53 Comments
- jknight, on 10/12/2007, -0/+26
Um...... you are a moron. I work for an ISP and get callers like you all the time. I'm sorry, but it isn't that simple. ISP's do their best. We partner with a company called Postini. I have also heard good things about Mxlogic too.
In regard to POP3 being a problem, this is an issue with SMTP not POP3. SMTP is how servers talk to each other. There is no authentication there (yet, Yeah, I know there are proposals) and other problems exist.
- quasipalm, on 10/12/2007, -0/+19
"They should monitor their traffic for this garbage and ultimately be held responsible."
Great idea... We should also make ISPs accountable to the RIAA and MPAA for illegal downloads. That way they'd be forced to monitor all traffic and restrict network neutrality.
Anyone who willingly demands their network traffic to be monitored / filtered / controlled is a fool.
- jinexile, on 10/12/2007, -1/+10
I'm sorry but your logic and knowledge of how networks work is seriously impaired. ISPs practice what is known as "Network Neutrality" they don't (or are not supposed to) police what is being transferred by anyone, they are just there to _Provide_ a _Service_, which is a connection to the _Internet_ and hence they are called Internet Service Providers, not The Internet Police.
- madjo, on 10/12/2007, -0/+7
In Europe your wish is granted... European ISPs, according to an idiotic European law, need to track the traffic and store it for about 10 years.
It pays to invest in storage companies right now...
No, this is NOT a good idea... you yourself are accountable for the mails you send, and if people would finally stop actually buying off of spam-messages, it might eventually decline! Yeah, there are idiots that do that.
- boohiss, on 10/12/2007, -0/+6
And the ISP should have to determine what's garbage and what's not? Even a really good Bayesian filter will have a false positive--should they be held responsible for those too?
- ThatsUnpossible, on 10/12/2007, -0/+6
This is wrong, there is no privacy issue here.
The image in question was included with the message this guy received. That is why the image URL is pointing to a local file on the webmail server (in this case, /mail/?viewu003datt&dispu003demb&attidu003d0.1&thu003d10a31a3e38ec6da1). That means the image will load from the webmail provider, and not reveal anything to the spammer.
Now, it may be possible that the webmail providers do also have an issue with not catching img tags that use these unicode characters, but my guess is the webmail providers simply scan for tags and eradicate them if they are not referencing files included with the email.
- rhoyle, on 10/12/2007, -2/+6
The QWERTY keyboard was designed to slow down typists. This was in the era of the typewriter, and those who were proficient with other formats were jamming machines frequently. So they designed a keyboard that would effectively slow down the typists and keep the typewriters from jamming.
Regardless, I don't see the link between POP3 and QWERTY keyboards, the analogy just isn't valid - especially in this context.
The article refers to using WEBMAIL, not POP3, and anyway, there's nothing wrong with POP3 in the first place. You'll notice the 3 in the name POP3, that's because it's the third implementation of the Post Office Protocol. It was specified in an RFC dated 1996. I think by then they had an idea of how widely used the Internet, and e-mail would be.
- rhoyle, on 10/12/2007, -0/+4
So when, say, Amazon.com sends out its weekly e-mail to people who've asked for it, is that not a legitimate company sending millions of e-mails in a few minutes? You can't filter simply based on volume.
- btipling, on 10/12/2007, -0/+4
I use webmail because I don't want to lose my emails when my hard drive dies suddenly. Backed up and imported emails *never* have all the information associated with the regular emails (in my experience) such as date sent, and more.
- dclowd9901, on 10/12/2007, -0/+3
What'd you expect? Unenforceable laws are about as silly as a duck in ice skates. Spam laws, as well as the brunt of internet laws are completely unenforceable. I think the Internet and its constituents will be regarded in the future as one of the biggest catalysts in social, economic and political change.
- kc7gr, on 10/12/2007, -0/+3
From TFA...
"...As of this moment, I know of no way to prevent this from happening, other than ‘don’t open emails from people you don’t know...’"
Good advice, but I've got some other ideas as well.
(1) Get rid of HTML in E-mail. It never belonged there to begin with. If you can't write well enough to get your message across in plain ASCII text, then no amount of flashing fonts, fancy colors, or (not so) pretty pictures will help.
(2) Along the same lines as #1: Use a mail client like Courier (it replaced Calypso), that allows you to turn off HTML decoding completely. Granted, it may not work with webmail accounts (just POP3 and IMAP, as far as I know).
(3) Don't use web-based E-mail. I know that's going to sound like heresy to many, but no one I've spoken to has ever been able to give me what I thought was a sufficiently-compelling reason why webmail is even necessary.
(4) Convince ISPs worldwide to BLOCK direct outbound connections from client systems on port 25, and force all user E-mail traffic through the ISP's own mail gateways. Make exceptions to this ONLY for those who can clearly demonstrate to the ISP involved that they're competent to administer a secure mail system of their own, and to keep it secure.
ISP's like Comcast (better known to some as Comcrap or Crapcast) have, IMO, been far too lenient with irresponsible users who, through carelessness or sheer incompetence, allow their computer to be corrupted into a spammer abuse toy. If they would, just once, adopt a policy of promptly shutting down ANYone who gets virus-infested enough to be part of a 'bot-net, until the owner of said system cleans it up and KEEPS IT CLEAN, the problem of 'bot-nets (and their associated spammer pipelines) would vanish within a month.
I know why they don't do it. They're too afraid of pissing off their subscribers, despite the problems that those very subscribers cause for Comcast, and other ISPs and 'net-connected hosts worldwide.
Personally, I think it's time and past to piss off some subscribers. Maybe then they'll "get it" that THEY are responsible for harm their computer might cause, and act accordingly.
- jbestrom, on 10/12/2007, -2/+4
Not a flame or anything like that just interested in your thoughts. What do you think is wrong with the QWERTY keyboard layout?
- Khlept0, on 10/12/2007, -1/+3
I wouldn't put all the heat on the ISP, but they should be more proactive regarding spammers.
- btipling, on 10/12/2007, -0/+2
That sounds like a security issue too then. I'm relieved about the privacy issue though.
- sedition, on 10/12/2007, -0/+2
That would be unless you're paying the ISP to let you send spam in the first place. These guys have big bandwidth bills and that's good news to ISP that charge for bandwidth.
- m85476585, on 10/12/2007, -0/+2
They are probably trying to leave the alt text.
- szym, on 10/12/2007, -1/+3
phatsharpie:
>> "The QWERTY keyboard was designed to slow down typists..."
>> Most likely not true - http://www.utdallas.edu/~liebowit/knowledge_goods/gomesqwerty.htm
The article you refer to does not contest the claim above. It only contests Dvorak's claim about superiority of his design over QWERTY.
- m85476585, on 10/12/2007, -0/+2
I got the same email and the image appeared in Thunderbird too. Now I look at any spam from view message source.
- kandresen, on 10/12/2007, -1/+3
An ISP cannot be responsible for Spam, and cannot do general filtering such as Bayesian for all their users. A doctor has needs for mails containing drugs others would consider spam, same with marketers, or system administrators, for not mentioning people who use more than one language... Mention one phrase that Bayesian can consider spam for everyone... You won't find it... What they can avoid is mail forgery through SPF records and so on, but doing permanent filtering for me I would not allow... That said, automatic filtering where I have access to everything filtered is great! I am still responsible for everything, and I can modify my own rules on ISP level! That way you can select to add anti-drug, anti-marketing, anti-incorrect-language rules etc without losing the information that you needed with your special needs.
- ThatsUnpossible, on 10/12/2007, -3/+5
ISPs could stop most spam and viruses if they all blocked their regular (non-business) customers from sending mail on outbound port 25.
- Angostura, on 10/12/2007, -0/+2
Exactly, the whole item is simply wrong. These are local images he is seeing, not remote ones. Reported as lame.
- nixdoctor, on 10/12/2007, -0/+1
I agree... Gmail toasts spam like no one else. In fact, there was a story being dugg last month where the best way to avoid spam was being told like this: "Create a gmail account, forward all your incoming mail from all your other email accounts to Gmail, and then use Gmail as your primary mail". Just search for it on digg, and you'll know what I'm saying.
- jgladu, on 10/12/2007, -1/+2
POP3 has nothing to do with mail delivery btw - purely email retrieval. SMTP is the protocol where security is an issue.
- jgladu, on 10/12/2007, -0/+1
For the record Postini and MXlogic are weak players in the anti-spam market. Fighting anti-spam is best done with a product like BorderWare's MXtreme. We use it in house and have found tremendous success. Few false positives and a reduction of over 85% in the crap that we used to see.
- senfo, on 10/12/2007, -1/+2
How does POP3 have anything to do with this? If you're using the webmail client, chances are, you're not even using POP3, period. A lot of people argue (with good reason) that the current design of SMTP is to blame for most spam. But in the case of this story, even it is totally unrelated.
Could you please explain how POP3 has anything to do with this story?
- jbreaux, on 10/12/2007, -1/+2
When I get spam I can easily tell. They should know by the sheer volume of traffic coming out of port 25. Then investigate. No legitimate company sends out mass e-mails millions an hour.
- DanElHombre, on 10/12/2007, -0/+1
image on and off only works for remote images.
embedded images, as you're pointing out, do not reside on the spammers website and do not "report" back a working email address.
- locutis, on 10/12/2007, -2/+3
POP delivers the content unaltered. The problem exists in the reader.
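The embedded-versus-remote distinction drawn in the comments above, as an added example that is not part of the thread or any webmail provider's code: a parser-based filter that keeps an `<img>` only when its `src` is a `cid:` reference to a part attached to the same message, and replaces every other image with its alt text. The names `ImageFilter` and `filter_images`, the `/mail/att/` path and the sample hosts are assumptions made for the illustration.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import quote


class ImageFilter(HTMLParser):
    """Re-emit an HTML mail body, keeping only images attached to the message."""

    def __init__(self, attached_cids, local_prefix):
        super().__init__(convert_charrefs=True)
        self.attached = set(attached_cids)
        self.local_prefix = local_prefix  # hypothetical webmail attachment path
        self.out = []
        self.blocked = []  # sources that were never turned into a loadable URL

    def _image(self, attrs):
        # The parser has already decoded character references in attribute
        # values, so src="&#104;ttp://..." arrives here as "http://...".
        a = dict(attrs)
        src = (a.get("src") or "").strip()
        alt = a.get("alt") or ""
        scheme, _, ident = src.partition(":")
        if scheme.lower() == "cid" and ident in self.attached:
            url = self.local_prefix + quote(ident, safe="")
            self.out.append(f'<img src="{escape(url)}" alt="{escape(alt)}">')
        else:
            # Remote, relative, data: or dangling cid: keep only the alt text.
            self.blocked.append(src)
            self.out.append(f"[image blocked: {escape(alt)}]" if alt else "[image blocked]")

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self._image(attrs)
        else:
            self.out.append(self.get_starttag_text())

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)  # no stray end tag for <br/> or <img/>

    def handle_endtag(self, tag):
        if tag != "img":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))  # text was decoded; re-encode


def filter_images(html_body, attached_cids, local_prefix="/mail/att/"):
    """Return (filtered_html, blocked_sources) for one message body."""
    f = ImageFilter(attached_cids, local_prefix)
    f.feed(html_body)
    f.close()
    return "".join(f.out), f.blocked


# Constructed sample body: one attached image, one remote image whose scheme is
# written with a character reference, and one cid: that matches no attachment.
SAMPLE = (
    '<p>Hello &amp; welcome<br/>'
    '<img src="cid:chart1@msg" alt="chart">'
    '<IMG SRC="&#104;ttp://tracker.example/p.gif?u=42" alt="">'
    '<img src="cid:missing@msg" alt="logo"/></p>'
)

if __name__ == "__main__":
    html_out, blocked = filter_images(SAMPLE, {"chart1@msg"})
    print(html_out)
    print(blocked)
```

Only `<img>` is handled here; other tags pass through unchanged, so this is not a complete HTML sanitizer.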
- jinexile, on 10/12/2007, -2/+3
Just because you can tell it doesn't mean computers can. There is a lot of Fuzzy logic involved in deciphering what is spam and what isn't. It's a lot harder than you think it is.
- m85476585, on 10/12/2007, -0/+1
Depending on the company you can enable images by clicking a button, or allow them for collected addresses, or for non-spam messages
- gator99, on 10/12/2007, -0/+1
The present day email system is antiquated, spam won't stop until it's fixed. Greed is stronger than filters.
- siouxmoux, on 10/12/2007, -1/+2
Google better be beefing up their spam filter technology, I live on Gmail and I am already noticing an increase of spam getting through to the main inbox.
- miaow, on 10/12/2007, -0/+1
webmail seems to be trying to deal with spam, but there is a lot of room for improvement.
until recently, yahoo opened the images in my webmail spam. I also seem to have no way of investigating webmail other than opening it.
yahoo seem to be giving users a 2nd address now, which will be useful as a proxy email address. It's once a spammer has officially got your addy that the problems begin. either from a forum or from a website owner or from an email grabber on an unsecure sign-in page imho.
One crazy thing about yahoo imho is that you give out your email address by default on their forums, which seems extremely dumb to me. Presumably this is part of their reasoning for a 2nd address.
I am also miffed as to why webmail isn't all behind secure servers ? It would be the first thing I would do as a manager.
- jdwyckoff, on 10/12/2007, -0/+1
I also use gmail and connect to it through outlook and I noticed my first spam messages getting through this weekend. Completely caught me off guard and I almost opened it. If they block html images then when companies like itunes or Yourdailycomic send stuff you won't be able to see it will you? that would suck for me cause I love Get Fuzzy and the newspaper where I live doesn't carry it.
- GrahamStw, on 10/12/2007, -0/+1
LOL! Yeah jczer68, Google programmers are such noobs. If only they had your l33t skillz... :p
- nixdoctor, on 10/12/2007, -0/+1
BTW site is down now... replaced by a parked page from godaddy.
- Izzie, on 10/12/2007, -0/+1
maybe this one can help:
http://www.straightdope.com/classics/a1_248.html
- NiLeS, on 10/12/2007, -0/+1
I don't buy it. Can't the webmail server just erase all IMG tags, regardless of what the SRC value is???
- jgladu, on 10/12/2007, -1/+1
Hey Chompy - there was actually a guy in Atlanta that got 9 years last year. Check out CNN.com for the archives story. The guy was pulling in $750K /month - tell me spam doesn't pay!
As long as there is money to be made, there will be spam. In the meantime, enjoy your free Viagra, Cialis, Rollex watches and mail order asian women.
- inactive, on 10/12/2007, -1/+1
Um, what ***** part of don't show images do these webmail providers not understand? If they used regexp to remove img tags it should remove images just fine. What? Are they trying to do something cute like parse the img tags and erase the url in the src attribute or something? n0000bs.
- phatsharpie, on 10/12/2007, -1/+1
"The QWERTY keyboard was designed to slow down typists..."
Most likely not true - http://www.utdallas.edu/~liebowit/knowledge_goods/gomesqwerty.htm
- NetJoe, on 10/12/2007, -1/+1
you can try using a browser that allows you to restrict images to the site you're visiting. Firefox can do that "load images for the originating web site only", I would expect I.E.7, and many of the other current generation browsers to offer the same. Inconvenient to turn it on and off, but most sites work fine with the restriction in place.
- jbreaux, on 10/12/2007, -1/+1
Right the computer can alert a human and then a human investigates and if warranted takes action against their client. Obviously something unlawful is occurring and if the ISP fails to do something then they are held accountable.
- SuperJdynamite, on 10/12/2007, -0/+0
"(3) Don't use web-based E-mail. I know that's going to sound like heresy to many, but no one I've spoken to has ever been able to give me what I thought was a sufficiently-compelling reason why webmail is even necessary."
Does everything have to justify its existence to you, or is it limited to webmail?
"(4) Convince ISPs worldwide to BLOCK direct outbound connections from client systems on port 25, and force all user E-mail traffic through the ISP's own mail gateways."
That assumes your mail is provided by your service provider. I use Comcast cable for internet. Without ever sending an email from my Comcast address it's filled to capacity with SPAM. I suppose Comcast could have an open relay so that I can send mail from my email provider via Comcast, but with an open relay I'm back to square one.
Long story short: your plan is lame.
"ISP's like Comcast (better known to some as Comcrap or Crapcast) have, IMO, been far too lenient with irresponsible users who, through carelessness or sheer incompetence, allow their computer to be corrupted into a spammer abuse toy."
You clearly don't have a handle on reality here. Do you know the sheer number of machines infected with worms? There are plenty of large corporations, managed by professional IT departments, who have chronic worm infections. My point is that your solution simply isn't feasible.
Also, your statement that users "allow their computer to be corrupted" really blames the victim here. If anything, the software manufacturers should be held accountable for the defects they created, not the people who, in good faith, purchased the defective software.
"Personally, I think it's time and past to piss off some subscribers. Maybe then they'll "get it" that THEY are responsible for harm their computer might cause, and act accordingly."
Consumers are responsible for the defects in the products they purchase? WTF?
- warble, on 10/12/2007, -0/+0
Other ideas are disregarding the point:
(1) Good point, email wasn't designed for HTML, nor was it designed for file transfer (That's called FTP folks) nor was it designed for a whole host of things it's commonly used for now. How about fixing your stupid client programs so that displaying an image isn't a problem. Honestly, I rarely (if ever) use HTML in my email, but once in a while it's nice to have some bold, or a bulleted list. And people like flash. Any common messaging protocol has to have rich text and image capabilities.
Why you can launch executable code from an image file is beyond me, obviously the image rendering library is completely broken. Fix that, don't remove useful features because you're too stupid to get them to work right.
(2) Great, and further render email completely useless. Bad idea.
(3) Wrong again. Don't use a browser that bends over like a 2 bit hooker anytime a script kiddie posts some javascript he pulled off his local warez site. Then your webmail will work better.
(4) Wrong again, is this 4 times? Fix SMTP so that you know for sure who the sender is, then get a gang of your friends together and go out and drink beer and beat up spammers every friday night. That would be far more effective than blocking port 25. Again, fix the problem, don't remove the feature that's broken.
Okay, so I'm grumpy, so don't take this too personally.
- mercatfat, on 10/12/2007, -0/+0
I've gotten maybe 10 unsolicited spam emails in my regular ol' Yahoo! inbox in three or four years, not counting the German ultra right-wing spam attack a year or two ago that took all filters by surprise.
Even if it is possible to use this image exploit, I'd never know- they're all in my bulk mail.
Webmail means ultimate convenience (if you don't have a laptop and/or wireless internet but a computer is accessible) and never having to worry about losing your contacts or mail. POP3 is much better for businesses, but a good webmail service usually wins for the home consumer.
- jbreaux, on 10/12/2007, -4/+1
someone needs to take action, all the laws in place are simply not working.
- jinexile, on 10/12/2007, -8/+4
The real fault lies in POP3 it's a protocol specification that was built by people that had no clue how large the internet was going to get. Unfortunately they didn't think a whole lot about security and like the QWERTY keyboard it was useful in its time but it has gotten very old and needs to be replaced but by doing so will cost billions of dollars, no one wants to bite that bullet so we continue trudging along.
- Chompy, on 10/12/2007, -7/+2
Due to the extreme difficulty of finding and shutting down spammers, they should be sentenced to death when caught. Let's face it, spammers are utterly worthless gutterslime lowlifes, and we'd all be better off if they were gone. I'm thinking that would have a better deterrent effect than "oh, if they ever catch you, maybe you'll get 6 months in jail and a bunch of fines you don't really have to pay".
Where's the disincentive to spam?
- inactive, on 10/12/2007, -8/+2
Everyone has an answer here but, I'm still getting spammed.......