Fwd: I was auto-outed by an IMG tag in HTML spam

Rohit Khare (rohit@bordeaux.ICS.uci.edu)
Wed, 18 Feb 1998 19:53:31 -0800


---------------- Begin Forwarded Message ----------------
Date: 02/18 3:00 AM
Received: 02/18 11:15 AM
From: Anonymous, anon@anon.efga.org
To: cypherpunks@toad.com

I just had my on-line pseudonym outed to my company's VP of
marketing, with potentially serious internecine political
consequences. It didn't even take an AOL customer service rep
to do the dirty deed. Here's how it happened.

I have an account unconnected with work, for personal mail, on a
machine run by a friend in my wife's department at the local
college. From this account, I speak my mind about my political
views, my employer's spamming of their rather loosely defined
lists of "customers", etc. I don't do that from my work account
because I don't want any confusion about whether I am speaking
for the company or not.

Evidently my mention of my displeasure with my company's
spamming hit a nerve with marketing. They sent a message to my
off-site address (along with those of other critics about whom
they wanted to know more). It was an HTML message with an
embedded IMG tag.

Last night about midnight, I downloaded my off-site mail with
Netscape. (I was still at work because our team is debugging
some killer database problems.) When Netscape saw that IMG
tag, it happily connected to marketing's "customer" tracking
server, and downloaded the keyed graphic.

My boss just let me see the log he got from the marketing VP,
showing clearly that my workstation read the message. The log
was attached to a strident call for my head from the VP.
Luckily, my boss agrees with my attitude, as do all of my
co-workers on the engineering side of the house, and thinks I
was in the right to use an off-site account. But the political
fallout could be interesting.

Beware "live" message content. If you don't, you may end up
having to get your company's entire marketing force fired to
protect yourself.

Use mail readers that don't automatically process HTML and
connect to image servers, accept cookies, or run javascripts.
You are being watched by tricky defective, er, detective types.
es.

----------------- End Forwarded Message -----------------