Stopping "PattyMail" Email Bugs

Posted by kdawson on Fri Oct 13, 2006 11:35 AM
from the quit-bugging-me dept.
An anonymous reader writes, "In the U.S. Congressional Inquiry into the HP spy scandal, it was revealed that HP used Web bugs to track the source of leaks. HP's Fred Adler considers them a useful investigative tool which HP will keep using. Since dubbed PattyMail after HP Chairwoman Patricia Dunn, Web bugs have been around for a while. But it turns out the vulnerability they represent is far worse than first thought. Microsoft Outlook won't have a patch until 2007. The company at the center of the scandal claims they've done nothing wrong. But could repressive governments use them to track down critics? Can anything be done to stop Web bugs?"
This discussion has been archived. No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

  • Get rid of pics in emails (Score:4, Insightful)

    by krell (896769) on Friday October 13 2006, @11:39AM (#16425095) Journal
    Ship all email programs by default configured to not show images in the mail. That would be a start. I've seen some web clients already that automatically filter out tiny "bug" sized graphics.
    • Re: (Score:2)

      "I've seen some web clients already that automatically filter out tiny "bug" sized graphics."

      So why not just use a bigger graphic? Actually Outlook seems to block all graphics by default....so I don't see the problem. Though maybe it doesn't for intern
      • Re: (Score:2)

        So why not just use a bigger graphic? Actually Outlook seems to block all graphics by default....so I don't see the problem. Though maybe it doesn't for internal mail.

        Or, if they are like any large business (or university, as is my case), it may be pre-con
      • use Pine (Score:3, Funny)

        easy way to eliminate all sorts of crap in emails.
    • Re:Get rid of pics in emails (Score:4, Informative)

      by DaveCar (189300) on Friday October 13 2006, @11:57AM (#16425497)

      The issue discussed in TFA does not involve image bugs but iframe bugs.

      Now, I don't know, but they would potentially still be triggered if you were using a "convert to plain text" filter???
      [ Parent ]
    • Re:Get rid of pics in emails (Score:4, Insightful)

      by Anonymous Coward on Friday October 13 2006, @12:13PM (#16425797)
      This is a perfect opportunity for the often decried personal firewalls: Add a rule to allow the mail client to connect to the mailserver on the POP3 and SMTP ports (or IMAP port) and deny all other connections. Even if you use a client which can't be configured not to load external files, the firewall will stop the webbugs.
      [ Parent ]
    • Re: (Score:3, Interesting)

      It doesn't have to be just graphics.

      When readnotify was mentioned during the hearings, I signed on for a trial account. In the signup page, when it asked where I heard about them, I answered that I heard about them in the Congressional Hearings on Pretext
      • Huh? (Score:5, Insightful)

        by mccrew (62494) on Friday October 13 2006, @12:26PM (#16425971) Homepage
        A good fix would be to have your email client fetch all external files via a caching proxy server.

        I don't think so. Please explain how your proposal would prevent the sender from detecting the user reading the mail in the following image tag, where the final part of the URL path is a uniquifier:

        <img src="http://example.com/cgi-bin/genImage/lk3894343 ">
        [ Parent ]
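The point made in the comment above, modelled as an added example (not code from the thread): a caching proxy keyed by URL hides the reader's IP address, but a per-recipient URL is always a cache miss, so the sender's log still shows which copy was opened. The class names, the proxy address and the extra tokens are constructed; only the `lk3894343` URL comes from the comment.

```python
class Origin:
    """The sender's web server; its request log is all the sender learns."""
    def __init__(self):
        self.log = []  # (client_ip, url) for each request that reached it

    def get(self, client_ip, url):
        self.log.append((client_ip, url))
        return b"GIF89a"  # response body is irrelevant to the tracking

class CachingProxy:
    """Shared cache keyed by full URL, fetching from the origin only on a miss."""
    def __init__(self, origin, ip):
        self.origin, self.ip, self.cache = origin, ip, {}

    def get(self, url):
        if url not in self.cache:
            self.cache[url] = self.origin.get(self.ip, url)
        return self.cache[url]

def what_sender_learns(url_for, readers, proxy_ip="192.0.2.10"):
    """Return (recipients the log identifies as readers, client IPs in the log)."""
    origin = Origin()
    proxy = CachingProxy(origin, proxy_ip)
    for reader in readers:
        proxy.get(url_for[reader])
    sent_to = {}
    for recipient, url in url_for.items():
        sent_to.setdefault(url, []).append(recipient)
    # A logged URL names a reader only if it was sent to exactly one recipient.
    named = sorted({sent_to[u][0] for _, u in origin.log if len(sent_to[u]) == 1})
    return named, {ip for ip, _ in origin.log}

BASE = "http://example.com/cgi-bin/genImage/"
# Constructed mailing: the first token is the one in the comment, the rest are made up.
UNIQUE = {"alice": BASE + "lk3894343", "bob": BASE + "qz7710021", "carol": BASE + "mv5502918"}
SHARED = {name: "http://example.com/logo.gif" for name in UNIQUE}

if __name__ == "__main__":
    print(what_sender_learns(SHARED, ["alice", "carol"]))
    print(what_sender_learns(UNIQUE, ["alice", "carol"]))
```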
        • Re: (Score:3, Interesting)

          Please explain how your proposal would prevent the sender from detecting the user reading the mail in the following image tag, where the final part of the URL path is a uniquifier

          It depends what the bug-sender is trying to do. If he wants to see that a
          • Re: (Score:3, Insightful)

            In HP's case, I believe they would be more interested in who leaked the email rather than who receives it, therefore each authorized recipient would get their own trackable bug.

            Even one hit from a cache with an IP address not belonging to HP would indicat
          • Re: (Score:3, Interesting)

            If all ISPs or at least a great majority scan all emails for images and download _all_ the images, then the fact that an image is downloaded doesn't give the sender any information anymore.

            Not quite true. If your ISP and Bob's ISP and Alice's ISP are all
            • Re: (Score:3, Funny)

              But according to a book I read, Alice and Bob are using quantum encryption. Besides, I thought the only person they had to worry about was Eve.

      • Re: (Score:3)

        3) If you can't do that, disable automatic macro execution in MSFT Word.

        Does Word still allow automatic macro execution? That's absolutely crazy. Have people forgotten about the nasty virus-via-word-macro years?

        4) Do not use HTML email. HTML makes thin

  • Yes. (Score:5, Insightful)

    by AJWM (19027) on Friday October 13 2006, @11:39AM (#16425097) Homepage
    "Can anything be done to stop Web bugs?"

    Um, how about not reading email in HTML? Even LookOut!, er, Outlook you can set to convert mail to plain text.
    • Re: (Score:2)

      I have my home e-mail server configured to reject all HTML messages. You'd be surprised how much spam that cuts out... Any n00bs who send me HTML mail get a bounce saying "Please don't use pictures or colored fonts in your messages to me. And get a REAL
    • Re: (Score:2)

      Many email clients offer the chance to view only the plaintext representation, but if you forward the email to other parties, the html block continues to propagate. That means web bugs will still track most of the journey, as long as a number of people d

    • Re: (Score:3, Informative)

      In this case it isn't HTML that is the problem; it is the automated referencing of external data (images) via HTML. My mail program kindly asks before downloading these images; a really nice sender would attach the images so I know they aren't tracking me.
  • Usual FUD (Score:5, Insightful)

    by The Bungi (221687) <thebungi@gmail.com> on Friday October 13 2006, @11:40AM (#16425111) Homepage
    Outlook is doing exactly what it needs to do, blocking download of images [zdnet.com]. If it lacks the specialization of countering these "bugs" that's too bad for corporate sleuths and leakers, but it does not expose the user to anything, this is not a vulnerability and the "patch" mentioned will simply give you an additional option regarding image handling. I wouldn't think the "let me forward this mail with the secret tracking device turned off" functionality was high on Microsoft's feature list when they released OLK2003.
  • by bunions (970377) on Friday October 13 2006, @11:40AM (#16425119)
    Sadly, no. Since HTML is a vital component of email, this sort of vulnerability is inherent in the 'email' system, much like compromised cookies and overridden passwords. Some time in the future, we may have an email system that is simply composed of raw text which would be invulnerable to such exploits, but for now we can only dream.
    • Moving forward. (Score:5, Funny)

      by krell (896769) on Friday October 13 2006, @11:43AM (#16425187) Journal
      "Some time in the future, we may have an email system that is simply composed of raw text which would be invulnerable to such exploits, but for now we can only dream."

      I've even heard that someone is working on a revolutionary OS that runs entirely in text mode, and uses command-line control, and is completely impervious to web bugs, Windows trojans, and other such infestations.
      [ Parent ]
      • Re:Moving forward. (Score:4, Funny)

        by Pinky (738) on Friday October 13 2006, @11:55AM (#16425463) Homepage
        Ah yes, Amish OS 1.0.

        Alternatively you can unplug the three pronged virus enabler device that runs from every computer to the electrical socket.
        [ Parent ]
    • Re: (Score:3, Informative)

      Someday, perhaps someone will write a mail client that disallows loading of remote images in emails unless specifically allowed. Perhaps they could call it "Thunderbird."
      • Re: (Score:2, Funny)

        by Anonymous Coward
        Sir, your sarcasm detector appears to be malfunctioning.
  • In other news, Webster's Dictionary has replaced the word 'Machiavellian' with the word 'Dunnish' although the meaning will remain "Suggestive of or characterized by expediency, deceit, and cunning."

    You know you've done something wrong when your name
  • Do not use a computer traceable to you, to pass sensitive information on to where you think it needs to go.

    Print the email, and store it in a safe place.
    Transcribe the information to another paper media, and pass that along as anonymously as possible - the
  • So, is it spyware? (Score:5, Interesting)

    by BigDogCH (760290) on Friday October 13 2006, @11:42AM (#16425165) Journal
    Wikipedia explains web bugs. http://en.wikipedia.org/wiki/Web_bugs [wikipedia.org]

    So, is this spyware, or not? I would say yes. The website is spyware, as it is tracking where its user comes from....but then isn't all of the internet spyware?

    The ZDnet article asks it best......"Phoning home? Deception? It must be spyware. Right? At least if you're a politician that's not well steeped in technology, it must be. Or is that the case? Maybe it is spyware after all. And maybe all HTML-based e-mail should visibly disclose that the page contains "tracking" elements with links back to more information on what those elements do and what the privacy policy of the sender is. Does PattyMail qualify as spyware and should the senders of HTML-based e-mail disclose their use of trackable graphical elements in the e-mail itself? Feel free to answer below."
    • "maybe all HTML-based e-mail should visibly disclose that the page contains "tracking" elements with links back to more information on what those elements do and what the privacy policy of the sender is."

      Why would the sender have to identify email as su
    • Solution is NOT regulation. (Score:4, Insightful)

      This sounds like an invitation for some dumbass law "requiring" people to disclose when an email has tracking elements ... except that it would be impossible to enforce, and the spammers/malware-writers would just ignore it anyway.

      The solution here isn't regulation. It's just for people to decide whether a feature (in this case, HTML mail) is really worth the risk.

      Alternately, we could 'neuter' HTML mail so that only the most basic formatting commands worked; use it purely as a style markup language, with no iframes, images, or externally linked text. That seems like it would solve the problem while preserving the reason 90% of idiot users want HTML: so they can use bold/italic/flashing-red-text or whatever.
      [ Parent ]
  • Plain Text Only (Score:3, Insightful)

    by rhavenn (97211) on Friday October 13 2006, @11:43AM (#16425191)
    Don't read your email in HTML format. Problem solved. a) There is nothing to be said in email that can't be said in plaintext and b) I really could care less to see your smiley face sig and pretty flower background.
    • Re:Plain Text Only (Score:4, Funny)

      by Red Flayer (890720) on Friday October 13 2006, @12:31PM (#16426047) Journal
      Don't read your email in HTML format. Problem solved. a) There is nothing to be said in email that can't be said in plaintext and b) I really could care less to see your smiley face sig and pretty flower background.
      Yeah, but wouldn't that be much more emphatic if it was written like this:

      Don't read your email in HTML format. Problem solved.
      • There is nothing to be said in email that can't be said in plaintext and
      • I really could care less to see your smiley face sig and pretty flower background.
      [ Parent ]
  • Paul Tomblin said it best. (Score:5, Funny)

    by Tackhead (54550) on Friday October 13 2006, @11:45AM (#16425213)
    > There may not be an easy way to disable it in today's email software, short of turning off HTML email entirely.

    "The PROPER way to handle HTML postings is to cancel the article, then hire a hitman to kill the poster, his wife and kids, and fuck his dog and smash his computer into little bits. Anything more is just extremism."

    - Paul Tomblin was talking about USENET when he said this, but he was right.

  • United States Postal Service

  • Mail programs now need the option to retrieve images through an anonymizer.
  • Mutt ! (Score:2, Informative)

    Mutt!
  • Finally! (Score:2, Funny)

    by Anonymous Coward
    A word gayer than "blog." Thank you, Pattymail!
  • Block in the firewall? (Score:4, Funny)

    by DamienMcKenna (181101) <[moc.annek-cm] [ta] [neimad]> on Friday October 13 2006, @11:54AM (#16425435)
    How about blocking the offending IP ranges at the firewall level? Anyone know what IPs to block?
  • Elm, Mutt, Pine. Need I say more?
  • Mail user agents should be allowed network access only for the protocols that are actually useful (POP, IMAP, MAPI, LDAP, depending on your needs, and the application's design).

    Allowing the content of an e-mail message to establish arbitrary network connec
  • by Curmudgeonlyoldbloke (850482) on Friday October 13 2006, @12:14PM (#16425815)
    Using a crappy old version of Zonealarm here, but any decent software firewall would do the same.

    Zonealarm's pretty basic - it* only has concepts of "local" and "Internet" zones; simply ensure that the Exchange server that it wants to connect to is in the "local" zone and that Outlook can't access the "Internet" zone.

    *the version I'm using, anyway.
  • Can anything be done to stop Web bugs?

    Funny you should ascii...

    • Re: (Score:3, Funny)

      ascii stupid question, get a silly ansi...
  • Sendmail/MailScanner/Pmail (Score:4, Informative)

    by Medievalist (16032) on Friday October 13 2006, @12:43PM (#16426287)
    www.sendmail.org
    www.mailscanner.info
    www.pmail.com

    Problem solved, oh, maybe five years ago. It amazes me that anyone just figured this was a problem NOW.

    I've received hundreds, if not thousands, of emails with a {disarmed} header modification inserted by MailScanner... it's quite interesting to learn who is routinely inserting tracking bugs in their mailings.

    I suppose you could also use transparent caching a'la squid to bumfuzzle some of the trackers and speed up browsing for your end users at the same time. But it seems like nowadays the bugs usually contain individualized tracking codes that would make it through the cache anyway.

    You just have to strip out external references and tell the end users "that guy who sent you this is using a broken mailer". That's the strategy the HTML addicts used to create this problem, after all - they told the clueless that HTML was normal and that anybody who couldn't read it was using broken or obsolete software. I use the same line (which happens to be true) if somebody complains that they can't read company XYZ's mailings because the image links have been stripped out; "oh, company XYZ is using a broken obsolete mailer that puts external links into the text; until they learn to use the Internet you'd better find a new company to deal with or stick to phone calls".
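One way to implement the "neutered" HTML mail and the strip-external-references approach described in the comments above, as an added example that is not from any poster and is not MailScanner's code: an allowlist filter that keeps basic formatting tags, drops iframes, images, scripts and every attribute, and reports the references it removed. The tag allowlist, the `neuter_html` name and the sample body are assumptions of this example.

```python
from html import escape
from html.parser import HTMLParser

# Formatting-only allowlist; the tag choice is an assumption of this example.
ALLOWED = {"p", "br", "b", "i", "u", "em", "strong", "ul", "ol", "li", "blockquote", "pre"}
DROP_WITH_CONTENT = {"script", "style", "iframe", "object"}  # tag and everything inside it
AUTO_FETCHED = ("src", "background", "data")  # attributes a renderer loads without a click

class Neuter(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.removed, self.skip = [], [], 0

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        keys = AUTO_FETCHED + (("href",) if tag == "link" else ())
        self.removed += [(tag, attrs[k]) for k in keys if attrs.get(k)]  # report what was disarmed
        if tag in DROP_WITH_CONTENT:
            self.skip += 1  # an unclosed element keeps skipping: fail closed
        elif tag in ALLOWED and not self.skip:
            self.out.append(f"<{tag}>")  # attributes (style=, on*=) are never copied

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif tag in ALLOWED and tag != "br" and not self.skip:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data))  # text is kept, re-escaped

def neuter_html(html_body):
    """Return (formatting-only HTML, list of (tag, url) references removed)."""
    parser = Neuter()
    parser.feed(html_body)
    parser.close()
    return "".join(parser.out), parser.removed

# Constructed sample message body; tracker.example is a placeholder host.
SAMPLE = (
    '<html><body background="http://tracker.example/bg/abc123">'
    '<p>Quarterly <b style="color:red">numbers</b> attached.</p>'
    '<img src="http://tracker.example/genImage/lk3894343" width="1" height="1">'
    '<iframe src="http://tracker.example/frame?id=lk3894343"></iframe>'
    '<script>new Image().src="http://tracker.example/js"</script></body></html>'
)

if __name__ == "__main__":
    print(*neuter_html(SAMPLE), sep="\n")
```

Links (`<a href>`) are reduced to their text here because `a` is not on the allowlist; a deployment that wants clickable links would need its own rule for them.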

    • Re: (Score:2)

      These are still used (albeit less frequently due to blocking) for email advertisements. In marketing-speak, they are known as "tracking pixels". They are commonly used to determine the number of "impressions" made in a CPM (Cost per mille (thousand)) cam
    • Re: (Score:3, Informative)

      Bah. RTFA. It's not about image bugs.