USS Clueless - New Worm
     
     
 

Stardate 20020426.0601

(Captain's log): Well, there's definitely a doozie of a new worm running around the web. This one is clearly derivative of one that was around last year, and it's doing the trick of picking a file at random to send along with a copy of itself. Presumably it's yet another in a long series of programs which try to take advantage of security holes in Outlook.

I've received at least six letters so far consisting of a random file from the source system, plus an 85K program attachment. I was very confused by the first one and took a look at the file. (Doing so didn't run the program because I'm not using an HTML-enabled mail program.) It turns out it was a spreadsheet which seemed to contain part of someone's cell-phone billing record. Since then I've been deleting them unopened.

At least one of these tried to pretend that it was a Microsoft patch file, ironically to close a security hole.

Have I mentioned lately that HTML-encoded mail is evil? There are an awesome number of nasty things that can be done to you with it.

One of the coolest is to use a web bug. It works like this: the HTML-encoded mail is generated independently for each person it's sent to, and within it will be a place where some graphic file is loaded. Sometimes it's a null image, sometimes not. But the HTTP request for that file will include a "?" parameter with some sort of access key attached, which is unique to you specifically. When that request comes in to their server, they look that key up in their database, which records what email address it was sent to.

And voila! Now they know the IP that is associated with your email address, and from now on they can track your browsing habits, and target you with spam according to the kind of web sites you visit. (And they can set a cookie, too, but even without that they can track you just by your IP.)

Outlook (and Outlook Express) permit you to decide whether you want to transmit HTML-encoded mail, but I believe that you have no choice about receiving it: if it's HTML-encoded, it will be displayed that way. Which means there's nothing you can do to defend yourself against this kind of web bug; by the time you realize it's happened, you've already been caught.

Which is why I will never use either of them for email. I have always used mail programs which are not HTML-enabled. What I just described is only one of many ways that people can abuse HTML-encoded mail.

