
FTP Email Scam

Covered in a recent InfoWorld column by Brian Livingston, and in a brief piece on PC World Online by Brian McWilliams.

A few months ago, Peter N. Lewis, the Australian Mac Internet programmer extraordinaire (author of the file retrieval program Anarchie), brought to my attention a technique for scamming email addresses by embedding an FTP reference in an HTML page. This technique is apparently on the rise.

If you know any HTML, you know that <IMG SRC> inserts an image on an HTML page. But you don't have to use HTTP (the Web file transfer protocol) to retrieve the image. The <IMG SRC> tag can say <IMG SRC="ftp://ftp.somewherex.com/pub/images/nit.gif"> and it will work just as well.

What's insidious about this method is that many browsers automatically transmit your email address, which you may have configured through the Internet control panel in Mac OS, through Outlook Express or related programs on Windows, or through the setup procedure for Netscape on both platforms. The FTP protocol doesn't require an email address, but the standard procedure for anonymous access on most FTP servers is for the client to send the user's address, so the access is slightly less anonymous. There's no way for the FTP server to check that the address is accurate.

The scammers using this technique embed an FTP image request in an HTML page and then use the FTP server's logs to retrieve the addresses for later spam. (The proof of concept I formerly set up has been shut down.)

In Netscape, sending your email address is on by default. Go to the Edit menu, select Preferences, click the Advanced item, and uncheck "Send e-mail address as anonymous FTP." Netscape will then send just "mozilla@" as your email address. (See their help documentation on this issue.)

The latest versions of Internet Explorer for Mac and Windows send only an anonymous fragment (macexplorer@ or ieuser40@) instead of your address. (You can even prevent that from being sent by modifying Security settings, but some FTP sites will reject you if you fail to provide any information.) I salute the Microsoft IE developers for quietly keeping email addresses safe.

If your company uses an FTP proxy server or other firewall system, your email address may be blocked at that level, too.
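
As an added example (not part of the original article), here is one way a mail filter or web proxy could flag pages that would make a browser log in to an FTP server on render, including relative image paths that resolve against an ftp:// <BASE HREF>. The function and class names, the tag/attribute list and the example.* hosts are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag/attribute pairs a browser loads on render, with no click (assumed, not exhaustive).
AUTO_FETCH = {
    ("img", "src"), ("body", "background"), ("embed", "src"), ("object", "data"),
    ("iframe", "src"), ("frame", "src"), ("script", "src"), ("link", "href"),
}

class FtpFetchFinder(HTMLParser):
    """Collects resources the page would fetch over FTP as soon as it is rendered."""

    def __init__(self, page_url=""):
        super().__init__()
        self.base = page_url
        self.findings = []  # (line, tag, attribute, resolved URL)

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names; valueless attributes are None.
        attrs = {name: (value or "").strip() for name, value in attrs}
        if tag == "base" and attrs.get("href"):
            # Relative URLs after <base> resolve against it, and it may itself be ftp://.
            self.base = urljoin(self.base, attrs["href"])
            return
        for name, value in attrs.items():
            if (tag, name) in AUTO_FETCH and value:
                url = urljoin(self.base, value)
                if urlsplit(url).scheme.lower() == "ftp":
                    self.findings.append((self.getpos()[0], tag, name, url))

def find_ftp_fetches(html, page_url=""):
    """Return [(line, tag, attribute, url)] for every automatic FTP fetch in html."""
    finder = FtpFetchFinder(page_url)
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample page. The example.* hosts are placeholders.
SAMPLE = """<html><head><base href="ftp://ftp.example.org/pub/"></head>
<body background="ftp://ftp.example.net/bg.gif">
<a href="ftp://ftp.example.net/pub/">an FTP link is fetched only if clicked</a>
<img src="http://www.example.com/logo.gif">
<IMG SRC="FTP://ftp.somewherex.com/pub/images/nit.gif" width=1 height=1>
<img src="images/dot.gif">
</body></html>"""

if __name__ == "__main__":
    for line, tag, attr, url in find_ftp_fetches(SAMPLE, "http://www.example.com/page.html"):
        print(f"line {line}: <{tag} {attr}=...> fetches {url}")
```

The ordinary FTP link on line 3 of the sample is not reported, because it is only fetched if the reader clicks it; the relative image on line 6 is reported, because the <BASE HREF> turns it into an FTP request.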

6/3/98: One user of the proof of concept reports that Netscape 4.x for Windows kept sending his email address after he'd unchecked the box mentioned above. He had to clear caches, quit, and relaunch the program to have "mozilla@" show up.

6/17/98: James 'Kibo' Parry reports that 'user@round.file.microsoft.com' is generated by Mac IE 3.01 - obviously a little dig in the previous release of the software by happy-go-lucky Macintosh programmers working for Microsoft.

Also, a reader noted in email to Ric Ford at Macintouch that Internet Config and Netscape can have some interactions that muddle whether your address is being sent.

6/17/98: Here are the top anonymous "email addresses" sent by browsers and FTP clients in the first few weeks of June to the FTP server where the proof of concept is located.

mozilla@ 17546
user@host 5054
IE30User@ 3456
macexplorer@ 2158
IE40user@ 730
user@round.file.microsoft.com 467
httpgw@ 457
squid@ 309
WebUser@somewhere.over.rainbow.com 191
wwwuser@ 183
WWWuser@ 150
unknown@ 99
opera@ 85
WinGate@ 85
netcache@ 81
user@host.domain 72
whoever@microsoft.com 67
ANARCHIE-email@domain.com 64
apache_proxy@ 58
anonymous@ 58
ANARCHIE/email@domain.com 57
traffic_server@inktomi.com 47
proxyuser@domain 43
Squid@ 41
Netscape@ 35
guest@ 31
email@domain.com 31
proxyuser@microsoft.com 25
NovellProxyCache@ 24
user@somehost.com 19
Sesame@ 14
proxy@ 13
user@host.com 13
ANARCHIE/account@domain.com 12
user@domain 12
Updated 6/26/98