|
I
agree with Ron. MSN, Excite, and all the web-based email guys (and gals)
wrestled with this problem for about
2
weeks about 2 or 3 years ago. The only way to fix this properly would be
to strip certain javascript code on the
server-side (i.e. IPSwitch work). Client-side message
scrubbing is a pretty nasty business. You can be
messing
with
the perfect RegExp for the next year and still not catch all the different ways
to get javascript to run. You also
don't
want to scrub too much out. This was the big whammy for MSN. They
had this annoying (but profitable)
practice of sending HTML/JavaScript emails of their promotions. If
they killed the JavaScript or the HTML, they
lose a
marketing tool.
So (as
I understand it), Microsoft et al. created a filter every time a new hack was
discovered. These filters were
also
different depending on the email's source. For example, certain tags were
allowed when say, Dell.com, sent
you
some spam, but disallowed the same tags if I forwarded the same message from
Dell through my server.
To
further illustrate Ron's point on the complex programming that needs to go the
server-side (and because I
love
beating dead horses), removing <script></script> areas isn't going
to be enough. For example:
<img src="javascript:void(0);" >
I'm
not sure about the exact syntax (objects is something else), but this would
basically go through all the
DOM
objects on the email page and make it so that any click on the page results in a
redirect to the fake
login
page. If you add a "parent." somewhere in there, you can make all the menu
items in the parent
frames
do the same thing. I guess my point is that this is a real pain in the
patootie to fix as there are
literally a hundred ways to grab username/passwords this
way.
I
couldn't find the exact articles, but here's some about the Hotmail
breaches.
To
address Ron's suggestion on trying to load up the message in the header... I've
tried that and the XML
pre-processing route. No joy. Either it's not possible or I'm
too stupid. It's pretty much an exercise in
futility. One that I'm not getting paid for either... and I love
getting paid for futile exercises.
It is frustrating
that there are only a few tags to work
with, but at the same time I have to admit that iMail
is
much
LESS frustrating than the alternatives (MS Exchange for one).
In fact, IMHO, I very much prefer programming
against iMail than against MSE or the now defunct
Software.com PostOffice. For now,
I'm working on a
very convoluted (and very slow)
ASP/XML/COM/iMail web interface. Until that's done, I'm going to try
just
using
the <!--IMAIL.MessageBodyPlain--> tag and disabling
all HTML. Will let you know how it
goes... if I
live that long.
-Norm
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Ron Hornbaker Sent: Saturday, March 16, 2002 9:38 PM To: [EMAIL PROTECTED] Subject: RE: [IMail Forum] Old Hack on Hotmail seems to work on iMail web users... It would
take more than a checkbox, of course. The programming logic behind it is
significantly complex. It's easy to strip <script> tags. But JavaScript
can be embedded in almost any object in the W3C DOM, and triggered in a
multitude of ways. Consider, for example, that Ipswitch's programmers would have
to build a huge regular expression to catch literally every event trigger (like
onSelectStart, onBeforeLoad, onUnload, onError, etc. etc.) that can be embedded
in normal objects, and strip them out along with their script parameters. Such a
parse could prove to be prohibitively cpu expensive. The easy way out is to just
strip all tags server-side, and display the message as plain-text. That's what
the option should be.
Something
worth playing with (you listening Norm?) would be JavaScript in the header of
readmail.html that would *catch* all events that happen during the load of the
page or load of images, and return false. Might be possible. But you'll always
be playing catch up with the multitudes of crackers and script kiddi3s that can
easily stay a step ahead.
-Ron
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Joshua Levitsky Sent: Saturday, March 16, 2002 9:07 PM To: [EMAIL PROTECTED] Subject: Re: [IMail Forum] Old Hack on Hotmail seems to work on iMail web users...
|
- RE: [IMail Forum] Problem W... John Tolmachoff
- RE: [IMail Forum] Problem W... Norman J. Nolasco
- Re: [IMail Forum] Problem W... Smart Business Lists
- RE: [IMail Forum] Problem W... Norman J. Nolasco
- [IMail Forum] off topic question - Traffic Tom
- Re: [IMail Forum] off topic question - T... dave marchette
- Re: [IMail Forum] Old Hack on Hotmail seems to work o... Joshua Levitsky
- RE: [IMail Forum] Old Hack on Hotmail seems to w... Ron Hornbaker
- Re: [IMail Forum] Old Hack on Hotmail seems ... Joshua Levitsky
- RE: [IMail Forum] Old Hack on Hotmail se... Ron Hornbaker
- Norman J. Nolasco
