Outlook spam with embedded images? CID
Some people may have noticed that some spammers manage to show images in their email even when you have not given permission for automatic download of pictures. How does that work?

On closer inspection (if you have time to look) you may notice that the email source code references an image without an HTTP URL.
<IMG alt="" hspace=0 src="cid:006901c6d391$dee64770$6c822ecf@Z2LC74Q" align=baseline border=0>
What is this?
“cid” is the content-id within Outlook. Outlook stores HTML mail in MHTML format, which allows it to work with MIME (Multipurpose Internet Mail Extensions). So what is actually happening is that the image is embedded in the message and then referenced through the MHTML, without the need to download anything externally.
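To check whether an image in a given mail is really embedded or pulled from a remote server, you can resolve each img src against the Content-ID headers of the message's MIME parts. The following is an added example, not part of the original post; the sample message, its addresses and the function names are constructed for illustration.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from urllib.parse import unquote

IMG_SRC = re.compile(r'<img\b[^>]*?\bsrc\s*=\s*["\']?([^"\'\s>]+)', re.I)

def build_sample() -> bytes:
    """Constructed message: one cid: image and one remote image in the HTML body."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("plain text fallback")
    msg.add_alternative(
        '<html><body><img src="cid:logo123@example.invalid">'
        '<img src="http://tracker.example.invalid/p.gif"></body></html>',
        subtype="html",
    )
    # Attach image bytes as a related MIME part, labelled with a Content-ID.
    msg.get_payload()[1].add_related(
        b"GIF89a" + b"\x00" * 32, maintype="image", subtype="gif",
        cid="<logo123@example.invalid>",
    )
    return msg.as_bytes()

def classify_images(raw: bytes) -> dict:
    """Sort every <img src> into embedded (cid resolves), dangling, or remote."""
    msg = message_from_bytes(raw, policy=policy.default)
    # Content-ID header value without its angle brackets -> MIME part.
    by_cid = {str(p["Content-ID"]).strip().strip("<>"): p
              for p in msg.walk() if p["Content-ID"]}
    report = {"embedded": [], "dangling": [], "remote": []}
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        for src in IMG_SRC.findall(part.get_content()):
            if src.lower().startswith("cid:"):
                key = unquote(src[4:])  # cid: URLs may be percent-encoded
                target = by_cid.get(key)
                if target is None:
                    report["dangling"].append(key)
                else:
                    size = len(target.get_payload(decode=True))
                    report["embedded"].append((key, target.get_content_type(), size))
            elif src.lower().startswith(("http://", "https://")):
                report["remote"].append(src)  # needs a network fetch to display
    return report

if __name__ == "__main__":
    print(classify_images(build_sample()))
```

Only the entries under "remote" require a network request when the mail is displayed; the "embedded" entries travel inside the message and account for its larger size.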
Points of interest off the top of my head:
1. You can’t spam filter an image. An image can contain text (as above) or pictures. Watch out. Phishing possibilities ahoy.
2. CID will probably go unnoticed through many mail servers except for high grade clients who set rules to filter CID tags. Here the CID tag will usually get turned into an attachment helping you spot an intruding image.
3. CID is a good way to embed your company logo so that users don’t have to click “download images”, as they would if you referenced an absolute URL. However, if many of your clients are protected (previous point) then your logo will appear to them as an attachment each time, which is quite annoying when they go looking for that mail you sent them that DID have an attachment.
4. CID seems to work fine with browser clients (I tried Gmail, which worked fine and did not strip the image out as an attachment either).
How do I create a CID image embedded in my email?
The easiest way we found is to copy and paste directly into Outlook from the clipboard. Yes, it’s that simple.

September 23, 2006 at 6:24 am
This is happening more and more. What are the chances that people can use this method to trigger an external site? You mention the possibility of phishing with this method, but I don’t see how an embedded image can truly be used for phishing. It’s annoying, it lets them spell everything correctly in the graphic and they get their message through most cheaper filters (like you said). But I just don’t see how an internal cid image in outlook can trigger an external phishing scheme. Or am I missing something?
September 27, 2006 at 9:44 pm
Good question. The main point is that email could be made to look more like an official source of information (like a bank) and amplify the trickery used to con users into believing a source as being legitimate.
Images speaking a thousand words, logo credibility etc… I’m waiting for the first “ENTER YOUR BANK DETAILS” which uses an outlook CID image, but I don’t think it will be too long…
October 3, 2006 at 9:57 pm
Look at this source code in this email! This object is not embedded, but pulled from an internet site. I can see it load watching my network card activity lights, takes pretty long for a simple image. This object is not embedded in the email, but appears that way. Ties up computer resources while it is loading…
Ponyets said, did not afraid I had timed it isn’t very important. Ponyets, sharply, and her hair was there will groan for ten,
I am pretty sure the above source code in this email pulls the image from the internet.
October 3, 2006 at 9:59 pm
This email is pulling the image from an internet site - I can watch it through my activity lights on my NIC card.
Ponyets said, did not afraid I had timed it isn’t very important. Ponyets, sharply, and her hair was there will groan for ten,
I think I’ll fire up Cain and Abel and check it out to be sure.
October 3, 2006 at 10:03 pm
left !DOCTYPE html PUBLIC “-//W3C//DTD HTML 4.01 Transitional//EN” right
left HTMLright
left BODY right left H5 right Ponyets said, did not afraid I had timed it isn’t very important. Ponyets, sharply, and her hair was there will groan for ten, left /H5 right
left IMG width=416 height=412 src=”cid:DL0PDNDG.1XXLDEKH.WMMJM4QA.CA6ODK11″ right left /BODY right
left /HTML right
Carrots have been replaced with the words left and right
Look at the CID !
October 4, 2006 at 11:21 pm
It’s not pulling the image from any internet site, but the image will come through your mailserver and demonstrate similar load times. The image is definitely embedded but still has to load like any mail with an attached image.
>>>cid:DL0PDNDG.1XXLDEKH.WMMJM4QA.CA6ODK11
is the MHTML reference to the image data so it can redraw from the embedded information. The clue is also in the SIZE of the email… most are 2-10k. A CID spam email will be up to 50Kb+
Try pasting an image into outlook and sending to yourself to get the effect.
NOTE: The senders of these CID image spams DO NOT know you viewed the image or if you have opened the email.
October 17, 2006 at 7:12 pm
I’m quite sure it’s attached. Perhaps it was an animated gif with delays added in to give the impression the text / img is being downloaded. See http://www.jgc.org/blog/2006/10/spam-image-that-slowly-builds-to.html
January 25, 2007 at 7:00 pm
The tag can be used to access remote images.
I have one mail of 15k, inside is this…
cid:part1.02050301.00040802@expressteller.com
image is more than 15k
Also the big number is your unique ID, which they use to confirm the email address works.
January 30, 2007 at 5:32 pm
I’m just learning to blog. Interesting comments.
April 9, 2007 at 10:38 pm
Good site!!!
May 2, 2007 at 7:02 am
Hey,
Great stuff here!
I’ll definitely bookmark this place and come back soon.
Rhett
November 27, 2007 at 7:54 am
Very good stuff! Does anyone know how to block them in Outlook?