Defeating MSGTAG (Was: Re: Can MSGTAG be blocked?)

Lex Hilton said:
> Not sure how many of you know about this piece of software.

We do now :)
> It sends alerts to the original sender of email once you've opened it.
> http://www.msgtag.com
> A lot of my friends have started using it when sending me email.

You need a new set of friends, ones who don't bug their email,
and otherwise spy on their 'friends'...

(With fronds like these, who needs enemas?)

> Doesn't bother me but I was wondering if there's any way it can be
> defeated?

Yes, as it happens. Always keen for a challenge, I downloaded
a copy to see why it works. Wasn't much of a challenge, but then
that's a good thing I guess. All the 'best' 'technologies' are
simple at heart.

After a quick dig about, it seems that this MSGTAG thing works
like this:


Sender's End
------------
Installing on the 'Senders' machine runs through a common-or-
garden Windows install program, then invites the end user to
sign up for an 'account' with a MSGTAG server.

When you first say 'Yup, I want to sign up', it attempts a
connection to a server called 'logic.msgtag.com', POSTs 28
bytes of something (I didn't look at what) and gets a reply.

(Post: Interestingly, MSGTAG is happy to operate through HTTP
proxies at every step of the way, and making it work
through a 'Proxomitron' content stripping proxy actually
breaks this initial setup phase for MSGTAG)

If it's happy with the reply (plural actually) (which, amongst
other things, includes a png image of one of those "type the
letters in the picture" things, to prevent automated registrations),
it prompts for an email address (to send read receipts to) and
a password.

Sending that lot checks to make sure that the email address
appears to be a real one, then invites you to receive their
spam (default: yes), and says "welcome!".

After the 'registration', it trawls around, finds your email
clients, and presents a list of your accounts, asking which
ones you want to use with MSGTAG.

I chose one of mine, and it reconfigured only the 'Outgoing
Mail' server to be 'localhost', and port '7362'.

As you've by now guessed, the crux of this MSGTAG thing is
in that it installs an SMTP Relay on the Sender's machine,
and reconfigures the mail client to use it.

The SMTP relay listens on 7362/tcp, and binds to all interfaces.
It accepts connections from other machines, but immediately
drops any connection from other than localhost. Watch this
space, that will get exploited sometime RSN.


Sending Email
-------------
When the end-user composes an email message, nothing changes.
They compose and send exactly as they always had done.

Their client sends to the local SMTP relay. The relay takes
the message, converts it to a Multipart MIME message if it
wasn't one already, and generates the typical one part plain
text, one part HTML message.

At the bottom of the HTML section, it inserts a single cell
table, something like this...

<p><table width="100%" bgcolor="#eeeeee"><tr><td width="100%">
<a href="http://msgtag.com/?source=ffooter"><img src="
http://img.msgtag.com/bD/mwrudtqrybpqqcdd/bi/Fpj/mx/uf/hvxi.gif"
border="0"></a> has notified the sender that this message has been
received.</td></tr></table><p></body></html>

(all on one line, remove my indent spaces if you're going to try it).

The <img src="http://img.msgtag.com/...> image is a classic 'web
bug', with identifying information specific to this individual
email.

Astute punters are, by now, realising that this is trivial to
defeat, in a range of different ways :)

Interestingly, apart from doctoring the MIME headers as required,
MSGTAG doesn't seem to alter the message headers at all. Similarly,
when it does its SMTP relay thing, it doesn't identify itself
as being involved, it just echoes back the real upstream SMTP
server's replies.


Victim (Receiver) End
---------------------
At the recipient end, end-user fires up his email client, receives
email, and views the bugged email. If his client is HTML enabled,
and has a current live connection to the net, it will, of course,
run off and download that image from img.msgtag.com.

I tested and, as one would expect, it is the downloading of the
image with the coded url that triggers the sending of the read
receipt.


Defeating (The real reason we're here)
--------------------------------------
There are, of course, several ways to break MSGTAG from the Victim's
point of view...

1) Edit /etc/hosts (c:\windows\system32\drivers\etc\hosts on NT/XP/2K,
c:\windows\hosts on 95/98/ME). (If 'hosts' doesn't exist, copy
'hosts.sam' to 'hosts' (making sure that it really is 'hosts' with
no extension, etc) or just create an empty file called 'hosts'
(make sure there's no .txt extension, etc).)

put a line that reads:

127.0.0.1 img.msgtag.com

in the hosts file. (Note that this works equally well for
ads.icq.com in older versions of the official icq client (for
the current version of ICQ Pro, replace the
\program files\icq\AteBrowser\123456\cache directory with an
empty, read-only file called 'cache' (no extension)).)

Restart things. When your mail client goes for the MSGTAG image
in the future, it will resolve 'img.msgtag.com' to localhost
(127.0.0.1) and try to receive the image from your own machine.
Since the image isn't there, it won't work. Elegantly simple.

Of course, there are numerous reasons why this, alone, might
not work. I've done this fiddling on a Windows box running
Internet Explorer, if you use another browser, your mileage
may vary (but the principles remain the same).

If your browser/mail client (in Windows, with IE and Outlook/
Outlook Express, the browser *IS* the mail client *is* the
Browser (thanks for nothing, US DOJ)) is configured to use a
proxy or a cache, it may refer the request for the MSGTAG
image off to the proxy/cache without ever referencing your
local /etc/hosts file.

Even turning on 'Bypass proxy server for local addresses'
didn't stop my browser/email client from loading the image.

In Internet Explorer, Tools -> Options -> Connections ->
LAN Settings -> Advanced -> Do not use proxy server for
addresses beginning with 'img.msgtag.com' fixed that little
problem.

If you're using dial-up straight from your Windows box,
the setting might be in Tools -> Options -> Connections ->
Dial-Up and VPN Settings -> <MY_ISP> -> Settings...


2) Tell your email client to ignore HTML content. As one poster
already suggested, telling the email client to ignore HTML
also, of course, works fine.

With Outlook Express 6, Tools -> Options -> Read ->
'Read all messages in plain text' does the trick. Sometimes
a restart is required to make it work, OE is weird like
that. Also, since Microsoft made OE and that dodgy messaging
client 'Windows Messenger' one inseverable blob, exiting
OE doesn't mean exiting OE. With NT/2K/XP, ctrl-shift-esc,
find msimn.exe, and 'End Task'. Thanks again, for nothing,
to the apparently toothless US Department of Justice.

3) Use a proxy to your advantage. Get an ad blocking (like
Guidescope) or content stripping (like Proxomitron) proxy
and use it to strip or otherwise munge the
http://img.msgtag.com/... request so that it doesn't happen,
or doesn't work.

The side bonus with one of these is that you get to browse
without ads and cookies and rubbish clouding the 'experience'.


Why MSGTAG doesn't work with Outlook/Exchange Combination
---------------------------------------------------------
Outlook (not Outlook Express) sending and receiving email through
a Microsoft Exchange server in a corporate environment doesn't
use SMTP to send emails, so the MSGTAG system doesn't work
with that (ie: you can't send emails tagged with MSGTAG 'bugs'
from Outlook/Exchange).

You can still be a 'victim' though. If someone working through
a conventional POP/IMAP/SMTP system sends you a bugged message,
your Outlook/Exchange setup will happily comply.


For future research
-------------------
It occurs to me that there are endless opportunities for invasion
of privacy, and collection of personal and personally identifying
information here. I spent less time testing this program than I
did writing this article, so I haven't looked into what the
MSGTAG SMTP relay sends upstream to msgtag.com servers, nor have
I looked at what the setup program communicates to logic.msgtag.com.

Most folks are smart enough to realise that collecting info and
doing other dodgy things is a one way trip to corporate obscurity
in/on today's internet, but if people as big as Microsoft are still
dumb enough to do it, then you can bet your bottom dollar that
the little people will, from time to time, be silly enough to
try it too.

Other interested parties may be interested to have a further dig
at this bit of software, and the chattering that goes on behind
the scenes. I, for one, would be interested to know.

For now, I'm off to re-image and wipe-out the test box!


Hope this helps,

G
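The two halves of the post above, the relay's footer insertion ("Sending Email") and the recipient-side defeat ("Defeating"), as an added worked example in Python using only the standard library. This is not code from the original post or from MSGTAG: the footer markup copies the shape of the HTML quoted in the post, but the function names, the placeholder bug URL (a constructed token, not a real MSGTAG identifier) and the sample message are assumptions made here for illustration.

```python
"""Reproduce and defeat an MSGTAG-style web bug with the standard library.

Added example, not code from the original post or from MSGTAG. The footer
markup follows the sample quoted in the post; the function names, the
placeholder bug URL and the sample message below are assumed.
"""
import html
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from urllib.parse import urlsplit

# Constructed placeholder. The real relay mints a per-message token in the
# path; the recipient's fetch of this URL is what fires the read receipt.
BUG_URL = "http://img.msgtag.com/example/constructed-token/hvxi.gif"

# Same shape as the single-cell table quoted in the post.
FOOTER = (
    '<p><table width="100%" bgcolor="#eeeeee"><tr><td width="100%">'
    '<a href="http://msgtag.com/?source=ffooter"><img src="{url}" border="0"></a>'
    " has notified the sender that this message has been received."
    "</td></tr></table><p>"
)

# Any <img> whose src is an absolute http(s) URL. Group 1 is the URL.
# Whitespace is tolerated after the opening quote, as in the post's sample.
REMOTE_IMG = re.compile(
    r'<img\b[^>]*?\bsrc\s*=\s*["\']?\s*(https?://[^"\'\s>]+)[^>]*>',
    re.IGNORECASE,
)


def tag_message(raw: bytes, bug_url: str = BUG_URL) -> EmailMessage:
    """Sender side, as the post describes the local relay: rebuild the
    outgoing message as multipart/alternative (plain + HTML) with the
    tracking footer appended to the HTML part. Ordinary headers are
    copied unchanged, matching the post's observation."""
    original = BytesParser(policy=policy.default).parsebytes(raw)
    if original.is_multipart():
        body = original.get_body(preferencelist=("plain",))
        text = body.get_content() if body is not None else ""
    else:
        text = original.get_content()

    tagged = EmailMessage(policy=policy.default)
    for name, value in original.items():
        if name.lower() not in ("content-type", "content-transfer-encoding", "mime-version"):
            tagged[name] = str(value)
    tagged.set_content(text)
    html_body = (
        "<html><body><p>" + html.escape(text).replace("\n", "<br>\n") + "</p>"
        + FOOTER.format(url=bug_url) + "</body></html>"
    )
    tagged.add_alternative(html_body, subtype="html")  # converts to multipart/alternative
    return tagged


def find_remote_images(msg: EmailMessage) -> list[str]:
    """Recipient-side check: every remote image URL referenced from HTML
    parts. Each one is a potential web bug, whoever the host is."""
    urls = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            urls.extend(REMOTE_IMG.findall(part.get_content()))
    return urls


def strip_remote_images(msg: EmailMessage) -> EmailMessage:
    """Return a copy of msg with remote <img> tags cut out of HTML parts,
    so that even an HTML-rendering client never fetches the bug."""
    clean = BytesParser(policy=policy.default).parsebytes(msg.as_bytes())
    for part in clean.walk():
        if part.get_content_type() == "text/html":
            cleaned = REMOTE_IMG.sub("<!-- remote image removed -->", part.get_content())
            part.set_content(cleaned, subtype="html")
    return clean


def hosts_file_lines(urls) -> list[str]:
    """Defence 1 from the post: one hosts-file line per bug host, pinning
    it to loopback so the image fetch goes nowhere."""
    hosts = sorted({h for h in (urlsplit(u).hostname for u in urls) if h})
    return [f"127.0.0.1 {h}" for h in hosts]


# Constructed sample message, as a client would hand it to the relay.
SAMPLE = (
    b"From: alice@example.com\r\n"
    b"To: bob@example.com\r\n"
    b"Subject: lunch\r\n"
    b"\r\n"
    b"See you at 12.\r\n"
)

if __name__ == "__main__":
    bugged = tag_message(SAMPLE)
    print(bugged.get_content_type(), find_remote_images(bugged))
    print(hosts_file_lines(find_remote_images(bugged)))
    print(find_remote_images(strip_remote_images(bugged)))
```

`tag_message` only changes the MIME structure and leaves the From/To/Subject headers alone, which is why, as the post notes, nothing in the headers gives the relay away; `find_remote_images` is the check worth running on any inbound mail, since every remote image is a read receipt for whoever hosts it, not just img.msgtag.com.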