A Dispatch


December 05, 2005

A Twist on the "Web Beacon" Scam

Message Trick #9 in Spam Wars details how the long-time "Web beacon" scam works. In short, your email address (which is auto-inserted to the message's To: field or message envelope) is appended to a request to a (usually hidden) image. When your HTML-enabled email reader fetches the image from a Web server (even to show it in the Preview Pane), your email address is silently beamed to the spammer, verified as being live and active. Your freshly confirmed address becomes yet another asset that spammers will sell/trade, assuring you of further spam. It's your unwilling contribution to the spam economy.

Most modern email programs and some Web-based email sites offer an option to prevent the retrieval of images embedded in an email message. If a legitimate message includes one or more images, you can elect to download the images at your explicit request. I wholeheartedly endorse this setting if it's available to you (it's the default behavior of Gmail, for instance). If additional security choices are available to you in your email program—especially disabling ActiveX controls and JavaScript—I also strongly recommend that you opt to disable those things that simply don't belong in email messages (because Bad Guys can do terribly nasty things with them).

For the past couple of weeks, I've been closely monitoring what spammers are currently doing with JavaScript in messages. The reason I'm so interested in this (other than being a JavaScript junkie) is that one press report indicated that a majority of email usage is now through Web-based email. In other words, a ton of email users are reading and sending email through services such as hotmail, yahoo, Gmail, and Web-page-based services of other providers (e.g., Earthlink, Comcast, and so on).

Some of these Web-based email services are using JavaScript (in concert with some advanced capabilities built into modern browsers) to create pretty spiffy user interfaces. Instead of retrieving a complete (and complex) Web page at every click, only small bits of information come down the pipe, while scripting embedded in the Web page modifies portions of the screen. The result is a Web page that seems to work almost as quickly as a separate email program.

Unfortunately, this means that if you want to take advantage of the speedy interface, you must have JavaScript enabled for your email Web site. And that's where several instances of something I saw in spam message source code caught my attention: Instead of embedding the Web beacon stuff in an image request, the beacon data is added to a request to an external JavaScript file. It doesn't matter what (if anything) the server returns for these kinds of requests (image or script)—it's the request to the server that emits the beacon confirming your email address. Even if images are blocked, scripts are retrieved (because the email site, itself, does it).
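The following is an added example, not code from the original post, showing how a defender (a mail filter or a curious user) can spot both forms of beacon described above: an image request and an external script request whose URL carries the recipient's address. The sample message, the recipient address, and the tracking host names are all constructed for the illustration.

```python
import base64
import re
from urllib.parse import unquote

# Constructed sample of an HTML spam body (not from the original post): one
# hidden image beacon and one external-script beacon, each carrying the
# recipient address in its query string, plus an ordinary image for contrast.
RECIPIENT = "alice@example.com"
SAMPLE_HTML = """
<html><body>
<p>Special offer inside!</p>
<img src="http://cdn.example.net/logo.png" alt="logo">
<img src="http://track.example.net/px.gif?id=alice%40example.com" width="1" height="1">
<script src="http://track.example.net/lib.js?u=YWxpY2VAZXhhbXBsZS5jb20="></script>
</body></html>
"""

# Matches the src attribute of <img> and <script> tags (quoted values only).
SRC_RE = re.compile(r'<(img|script)\b[^>]*?\bsrc\s*=\s*["\']([^"\']+)["\']', re.I)

def address_forms(addr):
    """Encodings a beacon URL might use to carry the address: raw,
    percent-encoded '@', base64, and hex."""
    raw = addr.lower()
    return {
        raw,
        raw.replace("@", "%40"),
        base64.b64encode(raw.encode()).decode(),
        raw.encode().hex(),
    }

def find_beacons(html, recipient):
    """Return (tag, url) pairs whose URL embeds the recipient address.

    Both <img> and <script> requests are inspected, because blocking
    images alone leaves a script-based beacon in place."""
    forms = address_forms(recipient)
    hits = []
    for tag, url in SRC_RE.findall(html):
        haystacks = (url, unquote(url))
        if any(f in h for f in forms for h in haystacks):
            hits.append((tag.lower(), url))
    return hits

if __name__ == "__main__":
    for tag, url in find_beacons(SAMPLE_HTML, RECIPIENT):
        print(f"beacon candidate in <{tag}>: {url}")
```

A real filter would also need to handle unquoted attributes, CSS background images, and addresses hidden in the path rather than the query string; the check above is the core idea.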

You can block this kind of script access by disabling JavaScript (e.g., in Internet Explorer for Windows XP, go to the Tools/Internet Options menu, click on the Security tab, click on the Restricted sites icon and the Sites button. Then add the domain of your email site, such as "mail.google.com"), but then the snazzy interface is gone. You'll be back to the slow, one-pageful-per-click response you've grown to hate elsewhere (and in Gmail, you won't be able to edit your global settings).

Another head just popped up in the eternal antispam game of Whack-a-Mole.

Posted on December 05, 2005 at 04:57 PM