(As published in Risks Digest Volume 21: Issue 5)Summary: Unseen things in HTML mail may trigger HTTP censorware.
First, the data points:
- Many workplaces, including mine, have HTML-"enabled" mail software on the desktop.
- Many workplaces (though not as many), including mine, make use of HTTP proxy "censorware" to catch employees trying to access "bad" sites (porn, hate sites, hacking sites, etc).
- Those sites, like many others, tend to use 1x1 GIFs for spacing and the like.
- Users who read HTML mail rarely view the source.
It is extremely trivial to concoct an HTML mail message containing IMG SRC calls to (near-)invisible 1x1 images, or other more damning images scaled to 1x1, from any number of "banned" sites.
If such a message is received and opened by someone with an HTML mail reader, they will probably generate HTTP requests to those sites, which would be blocked/logged by proxy censorware.
Thus, a prankster, BOFH, or anyone bent on malice can pull off a "joe job" by sending e-mail to such a recipient. The e-mail might appear to be totally innocent based on its content, or might even be disguised as spam, with forged headers and other junk.
It doesn't matter, really, as long as the recipient's mailreader generates the HTTP requests for those files. Enough entries in the censorware log over a period of time, and someone's bound to start asking questions.
Of course, the HTTP requests are for individual files, not pages. But if the proxy is _blocking_ requests to "banned" sites (ours is), no pages could be accessed anyway, so all log entries would be of an individual-file nature. These are just blocked requests for images, rather than blocked requests for HTML files.
(As a side note, if someone were ideologically opposed to the use of censorware, sending this sort of message to a large number of users behind such a proxy, including those parties charged with administering the proxy, would seem to be a fitting form of protest.)