Spammers Using Embedded Images
Results 1 to 10 of 10

Thread: Spammers Using Embedded Images

  1. #1
    Junior Member
    Join Date
    Aug 2004
    Posts
    14

    Spammers Using Embedded Images

    I noticed alot of the mail clients are now turning off embedded images by default for viewing emails.

    I was curious if the problem was the images had emedded URL variables that gave away your email address?

    IE: <img src="myimage.jpg?email=youremailaddress">

    or is it just simply them being able to get your IP info once the image loads on their server?

    I like having images displayed in my email client and I don't really care if my proxy IP is given away, but I would care more if they could harvest my email addy as being valid from displaying the image...

    thanks all!
    ~jim~

  2. #2

  3. #3
    Junior Member
    Join Date
    Aug 2004
    Posts
    14
    just read the thread, thanks
    I see it just mentions getting the persons IP addy... how about my example on using url tags to get the email address?
    ~jim~

  4. #4
    When they send you an email, they already have your email address. It's just a matter of confirming that you open and read their emails which makes you a target for them. If you read their emails, you are more likely to buy viagra.

    Before I spam you, I would have to craft the email to include a tag like
    <img src="Yourbuglocation.php?email=youremail@email.com"?>

    They would then have your IP, and "proof" that you opened the email. You can also get an IP by watching requests on your webserver, but using php will give you an email, an IP, and a way to put it in email notification like my tutorial, or you could stick it in a DB which is more likely on the spammer end.

  5. #5
    Junior Member
    Join Date
    Aug 2004
    Posts
    14
    right I know they already have my email address but a confirmed email address is twice as bad

    if my address is confirmed I get 20X more junk mail so I was just curious if it was possible to use the tactic of embedding the email address in the IMG src tag

    your link makes sense.. all I'd have to do was display an email from my php script and I'd have confirmation of the email address.

    instead of blocking images all together couldn't it just be done by not displaying images without ending .jpg or gif extensions? and not allowing any characters after the .jpg or .gif
    ~jim~

  6. #6
    Senior Member
    Join Date
    Mar 2004
    Location
    Colorado
    Posts
    421

    Re: Spammers Using Embedded Images

    Originally posted here by cobain_attacks
    I noticed alot of the mail clients are now turning off embedded images by default for viewing emails.

    I was curious if the problem was the images had emedded URL variables that gave away your email address?

    IE: <img src="myimage.jpg?email=youremailaddress">

    or is it just simply them being able to get your IP info once the image loads on their server?

    I like having images displayed in my email client and I don't really care if my proxy IP is given away, but I would care more if they could harvest my email addy as being valid from displaying the image...

    thanks all!
    Do yourself a favor and just turn off HTML email.
    HTML email offers little value compared to the potential problems it can cause. IMO

    I have seen spam software packages that will dynamically generate small temporary images AT URL's assocaited with each message sent. Simply viewing the image in a SPAM message will both verify the email address was good for future mailings, and provide tracking information like success rate info to the SPAMMERS customers. BASTARDS!!

  7. #7
    Junior Member
    Join Date
    Aug 2004
    Posts
    14
    I actually spaced out and didn't even think of using a .php or .asp script as the img src tag
    you could easily verify email address that way.

    my yahoo junk mail folder is out of hand at this point like 5,000 every few days
    ~jim~

  8. #8
    A server can be configured to use php tags in any extension, so a .jpg can actually contain php script I believe, if the server was configured right which spammers would obviously do.

    Just from a security perspective, disabling all scripting is a good idea. It will prevent all html from being run, therefore you won't load any code in the email, and prevent any bugs in the process.

  9. #9
    Junior Member
    Join Date
    Aug 2004
    Posts
    14
    another good point Soda, you can create custom script tags in IIS and Apache

    there goes my mail client consulting career. lol

    *turns off images
    ~jim~

  10. #10
    Senior Member
    Join Date
    Jul 2001
    Posts
    343
    Well SP2 for XP turned off images in Outlook Express (finally!!!)
    Also other security has been added.....
    I still think there is issues with their new firewall
    but time will tell....
    Franklin Werren at www.bagpipes.net
    Yes I do play the Bagpipes!

    And learning to Play the Bugle

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •