[CLUE-Tech] RE: OT Funky E-Mail Messages - Possible e-mail exploit?

Paul Bille Paul at eBille.cudenver.edu
Fri Oct 18 19:33:16 MDT 2002


Joe > "written in web-based html mail.  The message included . . . <img
src="cid:X.MA512867824 at aol.com" id="MA512867824"  etc.

Joe,

Thanks for doing the research.  I'm embarrassed because I didn't
recognize the "cid" protocol used here.  I'm not too proud to admit my
shortcomings and seek help from my peers.  

I've done some research also.  Here's what I found.  The "cid"
(Content-ID) protocol is described in RFC2111.  Excerpt:

   "The use of [MIME] within email to convey Web pages and their
   associated images requires a URL scheme to permit the HTML to refer
   to the images or other data included in the message.  The Content-ID
   Uniform Resource Locator, "cid:", serves that purpose."

It appears the messages I'm getting are multipart messages.  The
Content-ID URL points to an element embedded in the message which may or
may not have been stripped.  Does anyone out there know how to dissect a
multipart e-mail message?  . . . how to locate the raw message in an
Outlook file?

The html code
<iframe src=cid:J5X496Ef2Vs0 height=0 width=0>
is intended to load an element which I presume to be an executable.  The
height and width of the iframe are both zero which indicates to me that
the author doesn't want the reader to see anything.  

There appear to be no attachments to the message.  I saved the message
and all I see is:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=iso-8859-1">
<META content="MSHTML 6.00.2800.1106" name=GENERATOR></HEAD>
<BODY><B>From:</B> smiley5646 [smiley5646 at aol.com]<BR><B>Sent:</B>
Friday, 
October 18, 2002 2:08 PM<BR><B>To:</B> 
Paul at ebille.cudenver.edu<BR><B>Subject:</B> Return true<BR><IFRAME 
src="cid:GgGet45R3BO9N6df0" width=0 height=0>
</IFRAME><FONT 
size=+0></FONT></BODY></HTML>

I don't see an executable.  It either could have been stripped or it
could still be lurking somewhere in the Outlook database.  I searched my
disk for "GgGet" presuming it may have been stored in a temp directory
but didn't find anything.

Think about it guys.  If we can figure this thing out, we may save
ourselves some trouble with a new strain of e-mail troubles.

Thanks,
Paul
http://bille.cudenver.edu/author 
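To Paul's question about dissecting a multipart message and checking whether the cid: target is still inside it: below is an added example (not from this post or the list), a small Python triage script that parses a raw message, maps every Content-ID header to its MIME part, and reports each cid: reference found in the HTML body, whether the referenced part is present, its declared type, whether the frame is 0x0, and whether the decoded part begins with the MZ executable magic. The embedded message is a constructed sample shaped like the one quoted above, not the real mail.

```python
import re
from email import message_from_string, policy

# Constructed sample shaped like the message in the post (not the real mail).
SAMPLE_EML = """\
Content-Type: multipart/related; boundary="BND"

--BND
Content-Type: text/html; charset=iso-8859-1

<HTML><BODY><IFRAME src="cid:GgGet45R3BO9N6df0" width=0 height=0></IFRAME>
<IMG src="cid:missingpart"></BODY></HTML>
--BND
Content-Type: application/octet-stream; name="payload.exe"
Content-ID: <GgGet45R3BO9N6df0>
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
--BND--
"""

TAG_RE = re.compile(r"<(iframe|img|embed|object)\b([^>]*)>", re.I)
ATTR_RE = re.compile(r'(\w+)\s*=\s*"?([^"\s>]+)"?')

def parts_by_cid(msg):
    """Map each Content-ID (angle brackets stripped) to its MIME part."""
    return {str(p["Content-ID"]).strip("<>"): p
            for p in msg.walk() if p["Content-ID"]}

def triage(raw):
    """One finding per cid: reference found in any text/html part."""
    msg = message_from_string(raw, policy=policy.default)
    cids, findings = parts_by_cid(msg), []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        for tag, attr_text in TAG_RE.findall(part.get_content()):
            attrs = {k.lower(): v for k, v in ATTR_RE.findall(attr_text)}
            src = attrs.get("src", "")
            if not src.lower().startswith("cid:"):
                continue  # only in-message references matter here
            target = cids.get(src[4:])
            body = target.get_payload(decode=True) if target else b""
            findings.append({
                "tag": tag.lower(), "cid": src[4:], "present": target is not None,
                "content_type": target.get_content_type() if target else None,
                "hidden": attrs.get("width") == "0" and attrs.get("height") == "0",
                "mz_header": body[:2] == b"MZ",  # PE executable magic
            })
    return findings
```

Run it over a saved raw .eml (Outlook's rendered view, as in the post, is not the raw message, so export the original source first); a finding with `present` false means the mail gateway or client already stripped the referenced part.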
