Major Privacy Issue with Spam Email


This note outlines a major privacy issue with spam email that affects people with permanent, "always on" Internet connections.

Suppose your name is Tom Karman and you live in Podunk, MD and work at a small company called Smallco.  At work you have a direct connection to the Internet.  At home you also have a permanent connection through a cable modem or DSL service.  Your work email address is something like T.Karman@smallco.com or perhaps just tom@smallco.com.  At home your email address might be something like Tom.Karman@comcast.net.

At work your desktop computer has its own Internet address which might be something like 123.43.12.34 corresponding to a host name of: "tomsdesktop.smallco.com".  

At home, your home computer with high-speed access probably has a permanently or semi-permanently assigned Internet address and corresponding host name like "pcp0241627.podunk.md.comcast.net".  Dial-up users get a new Internet address and host name from a "pool" each time they connect.

The email system was designed before anybody even thought of spam and works by means of "conversations" between computers handling the mail.  The conversation between the spammer's computer and your email server computer can go something like this:

Spammer: "Hello smallco.com"
Smallco: "Hello spammer this is smallco.com"
Spammer: "Verify user tom"
Smallco: "User tom verified Tom Karman <tom@smallco.com>"
Spammer: "Verify user joe"
Smallco: "User joe unknown user"

Notice that Smallco's mail server not only verified your email address but gave out your full name!  The conversation is so brief that the spammer's computer can try thousands of random names until it gets a hit, even tom23 or bill17.  Some mail servers don't give out full names.  Larger service providers often have more sophisticated methods for blocking this type of spammer attack.  If your email address is used by you or anybody else on a web site or in a newsgroup posting, the spammer can obtain your address without interrogating your mail server.

Now a porn site operator or other spammer sends you a spam email which has pictures, graphics, or even hidden graphics.  Spammers don't generally send the graphics as part of the email message because graphics need a lot of bandwidth and many of the email addresses in the spammer's list of millions of addresses are not actually checked.  Instead, the spammer's email contains "HTML" codes which cause the user's email program to download the graphic files from the spammer's web site only when the email message is viewed.  In the process the user's email address is communicated to the spammer's web site. Technically, this is done by using an HTML statement in the spam email message like:

<IMG SRC="http://www.porno.com/juicy.gif?annsyehhndklfgncv83mnfjui389kkdhj37jbvkd"> 

The long random-looking string of characters in the image URL is actually an encoded version of the user's email address.  When any file is requested from a web site, the Internet address of the requesting computer is sent to the web site server.  The spammer's computer can now relate your email address to your computer's address.  They can add to a database the information that "pcp0241627.podunk.md.comcast.net" is Tom.Karman@comcast.net.  If you or anyone with access to your computer ever opened an email from the spammer, they could have this correlation and also verification that the email address is a "live one".

If you or anyone with access to your computer accesses the spammer's web site, the spammer can build a database of the type of material accessed.  They can track what you access in terms of your email address and maybe your full name.  They can determine when (to the second) you accessed a page and how long you spent looking at a page.

Spammers frequently use misleading Subject, From, and To lines in spam messages in an effort to get users to open spam emails that they wouldn't normally open.  If you use an email program like Eudora which has a "preview pane", then as you drag a spam message to the trash bin it is actually being opened in the preview window and your information is being sent to the spammer.
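What a mail program that blocks remote images looks for can be sketched in Python. This is an added example, not part of the original article: it lists every image in a message body that would be fetched from a remote server and flags the two signs described above, a long per-recipient token in the URL and a hidden graphic. The function and class names are hypothetical, and the sample body is constructed around the image tag shown above.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

class RemoteImageFinder(HTMLParser):
    """Collect <img> tags whose source would be fetched from a remote server."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag and attribute names, so <IMG SRC=...> matches.
        if tag != "img":
            return
        a = {k: (v or "") for k, v in attrs}
        url = urlsplit(a.get("src", ""))
        if not url.netloc:
            return  # cid: and data: images travel inside the message itself
        reasons = []
        if len(url.query) >= 16:
            reasons.append("opaque-token")   # room for an encoded email address
        if a.get("width") in ("0", "1") or a.get("height") in ("0", "1"):
            reasons.append("hidden-pixel")   # graphic the reader never sees
        self.findings.append({"host": url.hostname, "path": url.path,
                              "token": url.query, "reasons": reasons})

def find_remote_images(html):
    """Return one finding per remote image referenced by an HTML message body."""
    parser = RemoteImageFinder()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed message body: the tag from this article, a hidden 1x1 image on a
# made-up host, and an inline (cid:) image that causes no network request.
SAMPLE_HTML = '''<html><body><p>Special offer</p>
<IMG SRC="http://www.porno.com/juicy.gif?annsyehhndklfgncv83mnfjui389kkdhj37jbvkd">
<img src="http://spammer.example/p.gif?u=tom" width="1" height="1">
<img src="cid:logo@smallco.com" width="120" height="40">
</body></html>'''

if __name__ == "__main__":
    for f in find_remote_images(SAMPLE_HTML):
        print(f["host"], f["path"], ",".join(f["reasons"]) or "remote image")
```

Every finding, flagged or not, is a request that would reveal the reader's Internet address when the message is displayed.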

It gets worse.  How many Tom Karmans are there in Podunk, MD?  The spammer can do an automated white pages search in an effort to relate your email address and town name to your street address.  You can readily imagine what kind of mail you might get if anyone using your computer ever accessed the "busty babes" page.  Spammers can sell this data to other spammers who could then track your access to their sites even though you never opened a spam message from that particular spammer.

This problem can be largely eliminated at your company if the company uses a proxy server for accessing web pages outside the company.  Such a proxy server makes it look like all accesses to web sites outside the company are coming from a single company Internet address, something like proxy.smallco.com. The proxy server can also attempt to block access to porn sites by employees.  This is considered mandatory by most companies because otherwise employees can sue the company on the grounds that the company did not take reasonable steps to prevent sexual harassment resulting from employees accidentally viewing porn sites being accessed by other employees.  (Other obvious reasons for blocking employee access to porn sites are also valid.)  Some companies do not provide permanent access from each desktop machine but require users to log on to the Internet at least daily and rotate pool Internet addresses at each logon.

If you access web sites using your high-speed connection but through AOL, AOL assigns you a pool proxy address only for the duration of your connection to AOL.

If you use a permanent Internet address to access the web, the following might help:

You might want to consider disabling the preview window in your email program.

You might want to consider using an email address that cannot be readily related to your name.

Check to make sure your company mail server does not give out your full name in response to a computer query.
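The "verify user" conversation paraphrased earlier corresponds to the SMTP VRFY command, and the check in the last item comes down to how your server answers it. The following Python is an added example, not part of the original article: it classifies a VRFY reply and reports any full name it discloses. The names classify_vrfy, audit_replies and audit_server are hypothetical, the sample replies are constructed, and audit_server assumes a single query for your own mailbox on a mail server you administer.

```python
import re
import smtplib

def classify_vrfy(code, text):
    """Return (verdict, leaked_name) for one reply to an SMTP VRFY command."""
    if code == 250:
        # e.g. "Tom Karman <tom@smallco.com>": display name before the mailbox
        m = re.match(r'\s*"?([^"<>@]+?)"?\s*<[^<>\s]+@[^<>\s]+>', text)
        name = m.group(1).strip() if m else None
        return ("leaks-name" if name else "confirms-address", name)
    if code == 251:
        return ("confirms-address", None)   # user exists, mail is forwarded
    if code == 252:
        return ("noncommittal", None)       # accepts mail, confirms nothing
    if code in (550, 551, 553):
        return ("confirms-unknown", None)   # "unknown user" also tells the sender something
    if code in (500, 502, 504):
        return ("disabled", None)           # command not recognised or not implemented
    return ("other", None)

def audit_replies(replies):
    """Classify a list of (code, text) replies, e.g. copied from a manual session."""
    return [classify_vrfy(code, text) for code, text in replies]

def audit_server(host, mailbox, port=25, timeout=10):
    """Send one VRFY for your own mailbox to your own server and classify the reply."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo_or_helo_if_needed()
        code, msg = smtp.verify(mailbox)
    return classify_vrfy(code, msg.decode("utf-8", "replace"))

# Constructed replies modelled on the conversation in this article (not captured traffic).
SAMPLE_REPLIES = [
    (250, "Tom Karman <tom@smallco.com>"),
    (250, "<tom@smallco.com>"),
    (252, "Cannot VRFY user, but will accept message and attempt delivery"),
    (550, "joe... User unknown"),
    (502, "VRFY command is disabled"),
]

if __name__ == "__main__":
    for (code, _), (verdict, name) in zip(SAMPLE_REPLIES, audit_replies(SAMPLE_REPLIES)):
        print(code, verdict, name or "-")
```

A server that answers "noncommittal" or "disabled" for every mailbox gives out neither names nor confirmation that an address exists.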

If you are interested in determining what Internet address (host name) has been assigned to your computer, point your browser at:

http://www.seekon.com/ex/browsertest

Your host name is given as: REMOTE_HOST.

Your computer's corresponding numerical Internet address is given as: REMOTE_ADDR.

Copyright 2003 Azinet LLC