ietf-822

RE: html and active content.

1999-11-02 23:13:15
This technique was known and discussed a year ago at http://www.tbtf.com.

At the time, I asked Jacob Palme to add a section to the Security
Considerations of MHTML regarding this and he did so.
<http://www.normos.org/ietf/rfc/rfc2557.txt>:


   HTML-formatted messages can be used to investigate user behaviour,
   for example to break anonymity, in ways which invade the privacy of
   individuals. If you send a message with an inline link to an object
   which is not itself included in the message, the recipient's mailer or
   browser may request that object through HTTP. The HTTP transaction
   will then reveal who is reading the message. Example: A person who
   wants to find out who is behind an anonymous user identity, or from
   which workstation a user is reading his mail, can do this by sending
   a message with an inline link and then observe from where this link
   is used to request the object.


                - dan
--
Daniel Kohn <mailto:dan(_at_)dankohn(_dot_)com>
tel:+1-425-519-7968  fax:+1-425-602-6223
http://www.dankohn.com


-----Original Message-----
From: Chris Newman [mailto:chris(_dot_)newman(_at_)innosoft(_dot_)com]
Sent: Tuesday, 1999-11-02 15:26
To: ietf-822(_at_)imc(_dot_)org
Subject: Re: html and active content.


--On Tuesday, October 19, 1999 10:49 -0400 
Valdis(_dot_)Kletnieks(_at_)vt(_dot_)edu wrote:

We have seen a number of attacks via e-mail that use text/html to carry
pointers to malicious code.  We also had, many moons ago, a small war
regarding text/html versus application/html.

I recently heard about a rather large vendor of Tax software sending an
HTML message to customers which included an <IMG > tag pointing to
one-pixel transparent GIF with a user-id tag.  This was used as an
involuntary read-receipt technique.

Incidentally, I've decided not to use any mail client which renders non-local
content without asking first.

                - Chris
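As an added example, not part of this thread and not code from RFC 2557 or any mail client, the following Python scans a raw message for exactly the pattern both posts describe: an element the renderer fetches automatically (an <IMG> and similar) whose source is an external URL rather than an object carried inside the message (a cid: reference to a multipart/related part, as MHTML specifies). It flags references that carry a per-recipient token or are sized as a one-pixel image, which is the involuntary read-receipt Chris mentions. The sample message, the host names (tracker.example.test, cdn.example.test) and the user-id value are constructed for the example; the token heuristic is an assumption, not a standard.

```python
"""Detect remote-content references ("web bugs") in an HTML mail body.

Added example; not from the ietf-822 thread or RFC 2557.
"""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Element/attribute pairs a mail renderer fetches when the message is merely
# displayed. <a href> is deliberately absent: it fetches only on a click.
FETCHING_ATTRS = {
    "img": ("src",),
    "input": ("src",),
    "iframe": ("src",),
    "link": ("href",),
    "video": ("src", "poster"),
    "audio": ("src",),
    "body": ("background",),
    "table": ("background",),
    "td": ("background",),
}


def looks_like_recipient_token(parsed):
    """Heuristic (assumption): a query string, or an opaque path segment of
    16+ alphanumeric characters, is how a per-recipient id is usually carried."""
    if parsed.query:
        return True
    stem = parsed.path.rsplit("/", 1)[-1].split(".", 1)[0]
    return len(stem) >= 16 and stem.replace("-", "").replace("_", "").isalnum()


class RemoteRefCollector(HTMLParser):
    """Collects every reference that would be fetched on display."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        attrs = {k.lower(): (v or "") for k, v in attrs}
        for name in FETCHING_ATTRS.get(tag, ()):
            value = attrs.get(name, "").strip()
            if not value:
                continue
            parsed = urlparse(value)
            scheme = parsed.scheme.lower()
            # cid: names a part included in the message (multipart/related);
            # data: is inline too. Anything else leaves the message and
            # tells the URL's owner who opened it, from where, and when.
            remote = scheme not in ("cid", "data")
            self.refs.append({
                "tag": tag,
                "attr": name,
                "url": value,
                "remote": remote,
                "host": parsed.hostname if remote else None,
                "tracking_token": remote and looks_like_recipient_token(parsed),
                "hidden_pixel": tag == "img"
                and attrs.get("width", "").strip() in ("0", "1")
                and attrs.get("height", "").strip() in ("0", "1"),
            })


def scan_html(html_text):
    collector = RemoteRefCollector()
    collector.feed(html_text)
    collector.close()
    return collector.refs


def scan_message(raw):
    """Parse a raw RFC 822 message and scan every text/html part."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            findings.extend(scan_html(part.get_content()))
    return findings


def web_bugs(findings):
    """Remote references that also look like an involuntary read receipt."""
    return [f for f in findings
            if f["remote"] and (f["tracking_token"] or f["hidden_pixel"])]


# Constructed sample: one image carried in the message, one tracking pixel.
SAMPLE_MESSAGE = b"""From: sender@example.test
To: reader@example.test
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/related; boundary="b1"

--b1
Content-Type: text/html; charset="us-ascii"

<html><body><p>Hello</p>
<img src="cid:logo@example.test" width="200" height="60">
<img src="http://tracker.example.test/open.gif?uid=reader-00042" width="1" height="1">
<a href="http://www.example.test/offer">Click here</a>
</body></html>
--b1
Content-Type: image/gif
Content-ID: <logo@example.test>
Content-Transfer-Encoding: base64

R0lGODlhAQABAAAAACw=
--b1--
"""

if __name__ == "__main__":
    for finding in scan_message(SAMPLE_MESSAGE):
        print(finding)
    print("web bugs:", len(web_bugs(scan_message(SAMPLE_MESSAGE))))
```

A client that follows Chris's policy would run `scan_message` before rendering and either strip every finding with `remote` set or ask the user first; the cid: reference is left alone because the object is already in the message, so blocking remote content loses nothing there.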


