Picture this: you are a spammer. You send out a million spams (junk emails) to a million different email addresses. Within minutes you are logging the READING of those emails. Note this is not people who respond; you can actually log someone just previewing or reading the email in Outlook or Outlook Express. And the best part: the poor user has no idea this is happening to him. It is completely stealthy.
Each time you log this you add these email addresses to your "A" list, because you know they are valid addresses and your crap is being viewed by these people. THESE ARE VALUABLE ADDRESSES!!
The other day I was working and turned off my firewall for just a minute. In that time I received an email and like an idiot I previewed it before re-enabling my firewall. In that one second my information (the time, my IP address, my email address, my Operating system, what browser I use, who is my ISP, and the fact that I got the email and read it) was recorded by a spammer because Outlook Express is exploitable via email webbugs. It pissed me off so much that I threw this little demo together to show the world what is going on.
I've chased MS to fix this for a couple years now, but they just tell me "it's not a security issue". Yet spammers have been using this technique to verify that your email address is active and to log all this information about you. So ok, now you can decide for yourself if this is a security issue.
What are webbugs?
The way it works is you enter your email address in the box below, hit submit, and the server will send you an exploit email. When you read that email, your email program will silently make a connection to my server and I will log your information. Once that happens, you can view that logged information on the following page.
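The beacon described above is an HTML mail whose body references an image on the spammer's server; the reference carries a token or the recipient's address so the server log ties the fetch to one mailbox. The scanner below is an added example (not code from this page) that a defender can run over a raw message to list every remote reference a mail client would fetch and flag the ones that look like tracking pixels. The sample message, the hostnames cdn.example.net and track.example.net, and the token value are constructed for the demonstration.

```python
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import unquote, urlparse


class RemoteRefFinder(HTMLParser):
    """Collect attributes in an HTML body that make a mail client fetch a remote resource."""

    # Tag/attribute pairs that trigger an automatic fetch when the mail is rendered.
    FETCH_ATTRS = {
        "img": ("src",),
        "input": ("src",),
        "iframe": ("src",),
        "link": ("href",),
        "body": ("background",),
        "table": ("background",),
        "td": ("background",),
    }

    def __init__(self):
        super().__init__()
        self.refs = []  # (tag, url, attrs-dict)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for name in self.FETCH_ATTRS.get(tag, ()):
            url = attrs.get(name)
            if url and urlparse(url).scheme in ("http", "https"):
                self.refs.append((tag, url, attrs))
        # A CSS url(...) in a style attribute is fetched just like an <img>.
        for m in re.finditer(r"url\(['\"]?(https?://[^'\")\s]+)", attrs.get("style") or ""):
            self.refs.append((tag, m.group(1), attrs))


def find_webbugs(raw_message, recipient=None):
    """Return one finding per remote reference in the HTML parts of an RFC 822 message.

    Every remote reference is a beacon: rendering the mail makes the client connect
    to the host named in the URL, which reveals IP address, client software and
    read time. The 'reasons' list records the extra signs that the reference exists
    only to track the reader (no visible content, per-recipient token, address in URL).
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        finder = RemoteRefFinder()
        finder.feed(part.get_content())
        for tag, url, attrs in finder.refs:
            reasons = []
            if attrs.get("width") in ("0", "1") or attrs.get("height") in ("0", "1"):
                reasons.append("invisible (0/1 pixel) image")
            if urlparse(url).query:
                reasons.append("query string can carry a per-recipient token")
            if recipient and recipient.lower() in unquote(url).lower():
                reasons.append("recipient address embedded in URL")
            findings.append({"tag": tag, "host": urlparse(url).hostname,
                             "url": url, "reasons": reasons})
    return findings


# Constructed sample message: one ordinary remote logo and one tracking pixel.
SAMPLE_MESSAGE = """\
From: sender@example.net
To: alice@example.org
Subject: Special offer
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Special offer inside.
--b1
Content-Type: text/html; charset="us-ascii"

<html><body>
<img src="http://cdn.example.net/logo.png" width="200" height="60">
<p>Special offer inside.</p>
<img src="http://track.example.net/open.gif?id=7f3a9c&to=alice%40example.org" width="1" height="1">
</body></html>
--b1--
"""


def report(raw_message, recipient=None):
    """Print a one-line verdict per remote reference and return the findings."""
    findings = find_webbugs(raw_message, recipient)
    for f in findings:
        flag = "WEBBUG" if f["reasons"] else "remote load"
        print(f"{flag:11} <{f['tag']}> {f['host']}  {'; '.join(f['reasons'])}")
    return findings


if __name__ == "__main__":
    report(SAMPLE_MESSAGE, recipient="alice@example.org")
```

Both references are reported, because even the innocent-looking logo causes the connection the page describes; the pixel is additionally flagged on all three heuristics. The practical mitigation the scanner points at is the client-side one: configure the mail program not to load remote images automatically, so the connection never happens.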
Not to worry, I don't want your email addresses, I'm into privacy. :) (actually you can enter any email address if you want to exploit your friends who use exploitable email programs)
For those of you who read about this in The Inquirer: it's not just Outlook that's vulnerable. Gecko on Linux, Netscape, AOL, and a bunch of other email programs are being exploited by the spammers. (My apologies to MS for the initial reports making it sound like it was only Outlook Express; it's just that I'm an Outlook Express user and that's the only one I'm concerned about.)
Ok, ready to see if you are vulnerable to email webbugs?
Email to test:
No thanks, I don't want to expose my email address but I want to see the next page anyway.