C
Conrad Pfleging
IS there a question in there? Turn off preview pane if you're concerned
with that.
with that.
You are using an out of date browser. It may not display this or other websites correctly.
You should upgrade or use an alternative browser.
You should upgrade or use an alternative browser.
K
Keith W. McCammon
Microsoft e-mail readers
The problem is with mail readers that display HTML messages, which are made
by companies other than MS.
Yes, this is a well-known tactic.
The solution is to display all messages in plain text. Pretty foolproof, if
you ask me.
The problem is with mail readers that display HTML messages, which are made
by companies other than MS.
Although some HTML content in e-mail is not viewed for security reasons,
images are fetched from their associated web servers when the e-mail is
previewed/viewed. This gives spammers an opportunity to detect that the
e-mail has been delivered and at least previewed.
Procedure is easy. Simply place an image with a known ID within the e-mail
you are sending and tell your web server to keep track of requested images
and record those IDs. This way one can track whether an e-mail has been
delivered or not.
Yes, this is a well-known tactic.
I would like to discuss this issue further with others. If possible e-mail
clients may be modified to view only embedded resources and leave out all
linked resources.
The solution is to display all messages in plain text. Pretty foolproof, if
you ask me.
C
Cagdas Ozgenc
Microsoft e-mail readers seem to give opportunity to spammers to detect that
the e-mail recipient, which is you, actually exists and know that you
recieve and view the e-mail they are sending to you.
Although some HTML content in e-mail is not viewed for security reasons,
images are fetched from their associated web servers when the e-mail is
previewed/viewed. This gives spammers an opportunity to detect that the
e-mail has been delivered and at least previewed.
Procedure is easy. Simply place an image with a known ID within the e-mail
you are sending and tell your web server to keep track of requested images
and record those IDs. This way one can track whether an e-mail has been
delivered or not.
I would like to discuss this issue further with others. If possible e-mail
clients may be modified to view only embedded resources and leave out all
linked resources.
Regards,
Cagdas Ozgenc
the e-mail recipient, which is you, actually exists and know that you
recieve and view the e-mail they are sending to you.
Although some HTML content in e-mail is not viewed for security reasons,
images are fetched from their associated web servers when the e-mail is
previewed/viewed. This gives spammers an opportunity to detect that the
e-mail has been delivered and at least previewed.
Procedure is easy. Simply place an image with a known ID within the e-mail
you are sending and tell your web server to keep track of requested images
and record those IDs. This way one can track whether an e-mail has been
delivered or not.
I would like to discuss this issue further with others. If possible e-mail
clients may be modified to view only embedded resources and leave out all
linked resources.
Regards,
Cagdas Ozgenc
R
Ricardo Oliveira
Sorry Conrad but I think Cagdas has a point.
Spammers shouldn't be allowed to track what people do with their e-mails. Of
course preview can be turned off and a firewall can be installed but I think
that's not the issue here.
Ricardo Oliveira
Spammers shouldn't be allowed to track what people do with their e-mails. Of
course preview can be turned off and a firewall can be installed but I think
that's not the issue here.
Ricardo Oliveira
W
whoever
The solution is to display all messages in plain text. Pretty
foolproof, if you ask me.
Displaying messages in plain text is a case of throwing the baby out with
the bath water. While I'm more than happy to view almost all my e-mail in
plain text, I would be far happier if IE allowed me the option of viewing
HTML e-mails without downloading "remote" elements. There are e-mails that
I receive (such as my frequent flyer statement) that use HTML tables to lay
out information that are simply unreadable in Plain text mode.
While the original poster is talking about something that has been well
known for a long time (and isn't, as you point out, unique to OE), he is
right to point out that the best solution to "web bugs" or "web beacons" is
to only display "local" resources. "Display as Plain Text" happens to
achieve the same end (though that's not it's primary purpose), but it
destroys the useful parts of HTML e-mail as well as the harmful parts.
K
Keith W. McCammon
Sorry Conrad but I think Cagdas has a point.
There isn't really any issue. If you don't want the chance active content
being activated within e-mails, you should read e-mails in plain text.
That'll solve your problem.
Spammers shouldn't be allowed to track what people do with their e-mails. Of
course preview can be turned off and a firewall can be installed but I think
that's not the issue here.
There isn't really any issue. If you don't want the chance active content
being activated within e-mails, you should read e-mails in plain text.
That'll solve your problem.
K
Keith W. McCammon
While the original poster is talking about something that has been well
Two schools of thought, I suppose...
In my opinion, if you want to send someone a web page, you should e-mail
them a URL. Period. You can try to get "fancy" and distinguish between
imbedded and remote content, but you're still opening yourself up to risk.
Remember, as hard as you work to beat their tracking mechanisms, they're
working just as hard to defeat your safeguards.
known for a long time (and isn't, as you point out, unique to OE), he is
right to point out that the best solution to "web bugs" or "web beacons" is
to only display "local" resources. "Display as Plain Text" happens to
achieve the same end (though that's not it's primary purpose), but it
destroys the useful parts of HTML e-mail as well as the harmful parts.
Two schools of thought, I suppose...
In my opinion, if you want to send someone a web page, you should e-mail
them a URL. Period. You can try to get "fancy" and distinguish between
imbedded and remote content, but you're still opening yourself up to risk.
Remember, as hard as you work to beat their tracking mechanisms, they're
working just as hard to defeat your safeguards.
R
Ricardo Oliveira
I have to agree with you. But I guess that many users aren't aware of that
and use the fancy html format with previews. Spammers are just taking
advantage of people and that's unfair. Spamming is illegal!
and use the fancy html format with previews. Spammers are just taking
advantage of people and that's unfair. Spamming is illegal!
W
whoever
In my opinion, if you want to send someone a web page, you should
e-mail them a URL.
And I specifically provided an example that wasn't a web page. (Columnar
data laid out using HTML tables). Since mail clients like OE default to
displaying plain text mail in proportional fonts, the old solution of just
lining up columns of data no longer works for most e-mail message. The text
layout functions of HTML, and even the colour, size and font abilities
would be useful to have in e-mail, if they didn't come with a load of
extraneous baggage.
Period. You can try to get "fancy" and
distinguish between imbedded and remote content, but you're still
opening yourself up to risk.
There's nothing "fancy" about ignoring http:// sourced objects. OE already
has the option to run in a seperate Security context, they just need to
manage decisions about displaying images in the security context, rather
than as a general setting.
Remember, as hard as you work to beat
their tracking mechanisms, they're working just as hard to defeat your
safeguards.
That applies to the "plain text" solution too - it's certainly not an
argument against supporting HTML formatting.
A
Alaa Abdelhalim [MSFT]
The feature you requested is part of Outlook 2003. By default, html-linked
resources are not followed anymore unless the user opts to download them for
a specific message or changes the global option to always download them.
Check out the BETA if you're interested.
I believe this is being/going to be done in the latest versions of other
products/services as well.
resources are not followed anymore unless the user opts to download them for
a specific message or changes the global option to always download them.
Check out the BETA if you're interested.
I believe this is being/going to be done in the latest versions of other
products/services as well.
R
Robert Moir
Conrad said:IS there a question in there? Turn off preview pane if you're
concerned with that.
Thats nice but the first time you do view one of the emails that carry
web-bugs, maybe the name fooled you, maybe you double clicked by accident,
you get hit.
Cagdas has a very valid point - this is a weakness in the current MS email
platforms, and while its going to be addressed properly in the next version
of Outlook, for now its a real problem caused by a real weakness in the
platform.
R
Robert Moir
whoever wrote:
Have to say I haven't thought about it this way myself but thats mostly
because I don't think there is such a thing as "useful HTML e-mail"
personally.
Displaying messages in plain text is a case of throwing the baby out
with the bath water. While I'm more than happy to view almost all my
e-mail in plain text, I would be far happier if IE allowed me the
option of viewing HTML e-mails without downloading "remote" elements.
There are e-mails that I receive (such as my frequent flyer
statement) that use HTML tables to lay out information that are
simply unreadable in Plain text mode.
While the original poster is talking about something that has been
well known for a long time (and isn't, as you point out, unique to
OE), he is right to point out that the best solution to "web bugs" or
"web beacons" is to only display "local" resources. "Display as Plain
Text" happens to achieve the same end (though that's not it's primary
purpose), but it destroys the useful parts of HTML e-mail as well as
the harmful parts.
Have to say I haven't thought about it this way myself but thats mostly
because I don't think there is such a thing as "useful HTML e-mail"
personally.
W
whoever
Have to say I haven't thought about it this way myself but thats mostly
because I don't think there is such a thing as "useful HTML e-mail"
personally.
I tend to agree with you, but since mail clients started to default to
proportional fonts, instead of fixed width fonts, there is no way to
reliably display columns of data in plain text e-mail. If I could have HTML
layout without images, I'd probably leave HTML enabled in my mail client,
(even though I only send plain text, and convert HTML to plain text when I
reply), because once I delete the spam, which I have to do anyway, the only
HTML formatted mail left is stuff that I'm happy enough to read in HTML
format.
J
Jim Pickering
whoever said:I tend to agree with you, but since mail clients started to default to
proportional fonts, instead of fixed width fonts, there is no way to
reliably display columns of data in plain text e-mail. If I could have
HTML layout without images, I'd probably leave HTML enabled in my mail
client, (even though I only send plain text, and convert HTML to plain
text when I reply), because once I delete the spam, which I have to do
anyway, the only HTML formatted mail left is stuff that I'm happy enough
to read in HTML format.
Try setting a fixed width font in the Proportional Font list. Open OE,
click Tools/Options/Read/Fonts button and insert the Fixed Width font of
your choice in the Proportional box. Should fix the problem in reading a
Plain Text message. Many people use Courier (new) in both boxes w/o
problem.
M
mikey
Outpost firewall from Agnitum is the only firewall I have seen that prevents this type of phone back home.
setting the rules for OE to be a news/mail client, it is not allowed to send this acknowledgement.
(e-mail address removed)
Microsoft e-mail readers seem to give opportunity to spammers to detect that
the e-mail recipient, which is you, actually exists and know that you
recieve and view the e-mail they are sending to you.
Although some HTML content in e-mail is not viewed for security reasons,
images are fetched from their associated web servers when the e-mail is
previewed/viewed. This gives spammers an opportunity to detect that the
e-mail has been delivered and at least previewed.
Procedure is easy. Simply place an image with a known ID within the e-mail
you are sending and tell your web server to keep track of requested images
and record those IDs. This way one can track whether an e-mail has been
delivered or not.
I would like to discuss this issue further with others. If possible e-mail
clients may be modified to view only embedded resources and leave out all
linked resources.
Regards,
Cagdas Ozgenc
setting the rules for OE to be a news/mail client, it is not allowed to send this acknowledgement.
(e-mail address removed)
Microsoft e-mail readers seem to give opportunity to spammers to detect that
the e-mail recipient, which is you, actually exists and know that you
recieve and view the e-mail they are sending to you.
Although some HTML content in e-mail is not viewed for security reasons,
images are fetched from their associated web servers when the e-mail is
previewed/viewed. This gives spammers an opportunity to detect that the
e-mail has been delivered and at least previewed.
Procedure is easy. Simply place an image with a known ID within the e-mail
you are sending and tell your web server to keep track of requested images
and record those IDs. This way one can track whether an e-mail has been
delivered or not.
I would like to discuss this issue further with others. If possible e-mail
clients may be modified to view only embedded resources and leave out all
linked resources.
Regards,
Cagdas Ozgenc
J
Jim Pickering
whoever said:I know how to do that, Jim (in fact, I might even have been the first
person to post that method in these newsgroups).
Could be, although I remember Tom Koch posting it several years ago and I
believe it was on one of Eric Miller's tips for IMN and OE4. But I often
forget who posted what first, and it seems rather unimportant. I think
using Tables would be the way to go, but there are those who not only hate
the use of HTML but also hate tables equally as much. One can go round the
bend trying to find something that pleases all and that may be why we still
have so many problems with OE. It's been said a camel is a horse designed
by a committee and I think OE is something of a "camel" also suffering from
the same problem.
Best regards.
Jim Pickering
S
Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
IMHO this is a moot argument since this feature is native to Outlook 2003. 2k3
blocks external pulls so that the sender won't realize you are a valid address
even with preview pane turned on.
But mark my words, people will want to turn on the html to see the pictures in
their email.....
blocks external pulls so that the sender won't realize you are a valid address
even with preview pane turned on.
But mark my words, people will want to turn on the html to see the pictures in
their email.....
E
|{evin
Have to say I haven't thought about it this way myself but thats mostly
because I don't think there is such a thing as "useful HTML e-mail"
personally.
Amen to THAT!
K
Kent W. England [MVP]
They are called web bugs. "Read messages in plain text" is an option if
you upgrade your OE.
you upgrade your OE.
J
Jeff Cochran
Displaying messages in plain text is a case of throwing the baby out with
1) Download mail
2) Disconnect from internet
3) Read mail
Except that legitimate mail may have the same links to external
images. Wouldn't stopping the SPAM be more productive? If you're
that worried, use a throwaway account to read your mail.
Jeff
the bath water. While I'm more than happy to view almost all my e-mail in
plain text, I would be far happier if IE allowed me the option of viewing
HTML e-mails without downloading "remote" elements.
1) Download mail
2) Disconnect from internet
3) Read mail
While the original poster is talking about something that has been well
known for a long time (and isn't, as you point out, unique to OE), he is
right to point out that the best solution to "web bugs" or "web beacons" is
to only display "local" resources. "Display as Plain Text" happens to
achieve the same end (though that's not it's primary purpose), but it
destroys the useful parts of HTML e-mail as well as the harmful parts.
Except that legitimate mail may have the same links to external
images. Wouldn't stopping the SPAM be more productive? If you're
that worried, use a throwaway account to read your mail.
Jeff