A Dispatch


August 10, 2005

Web Beacons: Alive and Unwelcome

Spam Wars readers know all about Web beacons or Web bugs—email message inclusions that download zero-sized images, passing your email address along the way, thus confirming that your email address is active. Every once in a while, I'll read some article proclaiming that the technique isn't used much anymore.


Scanning through my server's Suspects bin, I encountered this little gem, whose only goal is to get its recipient to open the message in an HTML-capable email program (i.e., most standalone email programs and Web mail pages), and thus confirm the recipient's address. The Subject: line of the one I received is:

Subject: dannygWho are you

The miscreant putting together the template didn't think to include a space between the email address user name and the "Who are you" part. But imagine seeing this in your email inbox with your email account user name at the beginning. Would you open it to see what it's about? Unfortunately, I believe most would do so, especially those who don't follow Spam Wars guidelines for email safety.

If you were to open the message in your email program, the message body would read exactly the same as the Subject: line (including the space mistake). That's all you would see. You'd be puzzled. Perhaps even a little frightened. The From: field just has seven "w"s in a row, followed by an email address you wouldn't recognize (it's non-working, as well).

What the recipient doesn't see is that the HTML of the message includes a tag that downloads an image. The specifications for the image set the size at zero height and width, meaning that it will be invisible. But don't worry...you're not missing anything because the URL for the image won't download anything worth seeing. The heart of what's going on here is in the URL itself. After the Web address of the server (in the numeric IP address format pointing to a location in China) are identifiers for both the recipient's email address and the affiliate who caused the spam to be sent (the second identifier could also label the particular campaign being used for this mailing).
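To see the beacon without rendering the message, a mail filter can scan the HTML part for remote images that are zero-sized or carry the recipient's address in the URL. The following is an added example, not part of the original post; the sample message is constructed, and its server address (192.0.2.10) and parameter names (`e`, `aff`) are assumptions.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit

# Constructed sample (not the real spam); 192.0.2.10 and the e/aff parameters are assumptions.
SAMPLE = """\
From: wwwwwww <nobody@example.invalid>
To: dannyg@example.com
Subject: dannygWho are you
Content-Type: text/html; charset="us-ascii"

<html><body>dannygWho are you
<img src="http://192.0.2.10/i.gif?e=dannyg@example.com&amp;aff=1234" width="0" height="0">
<img src="cid:logo" width="120" height="40">
</body></html>
"""

class ImgCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.images = []  # one attribute dict per <img> tag
    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.images.append(dict(attrs))

def find_beacons(raw_message):
    """Return (url, reasons) for remote images that look like Web beacons."""
    msg = message_from_string(raw_message)
    recipient = parseaddr(msg.get("To", ""))[1].lower()
    findings = []
    for part in (p for p in msg.walk() if p.get_content_type() == "text/html"):
        charset = part.get_content_charset() or "utf-8"
        collector = ImgCollector()
        collector.feed(part.get_payload(decode=True).decode(charset, "replace"))
        for img in collector.images:
            src = img.get("src") or ""
            if urlsplit(src).scheme not in ("http", "https"):
                continue  # cid: and data: images never contact a remote server
            reasons = []
            if img.get("width") == "0" and img.get("height") == "0":
                reasons.append("zero-size")
            if recipient and recipient in unquote(src).lower():
                reasons.append("recipient-in-url")
            if reasons:
                findings.append((src, reasons))
    return findings

if __name__ == "__main__":
    print(find_beacons(SAMPLE))
```

The scan only reads the message source, so nothing is fetched from the sender's server.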

By opening—or even just previewing—the message, you've confirmed your address to a spamming group. That address becomes a valuable asset that gets sold to other spammers. Here's your reward: Expect to see more spam in the weeks and months ahead.

Oh, and this isn't a Windows-only deal, like most of the spyware running around. If the email program is capable of rendering HTML (like a Web browser), you are susceptible to this venerable trick. Even if you use Web mail at an Internet cafe on someone else's computer, it's still your address that gets confirmed.

Fortunately, more and more email programs offer a preference setting that lets you turn off automatic downloading of images (and other types of downloadable HTML stuff) in email messages. Instead, you can see the text, with placeholders for the images. If you want to download the images, you can click on a button. I was pleasantly surprised to see this blockade turned on by default when I upgraded to the current version of my email program.

Alas, I fear that the social engineering occurring in this "Who are you" message will trick even careful users into downloading the bogus image. If they had taken further precautions (as I detail in Spam Wars), they would have seen the trick being perpetrated, and walked, if not run, away from this message without doing any damage.

Please, please protect yourself, and don't give the spammers the satisfaction of knowing your email address is alive and well.

Posted on August 10, 2005 at 08:19 AM