[Snort-users] RE: Snortdb against MySQL

Sean C Doherty seand at ...232...
Sun Apr 1 17:44:44 EDT 2001


Hi,

I run a personal firewall on my Win 98 PC. While reading my snort-users
email this weekend, I found that the email from
Brian.DeGregorio at ...1630... which was sent on 3/21/2001 in HTML format
attempted to access http://199.81.202.50/ (a FedEx site) 5 times. I looked
at the source of the email and did find one reference to an image stored at
that site, but no other apparent HTML links that would/should access a
remote site to display the email.

Does this specific email contain some new kind of web bug for tracking users
who open it? Is someone doing a covert survey of how many users subscribe
to the snort-users list (at least those who use HTML-enabled email clients), and
the ISPs they use or the companies they work for?

Following is the HTML source code of the email that was sent. I am not an
expert in HTML, but I have difficulty discerning where the additional 4
attempts to access the site are embedded. I did find the obvious link to an
image file. (I have replaced all "<"s with "[[" in order not to
disseminate the apparent web bug again.)

Any comments/help would be appreciated.

Sean D

Following are the headers and source of the HTML email referred to above:

Received: from usw-sf-list1.sourceforge.net (usw-sf-fw2.sourceforge.net
[216.136.171.252])
	by mail.tml.com (8.9.3/8.8.7) with ESMTP id RAAxxxx
	for <seand at ...232...>; Wed, 21 Mar 2001 17:29:32 -0500
X-RBL-Check: OK
Received: from localhost ([127.0.0.1] helo=usw-sf-list1.sourceforge.net)
	by usw-sf-list1.sourceforge.net with esmtp (Exim 3.22 #1 (Debian))
	id 14fqow-0001Wq-00; Wed, 21 Mar 2001 14:11:10 -0800
X-RBL-Check: OK
Received: from [63.228.247.2] (helo=mail.idaworks.com)
	by usw-sf-list1.sourceforge.net with smtp (Exim 3.22 #1 (Debian))
	id 14fqo1-0001PZ-00
	for <snort-users at lists.sourceforge.net>; Wed, 21 Mar 2001 14:10:13 -0800
X-RBL-Check: OK
Received: from SMTP agent by mail gateway
 Wed, 21 Mar 2001 15:05:01 -0700
X-RBL-Check: OK
Received: by mail.jcllc.com with Internet Mail Service (5.5.2653.19)
	id <HMSZLX2G>; Wed, 21 Mar 2001 15:04:34 -0700
X-RBL-Check: OK
Message-ID: <80832445EB76D411BFB60050049B79DF01999B at ...1632...>
From: Brian.DeGregorio at ...1630...
To: snort-users at lists.sourceforge.net
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2653.19)
Content-Type: multipart/mixed;
	boundary="----_=_NextPart_000_01C0B252.E990FEB0"
Subject: [Snort-users] Snortdb against MySQL
Sender: snort-users-admin at lists.sourceforge.net
Errors-To: snort-users-admin at lists.sourceforge.net
X-BeenThere: snort-users at lists.sourceforge.net
X-Mailman-Version: 2.0.3
Precedence: bulk
List-Help: <mailto:snort-users-request at lists.sourceforge.net?subject=help>
List-Post: <mailto:snort-users at lists.sourceforge.net>
List-Subscribe: <http://lists.sourceforge.net/lists/listinfo/snort-users>,
	<mailto:snort-users-request at lists.sourceforge.net?subject=subscribe>
List-Id: Snort users talk about... Snort!
<snort-users.lists.sourceforge.net>
List-Unsubscribe: <http://lists.sourceforge.net/lists/listinfo/snort-users>,
	<mailto:snort-users-request at lists.sourceforge.net?subject=unsubscribe>
List-Archive: <http://lists.sourceforge.net/archives//snort-users/>
Date: Wed, 21 Mar 2001 15:04:34 -0700
Status:

[[!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
[[HTML>[[HEAD>
[[META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">


[[STYLE>P.msoNormal {
	FONT-WEIGHT: normal; FONT-SIZE: 12pt; MARGIN-LEFT: 50px; COLOR: black;
FONT-FAMILY: "MS Sans Serif", "sans serif"
}
LI.msoNormal {
	FONT-WEIGHT: normal; FONT-SIZE: 12pt; MARGIN-LEFT: 50px; COLOR: black;
FONT-FAMILY: "MS Sans Serif", "sans serif"
}
BODY {
	FONT-WEIGHT: normal; FONT-SIZE: 12pt; MARGIN-LEFT: 50px; COLOR: black;
BACKGROUND-REPEAT: repeat-y; FONT-FAMILY: "MS Sans Serif", "sans serif"
}
HR {
	WIDTH: 100%; COLOR: #00ffff; HEIGHT: 1px
}
[[/STYLE>

[[META content="MSHTML 5.50.4611.1300" name=GENERATOR>[[/HEAD>
[[BODY bgColor=#ffffff background=cid:001540222 at ...1631...>
[[DIV>[[SPAN class=001540222-21032001>[[FONT face='"MS Sans Serif"'>Has
anyone
found or written a script to go thru the snort database and archive old
entries?
[[/FONT>[[/SPAN>[[/DIV>
[[DIV>
[[DIV>[[STRONG>[[/STRONG> [[/DIV>
[[DIV>[[SPAN
class=761550720-18012001>[[STRONG>[[/STRONG>[[/SPAN> [[/DIV>
[[DIV>[[A name=mailresults>[[IMG height=2 alt=""
src="http://www.fedex.com/images/shared/shared_rule.gif" width=437
border=0>[[/A>[[/DIV>
[[DIV>[[FONT face='"MS Sans Serif"'>[[/FONT> [[/DIV>
[[DIV>[[SPAN class=761550720-18012001>[[FONT face='"MS Sans
Serif"'>[[STRONG>Brian
DeGregorio[[/STRONG>[[/FONT>[[/SPAN>[[/DIV>
[[DIV>[[SPAN class=761550720-18012001>[[FONT face='"MS Sans Serif"'>Network
Administrator[[/FONT>[[/SPAN>[[/DIV>
[[DIV>[[SPAN class=761550720-18012001>[[FONT
color=#000080>MARKMonitor[[/FONT>[[/SPAN>[[/DIV>
[[DIV>[[SPAN class=761550720-18012001>[[FONT
face='"MS Sans Serif"'>[[/FONT>[[/SPAN> [[/DIV>
[[DIV>[[SPAN class=761550720-18012001>[[FONT face='"MS Sans Serif"'
size=2>[[A
href="mailto:brian.degregorio at ...1630...">brian.degregorio at ...1707...
com[[/A>[[/FONT>[[/SPAN>[[/DIV>
[[DIV>[[SPAN class=761550720-18012001>[[FONT face='"MS Sans Serif"'
size=2>[[A
href="http://www.markmonitor.com/">www.markmonitor.com[[/A>[[/FONT>[[/SPAN>[
[/DIV>
[[DIV>[[SPAN class=761550720-18012001>[[FONT
face='"MS Sans Serif"'>[[/FONT>[[/SPAN> [[/DIV>
[[DIV>[[SPAN class=761550720-18012001>[[FONT face="Times New Roman"
color=#000080
size=4>[[STRONG>[[/STRONG>[[/FONT>[[/SPAN> [[/DIV>
[[DIV>[[SPAN class=761550720-18012001>[[FONT face="Times New Roman"
color=#000080
size=5>[[STRONG>Do you know where your brand
is?      We
Do.[[/STRONG>[[/FONT>[[/SPAN>[[/DIV>[[/DIV>[[/BODY>[[/HTML>
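
An added example, not part of the original post: one way to list every tag attribute in an HTML mail body that a client would fetch from a remote host on display, separately from links that are only followed on a click. It undoes the post's "[[" substitution in memory before parsing; the attribute list is an assumption and covers tag attributes only (not CSS `url(...)`), and the sample input is constructed from lines of the source above with placeholder values.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# (tag, attribute) pairs a mail client may fetch on render, with no click (assumed, not exhaustive).
AUTO_FETCH = {
    ("img", "src"), ("body", "background"), ("table", "background"),
    ("td", "background"), ("link", "href"), ("script", "src"),
    ("iframe", "src"), ("frame", "src"), ("embed", "src"), ("input", "src"),
}

class RemoteRefFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.auto = []      # fetched as soon as the message is displayed
        self.on_click = []  # remote, but only followed when the user clicks

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag and attribute names for us.
        for name, value in attrs:
            url = (value or "").strip()
            if urlparse(url).scheme.lower() not in ("http", "https", "ftp"):
                continue  # cid:, mailto:, data: and relative references stay local
            if (tag, name) in AUTO_FETCH:
                self.auto.append((tag, name, url))
            elif name == "href":
                self.on_click.append((tag, name, url))

def find_remote_refs(source, defanged=True):
    """Return (auto_fetched, click_only) remote references in HTML mail source."""
    if defanged:
        source = source.replace("[[", "<")  # undo the post's "<" -> "[[" substitution
    finder = RemoteRefFinder()
    finder.feed(source)
    finder.close()
    return finder.auto, finder.on_click

# Constructed sample modelled on the message source above; cid and mailto values are placeholders.
SAMPLE = '''[[BODY bgColor=#ffffff background=cid:placeholder-cid>
[[DIV>[[A name=mailresults>[[IMG height=2 alt=""
src="http://www.fedex.com/images/shared/shared_rule.gif" width=437
border=0>[[/A>[[/DIV>
[[A href="mailto:user@example.com">user@example.com[[/A>
[[A href="http://www.markmonitor.com/">www.markmonitor.com[[/A>[[/BODY>'''

if __name__ == "__main__":
    auto, click = find_remote_refs(SAMPLE)
    for tag, attr, url in auto + click:
        print(f"{'auto ' if (tag, attr) in AUTO_FETCH else 'click'}  <{tag} {attr}>  {url}")
```

Each entry in the first list is a request the client makes on its own, so it is the list to compare against firewall or proxy logs.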