Forgot your password?
typodupeerror

Stopping "PattyMail" Email Bugs 248

Posted by kdawson
from the quit-bugging-me dept.
An anonymous reader writes, "In the U.S. Congressional Inquiry into the HP spy scandal, it was revealed that HP used Web bugs to track the source of leaks. HP's Fred Adler considers them a useful investigative tool which HP will keep using. Since dubbed PattyMail after HP Chairwoman Patricia Dunn, Web bugs have been around for a while. But it turns out the vulnerability they represent is far worse than first thought. Microsoft Outlook won't have a patch until 2007. The company at the center of the scandal claims they've done nothing wrong. But could repressive governments use them to track down critics? Can anything be done to stop Web bugs?"
This discussion has been archived. No new comments can be posted.

Stopping "PattyMail" Email Bugs

Comments Filter:
  • by krell (896769) on Friday October 13, 2006 @12:39PM (#16425095) Journal
    Ship all email programs by default configured to not show images in the mail. That would be a start. I've seen some web clients already that automatically filter out tiny "bug" sized graphics.
    • by BigDogCH (760290)
      "I've seen some web clients already that automatically filter out tiny "bug" sized graphics."

      So why not just use a bigger graphic? Actually Outlook seems to block all graphics by default....so I don't see the problem. Though maybe it doesn't for internal mail.
      • by michrech (468134)
        So why not just use a bigger graphic? Actually Outlook seems to block all graphics by default....so I don't see the problem. Though maybe it doesn't for internal mail.

        Or, if they are like any large business (or university, as is my case), it may be pre-configured in their system image to display graphics by default (at least on internal mail).
      • use Pine (Score:3, Funny)

        by baomike (143457)
        easy way to eliminate all sorts of crap in emails.
    • by DaveCar (189300) on Friday October 13, 2006 @12:57PM (#16425497)

      The issue discussed in TFA does not involve image bugs but iframe bugs.

      Now, I don't know, but they would potentially still be triggered if you were using a "convert to plain text" filter???
    • I've seen some web clients already that automatically filter out tiny "bug" sized graphics.

      A good fix would be to have your email client fetch all external files via a caching proxy server.
      • Huh? (Score:5, Insightful)

        by mccrew (62494) on Friday October 13, 2006 @01:26PM (#16425971)
        A good fix would be to have your email client fetch all external files via a caching proxy server.

        I don't think so. Please explain how your proposal would prevent the sender from detecting the user reading the mail in the following image tag, where the final part of the URL path is a uniquifier:

        <img src="http://example.com/cgi-bin/genImage/lk3894343 ">
        • Re: (Score:3, Interesting)

          by thrillseeker (518224)
          Please explain how your proposal would prevent the sender from detecting the user reading the mail in the following image tag, where the final part of the URL path is a uniquifier

          It depends what the bug-sender is trying to do. If he wants to see that a particular person has opened a particular email, and he controls what identifier gets sent to that person, then by tracking when the identifier is loaded he may know that the email has been read. If an ISP fetches and caches the urls of all emails sent t
          • I'm not so sure that this is a trivial matter. One of the great advantages of Gmail is that I can access it from anywhere (anywhere I can get net access with a browser, anyway). Your assumption that a suitably-clued Thunderbird or other MUA is available isn't valid. And in this day and age of people e-mailing video clips and multi-megabyte PDFs about, the storage implications would be considerable, even given Google's capacity.

            I think a better solution would be for each URL in every message to be rewritt
          • Re: (Score:3, Insightful)

            by TommydCat (791543)
            In HP's case, I believe they would be more interested in who leaked the email rather than who receives it, therefore each authorized recipient would get their own trackable bug.

            Even one hit from a cache with an IP address not belonging to HP would indicate a potential breach of confidence and finger who forwarded the mail or exposed it to an insecure network.
      • by micheas (231635)
        Well your solution gets around part of the issue.

        A proxy does not get around the fact that you are downloading <img src=http://www.foo.com/email7tothrillseaker.gif >

        But it does reduce the ability to track down where that email was forwarded to. Of course if a client side script gives the image a more informative name such as 10.0.0.34.sf.cnet.windowsxp.outlook11.johnsmith.em ail7tothrillseaker.gif and your email client fetches an image like that, it doesn't matter if you use a proxy or not to fetch it
        • '' A proxy does not get around the fact that you are downloading ''

          What would work: If all ISPs or at least a great majority scan all emails for images and download _all_ the images, then the fact that an image is downloaded doesn't give the sender any information anymore. The next step would be an html feature to have images directly in the html; many legitimate uses of images do actually involve tiny images and including them directly in a webpage or email would probably be more efficient anyway; the ISP
          • Re: (Score:3, Interesting)

            by B'Trey (111263)
            If all ISPs or at least a great majority scan all emails for images and download _all_ the images, then the fact that an image is downloaded doesn't give the sender any information anymore.

            Not quite true. If your ISP and Bob's ISP and Alice's ISP are all different and they all download the image, then I know that the email which I sent to you has been forwarded to two different mailboxes. I may not know for sure who those mailboxes belong too - you could have forwarded it to your own home account. But I
            • Re: (Score:3, Funny)

              by ConceptJunkie (24823) *
              But according to a book I read, Alice and Bob are using quantum encryption. Besides, I though the only person they had to worry about was Eve.

          • The next step would be an html feature to have images directly in the html

            Actually, the next step would be to move to a proper document format, like PDF. People don't really care how their messages are encoded, all they want is to be able to put salutations in 48-pt Monotype Corsiva in putrid pink on a bright green background. It's just a shame you can't embed a looping audio track of a small child farting and laughing, which I fear will hinder the mass acceptance of PDF as a "family-friendly" mail format

          • by micheas (231635)

            The next step would be an html feature to have images directly in the html; many legitimate uses of images do actually involve tiny images and including them directly in a webpage or email would probably be more efficient anyway;

            Images can already be imbedded in emails, and anyone that wants their html emails to have the images show up relibably already does this. It is horribly inefficient however, as mimencoding an image increases the size by a factor of about four IIRC.

            High end email blasts embed all th

    • by Anonymous Coward on Friday October 13, 2006 @01:13PM (#16425797)
      This is a perfect opportunity for the often decried personal firewalls: Add a rule to allow the mail client to connect to the mailserver on the POP3 and SMTP ports (or IMAP port) and deny all other connections. Even if you use a client which can't be configured not to load external files, the firewall will stop the webbugs.
      • Mod parent up! I've been doing this for years as it's the only way to ensure your email isn't being tracked.

        An email client only has any business talking to your ISP's email server on POP3 and SMTP and nothing else.
    • Re: (Score:3, Interesting)

      by eric76 (679787)
      It doesn't have to be just graphics.

      When readnotify was mentioned during the hearings, I signed on for a trial account. In the signup page, when it asked where I heard about them, I answered that I heard about them in the Congressional Hearings on Pretexting. One web bug they used in the test messages I tried was a wav file set to play at zero volume. I didn't look at the wav file itself, so I couldn't tell if there was anything malicious in the wav file.

      I did the testing from an OpenBSD machine using Sy
    • I have SpamVault set to automatically break web-based images in emails. Attached images show up fine; images pulled from external sites are broken.

      The only times this has ever mattered to me (i.e. I needed to see the pictures), the email has a link at the top that says "Can't read this email? Click here!". This opens a web page with the information in the email visible. (This was, as I recall, for WoW newsletters.)

      In all other cases, I'm better without the graphics, and web bugs won't work. It makes me
  • Yes. (Score:5, Insightful)

    by AJWM (19027) on Friday October 13, 2006 @12:39PM (#16425097) Homepage
    Can anything be done to stop Web bugs?"

    Um, how about not reading email in HTML? Even LookOut!, er, Outlook you can set to convert mail to plain text.
    • by eno2001 (527078)
      I have my home e-mail server configured to reject all HTML messages. You'd be surprised how much spam that cuts out... Any n00bs who send me HTML mail get a bounce saying "Please don't use pictures or colored fonts in your messages to me. And get a REAL mail client like Thunderbird and configure it for text-only". And I don't care if they can't reach me. If you don't know how to configure your mail client for text-only, you shouldn't be using a computer as you are a hazard to the internets.
      • by mordors9 (665662)
        A real email client.... Thunderbird.... surely you meant Mutt ;-)
      • by Dare nMc (468959)

        > configure it for text-only


        didn't work, since I easily tracked this text only email back to zdnet. [zdnet.com]


        :^)

      • by tylernt (581794)
        While rejecting HTML email is rather extreme and not really viable for a business, I think a better solution would be to text-ify the HTML at the mail server, such as with the PHP striptags() function. Another option would be to drop HTML type MIME attachments, as most (but not all) senders also include a plaintext version of the email that you could still read.

        That way you can still see the content, yet not annoy the sender. Should be pretty easy with Sendmail and a Procmail rule. It would break PGP S/MIME
      • by Homology (639438)
        > have my home e-mail server configured to reject all HTML messages. You'd be surprised how much spam that cuts out...

        If you use spamd [openbsd.org] in greylisting mode, you will be even more surprised :-)
    • by Speare (84249)

      Many email clients offer the chance to view only the plaintext representation, but if you forward the email to other parties, the html block continues to propagate. That means web bugs will still track most of the journey, as long as a number of people don't disable html or remote-image-fetching features.

      How many people (besides c|net reporters today) are paranoid enough to view-as-text, cut and paste only the text, and then forward a sanitized version of the message? At this point, it's easier to just

      • At this point, it's easier to just draft a new message and paraphrase, "Bob, did you see an email from Alice commenting about the Widget lately?"

        A new message leaves the reference too vague for most Bid'ness Bob's to understand the question. You'd have to include the message or eight pages of text to get them into context on the discussion. That kind of defeats "it's easier" part of your suggestion.
    • Re: (Score:3, Informative)

      by John.P.Jones (601028)
      In this case it isn't HTML that is the problem it is the automated referencing of external data (images) via HTML, my mail program kindly asks before downloading these images, a really nice sender would attach the images so I know they aren't tracking me.
    • by fermion (181285) *
      And for all you anti-mac people, make sure that everyone knows that mail.app has no such default ability, proving that Windows is the ultimate OS and mac is the POS. The best you can do is not display remote images, which will solve the web bug problem, but not the phishing problem. Also, since the images are shown as question marks, instead of unredered HTML gibberish, the user is more likely to click the icon. Attribute this to the vast apple marketing machine, and one clear instance of general disrega
      • by hondo77 (324058)

        I'll feed the troll. Fire up mail.app. Go to Preferences->Viewing. Un-check "Display remote images in HTML messages". When an HTML message comes in and you want to see the message but not those question marks, press Command-Option-P. Now you have a plain-text view. Want to go back to HTML? Command-].

        Enjoy.

  • Usual FUD (Score:5, Insightful)

    by The Bungi (221687) <thebungi@gmail.com> on Friday October 13, 2006 @12:40PM (#16425111) Homepage
    Outlook is doing exactly what it needs to do, blocking download of images [zdnet.com]. If it lacks the specialization of countering these "bugs" that's too bad for corporate sleuths and leakers, but it does not expose the user to anything, this is not a vulnerability and the "patch" mentioned will simply give you an additional option regarding image handling. I wouldn't think the "let me forward this mail with the secret tracking device turned off" functionality was high on Microsoft's feature list when they released OLK2003.
  • by bunions (970377) on Friday October 13, 2006 @12:40PM (#16425119)
    Sadly, no. Since HTML is a vital component of email, this sort of vulerability is inherent in the 'email' system, much like compromised cookies and overridden passwords. Some time in the future, we may have an email system that is simply composed of raw text which would be invulnerable to such exploits, but for now we can only dream.
    • by krell (896769) on Friday October 13, 2006 @12:43PM (#16425187) Journal
      "Some time in the future, we may have an email system that is simply composed of raw text which would be invulnerable to such exploits, but for now we can only dream."

      I've even heard that someone is working on a revolutionary OS that runs entirely in text mode, and uses command-line control, and is completely impervious to web bugs, Windows trojans, and other such infestations.
      • by Pinky (738) on Friday October 13, 2006 @12:55PM (#16425463) Homepage
        Ah yes, Amish OS 1.0.

        Alternatively you can unplug the three pronged virus enabler device that runs from every computer to the electrical socket.
        • "Ah yes, Amish OS 1.0."

          Ah. You might have also heard of the secret Apple Ultra-Cube project. An amazing revolutionary project that was revolutionary because not only did not come without a floppy drive, it came without USB and CD/DVD as well (in order for Apple to force us to leave behind clumsy legacy storage). Driver problems were a thing of the past: it interfaced equally well with ANY peripheral hardware available. The amazingly simple interface design completely got rid of cable-clutter. It was hard
    • Re: (Score:3, Informative)

      by jackbird (721605)
      Someday, perhaps someone will write a mail client that disallows loading of remote images in emails unless specifically allowed. Perhaps they could call it "Thunderbird."
    • Thought you might like to know...

      Apparently , a new computer virus has been engineered by a user of America Online that is unparalleled in its destructive capability. Other, more well-known viruses such as Stoned, Airwolf, and Michaelangelo pale in comparison to the prospects of this newest creation by a warped mentality.

      What makes this virus so terrifying is the fact that no program needs to be exchanged for a new computer to be infected. It can be spread through the existing e-mail sy

  • In other news, Webster's Dictionary has replaced the word 'Machiavellian' with the word 'Dunnish' although the meaning will remain "Suggestive of or characterized by expediency, deceit, and cunning."

    You know you've done something wrong when your name becomes a common term for something evil like PattyMail. I certainly hope she's still not blowing this off like she didn't do anything wrong. Then again, if everyone in corporate America does this, I hope that comes to light also.
  • Do not use a computer traceable to you, to pass sensitive information on to where you think it needs to go.

    Print the email, and store it in a safe place.
    Transcribe the information to another paper media, and pass that along as anonymously as possible - the mail with non-lick stamps and evelopes possibly.
  • So, is it spyware? (Score:5, Interesting)

    by BigDogCH (760290) on Friday October 13, 2006 @12:42PM (#16425165) Journal
    Wikipedia explains web bugs. http://en.wikipedia.org/wiki/Web_bugs [wikipedia.org]

    So, is this spyware, or not? I would say yes. The website is spyware, as it is tracking where it's user comes from....but then isn't all of the internet spyware?

    The ZDnet article asks it best......"Phoning home? Deception? It must be spyware. Right? At least if you're a politician that's not well steeped in technology, it must be. Or is that the case? Maybe it is spyware after all. And maybe all HTML-based e-mail should visibly disclose that the page contains "tracking" elements with links back to more information on what those elements do and what the privacy policy of the sender is. Does PattyMail qualify as spyware and should the senders of HTML-based e-mail disclose their use of trackable graphical elements in the e-mail itself? Feel free to answer below."
    • "maybe all HTML-based e-mail should visibly disclose that the page contains "tracking" elements with links back to more information on what those elements do and what the privacy policy of the sender is."

      Why would the sender have to identify email as such? The "bad" senders would ignore such requirements anyway. Realize instead that any email client can easily recognize such emails by looking at the links inside the body of the mail. This would be extremely reliable and foolproof (i.e. anything that uses
    • by Kadin2048 (468275) <slashdot DOT kadin AT xoxy DOT net> on Friday October 13, 2006 @01:18PM (#16425855) Homepage Journal
      This sounds like an invitation for some dumbass law "requiring" people to disclose when an email has tracking elements ... except that it would be impossible to enforce, and the spammers/malware-writers would just ignore it anyway.

      The solution here isn't regulation. It's just for people to decide whether a feature (in this case, HTML mail) is really worth the risk.

      Alterately, we could 'neuter' HTML mail so that only the most basic formatting commands worked; use it purely as a style markup language, with no iframes, images, or externally linked text. That seems like it would solve the problem while preserving the reason 90% of idiot users want HTML: so they can use bold/italic/flashing-red-text or whatever.
    • by Skreems (598317)
      As several others have said, this boils down to user ignorance. Yes, email may contain html markup. Yes, if you download images linked by that markup, the server that houses those images will know you read the email. This is why GMail, Outlook, etc all default to NOT downloading linked images unless you explicitly tell them to.

      Legislating against this is ridiculous. The definition of "tracking elements" is prohibitively vague. It works just as well whether you put a 1x1 invisible gif at the bottom, or a 3
    • by Sloppy (14984)
      So, is this spyware, or not? I would say yes. The website is spyware, as it is tracking where it's user comes from....but then isn't all of the internet spyware?
      No, the mail reader is spyware. It is absurd for mail readers to act like web browsers.
  • Plain Text Only (Score:3, Insightful)

    by rhavenn (97211) on Friday October 13, 2006 @12:43PM (#16425191)
    Don't read your email in HTML format. Problem solved. a) There is nothing to be said in email that can't be said in plaintext and b) I really could care less to see your smiley face sig and pretty flower background.
    • by Red Flayer (890720) on Friday October 13, 2006 @01:31PM (#16426047) Journal
      Don't read your email in HTML format. Problem solved. a) There is nothing to be said in email that can't be said in plaintext and b) I really could care less to see your smiley face sig and pretty flower background.
      Yeah, but wouldn't that be much more emphatic if it was written like this:

      Don't read your email in HTML format. Problem solved.
      • There is nothing to be said in email that can't be said in plaintext and
      • I really could care less to see your smiley face sig and pretty flower background.
  • by Tackhead (54550) on Friday October 13, 2006 @12:45PM (#16425213)
    > There may not be an easy way to disable it in today's email software, short of turning off HTML email entirely.

    "The PROPER way to handle HTML postings is to cancel the article, then hire a hitman to kill the poster, his wife and kids, and fuck his dog and smash his computer into little bits. Anything more is just extremism."

    - Paul Tomblin was talking about USENET when he said this, but he was right.

  • United States Postal Service

  • Mail programs now need the option to retrieve images through an anonymizer.
    • Mail programs now need the option to retrieve images through an anonymizer.

      The problem is that the image name will allow the user to be traced, so requesting it anonymously still indicates who inititially got the email. The image name can be generated uniqe to each email sent.
      • by Animats (122034)

        The sender knows who initially got the e-mail; that's the addressee. The main article was about tracking to whom the mail was forwarded. Forwarded copies will have the same image links as the original. So if the original recipient and the recipient of a forwarded copy both have anonymous image browsing, the original sender will know only that the message is being read again, but won't know from where.

    • by Sloppy (14984)
      Why should a mail program need any way to "retrieve" an image at all? Either the image is attached, or it isn't needed.
  • Mutt ! (Score:2, Informative)

    by mpapet (761907)
    Mutt!
  • Finally! (Score:2, Funny)

    by Anonymous Coward
    A word gayer than "blog." Thank you, Pattymail!
  • by DamienMcKenna (181101) <damien@@@mc-kenna...com> on Friday October 13, 2006 @12:54PM (#16425435)
    How about blocking the offending IP ranges at the firewall level? Anyone know what IPs to block?
    • The problem is that it's not just a certain range of people who are doing this.

      Tons of companies, including shady ones (spammers, phishers, Microsoft), use email tracking "bugs" to determine whether an email has been read, if an address is 'live,' or determine a user's IP address or location.

      Blocking their IPs would be as nontrivial a process as blocking all spam-producing IPs. And we know that's not exactly easy (how's that going, SpamHaus?).

      The "solution" in my mind, is just to block all the HTML elements
  • Elm, Mutt, Pine. Need I say more?
  • Mail user agents should be allowed network access only for the protocols that are actually useful (POP, IMAP, MAPI, LDAP, depending on your needs, and the application's design).

    Allowing the content of an e-mail message to establish arbitrary network connections at all (or at the very least, without daully authorized consent from the user) is an immediate and obvious security risk. I understand that it is easiest to simply embed a full-fledged web browser component in the mail client, but it does not need ne
  • Can anything be done to stop Web bugs?

    $body =~ s///g; # get rid of IMG tags
    $body =~ s/url\(.*\)//g; # get rid of CSS links too

    Problem solved.

    Nathan

  • The more I think about this the more I can appreciate the general simplistic truth of it.

    As the demographic of Slashdot is generally technically inclined, we see workarounds as obvious "no brainers." We offer up solutions such as "use text-only! [idiot!]" Other things like keeping up with patches and the like are also pretty similar in nature.

    The fact is, the general public is non-technical and wouldn't know where to begin to look for "web bugs" or any other such vulnerability.

    And as for HP claiming they
  • Now, if we can get Spamhaus (or someone similar) to put HP and readnotify on its block lists...
  • by Curmudgeonlyoldbloke (850482) on Friday October 13, 2006 @01:14PM (#16425815)
    Using a crappy old version of Zonealarm here, but any decent software firewall would do the same.

    Zonealalarm's pretty basic - it* only has concepts of "local" and "Internet" zones; simply ensure that the Exchange server that it wants to connect to is in the "local" zone and that Outlook can't access the "Internet" zone.

    *the version I'm using, anyway.
  • Can anything be done to stop Web bugs?

    Funny you should ascii...

  • Two Solutions (Score:2, Informative)

    by ewhac (5844)
    Solution #1:
    • Delete Outlook.
    • Install Thunderbird [mozilla.com].
    • Open the Preferences panel.
    • Click on the Privacy tab.
    • Select the option, "Block loading of external images."
    • Select the option, "Block JavaScript."
    • Click OK.
    • You're done.

    Solution #2:

    • Delete Outlook.
    • Install mutt [mutt.org].
    • You're done.

    Schwab

  • Mailscanner [mailscanner.tv] is an excellent spam/virus/web bug scanning tool. It can be set to disarm iframe tags, block phishing emails and many other cool things.
  • by Medievalist (16032) on Friday October 13, 2006 @01:43PM (#16426287)
    www.sendmail.org
    www.mailscanner.info
    www.pmail.com

    Problem solved, oh, maybe five years ago. It amazes me that anyone just figured this was a problem NOW.

    I've received hundreds, if not thousands, of emails with a {disarmed} header modification inserted by MailScanner... it's quite interesting to learn who is routinely inserting tracking bugs in their mailings.

    I suppose you could also use transparent caching a'la squid to bumfuzzle some of the trackers and speed up browsing for your end users at the same time. But it seems like nowadays the bugs usually contain individualized tracking codes that would make it through the cache anyway.

    You just have to strip out external references and tell the end users "that guy who sent you this is using a broken mailer". That's the strategy the HTML addicts used to create this problem, after all - they told the clueless that HTML was normal and that anybody who couldn't read it was using broken or obsolete software. I use the same line (which happens to be true) if somebody complains that they can't read company XYZ's mailings because the image links have been stripped out; "oh, company XYZ is using a broken obsolete mailer that puts external links into the text; until they learn to use the Internet you'd better find a new company to deal with or stick to phone calls".

  • How about we quit sending each other email in HTML? Then we don't have to worry about all this crap.
  • I know it's true Slashdot tradition to not read the article, but the bugging HP did has nothing whatsoever to do with embedded images and HTML e-mail.

    What it does have to do with is bugged attachments. Yeah, just like those old worms that portrayed executables as image files or what not. Turn off HTML all you want, but if you want to see what's in the file that is supposed to be extremely important, even vital, you still have to open the file. Thunderbird, and even Mutt won't help you with this.

    I read so
  • Use something simple (Score:2, Informative)

    by bb5ch39t (786551)
    I use Pine on Linux. Simple, easy for me to use, and it doesn't do a thing unless I tell it to. People who let their computers run their lives get what they deserve.
  • As recently as 2002, Microsoft Outlook could be tricked into running Javascript from HTML email. Running Javascript allows the Karl Voth Reaper exploit [internetnews.com] to run, which goes beyond tracking forwarding to phone home with all the comments added to the message as it gets passed around.
  • SO... does this mean Bill Gates really can track my email habits and send me $243.00 for everyone I forward email to, while simultaneously preventing my account from being deleted?
  • Online email providers like Gmail and Yahoo are in a good position to protect their customers against this.

    Imagine if you will, that Gmail's mail servers would instantly, upon receiving an HTML message, retrieve all cacheable resources linked by the message and save copies of those resources on Gmail's servers. The sender gets little to no useful information out of it (all they know for certain is that Gmail's servers received the message shortly after it was sent). Gmail's servers would replace URLs embedd

"Just Say No." - Nancy Reagan "No." - Ronald Reagan

Working...