charles at steinkuehler.net
Mon Jun 9 20:49:45 CDT 2003


David Holland wrote:
> Hello all.  This isn’t a linux related question but I’ll ask it anyway. 
> 
> The company I work for has been getting some strange email messages and 
> we think it’s from an ex-employee but have no way to prove it.  From what 
> I understand of HTML you can embed a link in a message that will grab 
> pictures or text from a web page and make it appear as part of the email 
> message.   If this is true, then I could embed a link to a hidden 
> location on my web page and log any attempts to access it.  This would 
> tell me, at the very least, the recipient’s IP address and maybe 
> geographic location.   
> 
> Has anyone tried this before?  Does anyone know where I might find more 
> info on how to create such an HTML tag?  Any advice is welcome.

These are standard spamming techniques.  Start reading about combatting 
spam and you'll get a wealth of information about various techniques for 
this sort of thing.

Typically, the HTML image tag is actually a URL for a CGI program. 
Embedded in the URL is a number, unique to each message or recipient, that 
lets the CGI program log which target e-mail addresses actually opened 
the e-mail, along with exactly when.  Some sample image tags pulled from 
some recent spam are below, and provide good reasons to *NEVER* open 
external links from *ANY* email!

You can script this sort of thing pretty easily, but if you want an "out 
of the box" solution, you can probably find some "bulk e-mail management 
software" pretty readily if you google for it.

-- 
Charles Steinkuehler
charles at steinkuehler.net

Sample image tag tracking (URLs are long and will wrap):

- This example uses a variable passed to a CGI script...on the 
web-server /link/banner would be a CGI program that logged the lid 
(LuserID? :) and returned an image:

<img 
src=3D"http://clickserve.cc-dt.com/link/banner?lid=3D41000000000995334" 
border=3D0 alt=3D""></a>

- This example appears to use an alternate technique of embedding 
information in the username field (between the "http://" and the "@" of 
the URL), which might make extracting the info from the log files 
easier, depending on how you setup your webserver:

<img src=3D"http://r rbrxn  c a  vne a rxpzumoqa sgfce 
edemcf@202.54.193.100/un1.gif" border=3D"0" width=3D"98" 
height=3D"19"></a></p>
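
Added example (not part of the original post): a mail-filter-side check that decodes a quoted-printable HTML body and flags remote image tags carrying a per-recipient token in either of the two places the samples above show, the query string or the username field. The sample body, the host names and the 8-character token threshold are constructed assumptions.

```python
import quopri
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qsl

# Constructed sample body in quoted-printable form, as seen in raw message
# source. Hosts are reserved example names, not taken from the post.
SAMPLE_QP = (
    b'<p>Hello</p>\n'
    b'<img src=3D"http://tracker.example/link/banner?lid=3D41000000000995334" =\n'
    b'border=3D0 alt=3D"">\n'
    b'<img src=3D"http://abc123token@192.0.2.10/un1.gif" width=3D"98">\n'
    b'<img src=3D"cid:logo@local">\n'
)

class RemoteImageFinder(HTMLParser):
    """Collect src URLs of <img> tags that would trigger a network fetch."""
    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            src = dict(attrs).get("src") or ""
            # cid: and data: images are local to the message and are skipped.
            if src.lower().startswith(("http://", "https://")):
                self.urls.append(src)

def classify(url):
    """Return the reasons a remote image URL can identify the recipient."""
    parts = urlsplit(url)
    reasons = []
    if parts.username:  # token between "http://" and "@"
        reasons.append("userinfo token: " + parts.username)
    for key, value in parse_qsl(parts.query):
        if len(value) >= 8:  # assumed threshold for "looks like an ID"
            reasons.append(f"query token: {key}={value}")
    return reasons

def find_tracking_images(raw_qp_body):
    """Decode =3D style escapes and soft line breaks, then scan the HTML."""
    html = quopri.decodestring(raw_qp_body).decode("utf-8", "replace")
    finder = RemoteImageFinder()
    finder.feed(html)
    finder.close()
    return [(url, classify(url)) for url in finder.urls]

if __name__ == "__main__":
    for url, reasons in find_tracking_images(SAMPLE_QP):
        print(url, reasons or ["no token, but the fetch still logs IP and time"])
```

A remote image with no token still reveals the reader's IP address and open time to the server, so blocking remote image loading in the mail client remains the effective control; the classifier only helps prioritise what to report or strip.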



