On 2003-06-21, 02:55:01 (-0700), Paul Wallingford wrote:
> The following code sneaks through and does not get defanged. It is
> valid HTML / XML and renders in the mail reader (Mozilla). This is a
> security problem because it can be used by attackers to track recipients
> and possibly download malicious code to the victim's machine. In this
> message, it may appear on separate lines, but it appeared all on one
> line in the original message.
>
> <img border="0" src="http://www.lunarlandrush.com/images/moon_032303_1.gif"/>

Are you saying you think all external IMG references should be
defanged?

A lot of people would disagree with you! :-) So that behavior is
configurable:

The default is to block external references to various "unusual"
non-http protocols such as hcp:// or smb:// or the various internal
or javascript (about:, javascript:) URL syntaxes.

If you also want to block any e-mail images originating via
HTTP or FTP, just set "feat_webbugs = 1". That should do the trick.

--
Bjarni R. Einarsson    PGP: 02764305, B7A3AB89
25888@xyz.molar.is    -><-    http://bre.klaki.net/

Check out my open-source email sanitizer: http://mailtools.anomy.net/
Spammers, please send lots of mail to: 26012@xyz.molar.is
Was I helpful? Let others know: http://svcs.affero.net/rm.php?r=Juggler
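
The two policies described in the reply above, modelled as an added example (this is not the Anomy sanitizer's code and not part of the original message). The scheme sets, the choice of auto-loading attributes, the inclusion of https and every function name are assumptions made for illustration; the sample message is constructed and reuses the IMG tag quoted in the thread.

```python
import re
from html.parser import HTMLParser

# Assumption: scheme lists modelled on the reply, not taken from Anomy's source.
UNUSUAL = {"hcp", "smb", "about", "javascript"}   # blocked by default
WEBBUG = {"http", "https", "ftp"}                 # https added as an assumption
AUTOLOAD_ATTRS = {"src", "background"}            # fetched without a click

_SCHEME = re.compile(r"^([a-z][a-z0-9+.\-]*):", re.I)

def url_scheme(value):
    """Return the lower-cased scheme, ignoring whitespace/control-character padding."""
    cleaned = re.sub(r"[\x00-\x20]", "", value or "")
    match = _SCHEME.match(cleaned)
    return match.group(1).lower() if match else ""

class RefAuditor(HTMLParser):
    """Collect (tag, scheme) for auto-loading references the policy would defang."""
    def __init__(self, block_webbugs):
        super().__init__()
        self.blocked = UNUSUAL | (WEBBUG if block_webbugs else set())
        self.hits = []

    # <img .../> also arrives here: handle_startendtag delegates to this method.
    def handle_starttag(self, tag, attrs):
        for name, value in attrs:          # values arrive entity-decoded
            scheme = url_scheme(value)
            if name in AUTOLOAD_ATTRS and scheme in self.blocked:
                self.hits.append((tag, scheme))

def audit(html, block_webbugs=False):
    parser = RefAuditor(block_webbugs)
    parser.feed(html)
    parser.close()
    return parser.hits

# Constructed sample body: the IMG from the thread, an entity-obfuscated
# javascript: reference, and an inline (cid:) attachment that is not external.
SAMPLE = (
    '<p>Hello</p>'
    '<img border="0" src="http://www.lunarlandrush.com/images/moon_032303_1.gif"/>'
    '<img src="jav&#x09;ascript:void(0)">'
    '<img src="cid:logo@example.invalid">'
)

if __name__ == "__main__":
    print("default policy :", audit(SAMPLE))
    print("webbugs blocked:", audit(SAMPLE, block_webbugs=True))
```

With the default policy only the javascript: reference is reported; the HTTP image from the thread is reported once the web-bug option is modelled as enabled, and the cid: image is left alone in both cases.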