[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
RE: [Full-Disclosure] leaking
- To: "Full-Disclosure" <full-disclosure@xxxxxxxxxxxxxxxx>
- Subject: RE: [Full-Disclosure] leaking
- From: "Alerta Redsegura" <alerta@xxxxxxxxxxxxx>
- Date: Wed, 12 May 2004 12:46:52 -0500
In the specific case we are talking about here:
1. Somebody sends a message to the list from a web-based e-mail service.
2. All messages sent from this web-based e-mail service have a banner.
3. The banner is an "img" tag with an "a href" to click on it.
4. The banner is not shown via "script" tags.
5. Neither the sender nor the web-based e-mail service have the list e-mail
addresses: the message is sent to the list address!
Now, I repeat the question:
How can the web-based email service in this particular case, gather email
addresses from the members of this list via this banner?
------
Aaron Peterson wrote:
>You don't _collect_ email addresses (they obviously already have it if they
>are sending you email with it, ;) But you can verify email addresses with
>it.
>
>The easiest would be to put a hash or some other identifier of the users
>email address in the url for the image, then have mod_rewrite rewrite the
>url (or not, who cares... you just wanted to verify the email address was
>good) to an actual image on your system, and log the embeded info and
>compare to your known addresses.
------
Jimmy Kuijpers wrote:
>The beatch is probably collecting our addresses for spam.
------
Iñigo Koch
Red Segura
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html