[NTLK] [OT] Single pixel spies and scumware (was Re:Did anyone else get this?)

From: Sunder (sunder_at_sunder.net)
Date: Sun Oct 13 2002 - 06:25:47 EDT


Single pixel spies are exactly what the name implies. They're often sent
along within HTML emails as an IMG tag. This instructs your mail program
to go out and download an image off the spammer's server, but that image
isn't just an image. Its name has meaning to the spammer - it
effectively contains your email address or something that can be linked
to your email address.

Then, at the end of the day, the spammer goes and looks through their logs
and lo and behold, all of those logs for those one pixel images are now
"Verified, Valid Email addresses" which can be sold to others by using
spam that advertises the spammer's service, and is guaranteed to receive
future spam. I'm sure you've received spam that pushes spam i.e. "Tell
billion valid email addresses, no better way to advertise, it really
works, etc."

It's not that the spammer has millions of images, but rather that they use
CGI scripts or other back end server stuff to return the 1 pixel by 1
pixel GIF file back to your mail reader/web browser. They usually use
GIFs, because the GIF89 specification has an option where certain colors
can be marked as "transparent" (they're not really colors, they're just a
marker that says, show the background under this image, not a pixel) so
that the 1 pixel by 1 pixel image is really invisible - until you take a
look at the HTML source code of the email.

For example, a normal image tag might look like this:

<IMG SRC="http://www.sunder.net/icon-lisa2b.gif">

And this would go and fetch the same image for everyone, but you'd have no
way to get the email address of the guy viewing it (unless your web
browser is evil enough to send it on your behalf!)

One of the spam single pixel spies might call some cgi program and could
look like this:

<IMG SRC="http://127.0.0.1/cgi-bin/pixelspy?victim=fyzycyst_at_comcast.net">

Most of the time that email address is encoded so it doesn't stand out, or
a number is used as an index to a database record on their end, etc, so it
might look like this:

<IMG SRC="http://127.0.0.1/cgi-bin/pixelspy?victim=152236">

So yes, the simple act of just reading (or previewing) a spam under a
modern mail program that honors HTML and especially images, will guarantee
reception of future spam. This is why I still read my email from under
unix in text mode. No chance for IMG tags to execute. Ever. :)

Even more fun, if you're dumb enough to "opt out" you've just subscribed
to other spams. Yes, you've opted out of receiving spams from that
particular advertiser, but nothing stops him/or her from selling your
email address to different advertisers.

(Alternately, sometimes they include instructions in javascript or a
refresh tag in the email that tell your computer to go and open some web
page, so that the spam itself can be very small and faster to send out,
but the principle is the same, the email contains some marker or reference
to your email address and relays the fact that you've read the email to
the spammer's servers.)

Even more fun, places like DoubleClick and the like have extensive
"networks" (the advertising version of the term network, not just network
as in computer network), where if you by some chance have cookies enabled,
and you enter in your email address (or any other information) to just a
single one of these websites, DoubleClick knows about it and shares it
with every other member of its network. It effectively brands that
computer as belonging to you. So each time you visit any of their
"affiliate" network web sites, each of those will now know who you are and
what your interests are based on your previous web visits to other
affiliate sites, plus your purchases, etc.

If you log in to one of those affiliates from another computer or
different browser, then DoubleClick's cookies link this to all the
other information they have on you, so it really does follow you
around.

There was quite a bit of controversy circling them a while back. Google's
your friend for better details on this.

Even more evil. Some scumware authors actually exploit bugs in web
browsers much like hackers breaking in to servers:

For instance, there's some hole in old versions of Internet Explorer's
Java implementation where if you visit a specially crafted web page, it
will install scumware on your machine that will purposefully expose you to
more ads. A great example of this is if you see pages from "traffic4sure"
and "search-explorer" as well as lots of porn pages start popping up all
of a sudden, and coming back the next day or the day after when you're
visiting sites that you've never seen this happen from... That means
you're already infected by this.

Luckily this is just an HTML and registry entry that does all this by
changing IE's search and plug-in bar, but it could have easily been
installing viruses and more insidious malware such as back door software
(i.e. a modified version of VNC or BackOrifice) that would allow the owner
of the evil web site to take over your machine, or software that tries to
steal information off your machine for instance from Microsoft Money or
Quicken, or watch for you to enter a credit card number and expiration.
(Credit cards are easy to detect because they're 4 groups of four numbers
where the 1st digit usually starts with 4,5 for Visa and MC and have a
MOD10 checksum, expirations are dates, also easy to parse.)

Other less evil, but scumware nonetheless are things like Bonzi Buddy and
Comet Cursor that spy on you - and of course the scumware installed in
Kazaa that spies on you. (I've already mentioned Search Explorer, yes,
don't install their "bar")

So far I've not heard of the Google search bar as being scumware, so that
seems to be safe, though I could be wrong.

The best way to stop most of this crap is to get a host based
firewall. Things like ZoneAlarm and Norton's personal firewall - whatever
it's called. Basically you want cookie management, and ad blocking
features, but even so it's not automatic, you still have to tell these
programs what's a banner ad and what's not. The beauty of these firewall
programs is that they tell you when an application is trying to connect to
the internet, so you can choose to block it. So if you've got a trojan
installed, this will help you catch it when you see unexpected network
traffic.

But this isn't foolproof because things that become part of Internet
Exploiter for instance won't tell your firewall they're scumware, they'll
look like legitimate requests to access web sites by your web
browser. Still it's better than nothing.

Now that you've had a nice quick introduction to the world of SCUMWARE,
let's get back to Newtons. :)

----------------------Kaos-Keraunos-Kybernetos---------------------------
 + ^ + :NSA got $20Bil/year |Passwords are like underwear. You don't /|\
  \|/ :and didn't stop 9-11|share them, you don't hang them on your/\|/\
<--*-->:Instead of rewarding|monitor, or under your keyboard, you \/|\/
  /|\ :their failures, we |don't email them, or put them on a web \|/
 + v + :should get refunds! |site, and you must change them very often.
--------_sunder_@_sunder_._net_------- http://www.sunder.net ------------

On Sun, 13 Oct 2002, Glen Warner wrote:

>
> "Eric L. Strobel" <fyzycyst_at_comcast.net> wrote:
>
> (*snip*)
>
> > Personally, I disable that just so those annoying single pixel graphics
> > that act as 'spies' don't have a chance.
>
> Hmm ... what's this? Could you elaborate a bit ...?
>
> --gdw
>
> > - Eric.
>
>
>
> --
> Read the List FAQ/Etiquette: http://www.newtontalk.net/faq.html
> Read the Newton FAQ: http://www.chuma.org/newton/faq/
> This is the NewtonTalk mailing list - http://www.newtontalk.net/
>
>

-- 
Read the List FAQ/Etiquette: http://www.newtontalk.net/faq.html
Read the Newton FAQ: http://www.chuma.org/newton/faq/
This is the NewtonTalk mailing list - http://www.newtontalk.net/
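Added example (not part of Sunder's post or the NewtonTalk list): a small Python scanner that does by hand what a cautious mail client does, looking at every IMG tag in an HTML message, flagging the indicators the post describes (a 1x1 or 0x0 geometry, a query string carrying a per-recipient value, or an opaque token as the file name) and then applying the mitigation, which is simply never to fetch remote images. The sample message, hostnames, paths and the `victim=` parameter are constructed for the example; inline `cid:` images need no network request and are left alone.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs

# Constructed sample HTML mail body (not a real message). The hostnames,
# paths and the "victim=" parameter are made up for this example.
SAMPLE_HTML = """<html><body>
<p>Hello!</p>
<img src="http://www.example.com/icon-lisa2b.gif" width="32" height="32">
<img src="http://tracker.example.net/cgi-bin/pixelspy?victim=152236" width="1" height="1">
<img src="cid:inline-logo@example.com" alt="inline attachment">
<img src="http://tracker.example.net/open/abc123def456.gif" style="width:1px;height:1px">
</body></html>"""


class ImgCollector(HTMLParser):
    """Collects the attributes of every <img> tag in an HTML document."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            # valueless attributes arrive as None; normalise them to ""
            self.images.append({k.lower(): (v or "") for k, v in attrs})


def is_tiny(attrs):
    """True for the 0x0 / 1x1 geometry that makes a beacon invisible,
    whether given as width/height attributes or as inline CSS."""
    w, h = attrs.get("width", "").strip(), attrs.get("height", "").strip()
    if w in ("0", "1") and h in ("0", "1"):
        return True
    style = attrs.get("style", "")
    return bool(re.search(r"width\s*:\s*[01]px", style)
                and re.search(r"height\s*:\s*[01]px", style))


def classify_images(html):
    """One finding per <img>: whether it is fetched from a remote server
    and, if so, which beacon indicators it carries."""
    parser = ImgCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.images:
        src = attrs.get("src", "")
        parts = urlsplit(src)
        remote = parts.scheme.lower() in ("http", "https")
        reasons = []
        if remote:
            if is_tiny(attrs):
                reasons.append("1x1 geometry")
            if parse_qs(parts.query):
                reasons.append("query string (per-recipient identifier)")
            # A long opaque token as the file name is the other common way
            # to encode the recipient, e.g. /open/<token>.gif
            if re.search(r"/[A-Za-z0-9_-]{12,}\.(?:gif|png)$", parts.path):
                reasons.append("opaque token in path")
        findings.append({"src": src, "remote": remote,
                         "beacon": bool(reasons), "reasons": reasons})
    return findings


# Any <img> whose src is an http(s) URL, i.e. anything that would make the
# mail reader contact a server when the message is displayed.
REMOTE_IMG = re.compile(r"<img\b[^>]*\bsrc\s*=\s*['\"]?https?://[^>]*>", re.I)


def strip_remote_images(html):
    """The mitigation: never let the mail client fetch remote images.
    Remote <img> tags become an HTML comment; cid: and data: images stay."""
    return REMOTE_IMG.sub("<!-- remote image blocked -->", html)


if __name__ == "__main__":
    for f in classify_images(SAMPLE_HTML):
        flag = "BEACON" if f["beacon"] else ("remote" if f["remote"] else "local ")
        print(f"{flag}  {f['src']}  {', '.join(f['reasons'])}")
    print(strip_remote_images(SAMPLE_HTML))
```

Run as a script it prints one line per image and then the sanitised HTML. Note that the 32x32 icon is reported as remote but not as a beacon: a normal remote image still lets the server see your IP address and the time you opened the mail, which is why the mitigation blocks all remote images rather than only the ones that look like spies.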
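Added example (not from the post) for the parenthetical on how easily card numbers are recognised: the same MOD10 (Luhn) check the post mentions is what a defender uses in data-loss-prevention or log-redaction tooling to find card numbers before they leave a machine or land in a log file. The sample text is constructed; 4111111111111111 and 5555555555554444 are the published Visa and MasterCard test numbers, 4111111111111112 is that Visa number with a wrong check digit, and 1234567890123456 is a plain 16-digit order id.

```python
import re

# Constructed sample text (no real card data). The two valid numbers are the
# well-known Visa/MasterCard *test* numbers; the third is a Visa number with
# a wrong check digit; the order id is 16 digits but not a card number.
SAMPLE_TEXT = """order 1234567890123456 shipped
card 4111-1111-1111-1111 exp 12/04
card 5555 5555 5555 4444 exp 01/05
card 4111111111111112 exp 12/04 (typo)
ticket id 152236"""


def luhn_valid(digits):
    """MOD10 (Luhn) check used by Visa and MasterCard: walking from the
    right, double every second digit (subtract 9 if that exceeds 9), sum
    everything, and the total must be divisible by 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


# 13 to 19 digits, optionally grouped with spaces or dashes, and not part
# of a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def _digits(match):
    """Strip the grouping separators from a regex match."""
    return re.sub(r"[ -]", "", match.group())


def find_pans(text):
    """Digit runs that pass both the length and the Luhn check."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        d = _digits(m)
        if 13 <= len(d) <= 19 and luhn_valid(d):
            hits.append(d)
    return hits


def redact_pans(text):
    """Mask all but the last four digits of each Luhn-valid run; digit
    runs that fail the check (order ids, ticket numbers) are left as-is."""
    def mask(m):
        d = _digits(m)
        if 13 <= len(d) <= 19 and luhn_valid(d):
            return "*" * (len(d) - 4) + d[-4:]
        return m.group()
    return PAN_CANDIDATE.sub(mask, text)


if __name__ == "__main__":
    print("found:", find_pans(SAMPLE_TEXT))
    print(redact_pans(SAMPLE_TEXT))
```

The Luhn check is what keeps the false-positive rate usable: roughly nine out of ten random 16-digit strings fail it, so order ids and ticket numbers pass through untouched while the genuine numbers are masked down to their last four digits.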



This archive was generated by hypermail 2.1.2 : Thu Oct 31 2002 - 12:02:39 EST