Outlook spam with embedded images? CID

Some people may have noticed that some spammers manage to get images displayed in their email. What the? How does that work if you have not set permission for automatic download of pictures?


On closer inspection (if you have time to look) you may notice that the email source code references an image without an HTTP URL.

<IMG alt="" hspace=0 src="cid:006901c6d391$dee64770$6c822ecf@Z2LC74Q" align=baseline border=0>

What is this?
“cid” is the content-id within Outlook. Outlook stores HTML mail in MHTML format which allows it to work with MIME (Multipurpose Internet Mail Extensions). So what is actually happening is the image is being embedded and then referenced through the MHTML without the need for downloading anything externally.

Points of interest off the top of my head:

1. You can’t spam filter an image. An image can contain text (as above) or pictures. Watch out. Phishing possibilities ahoy.
2. CID will probably go unnoticed through many mail servers except for high grade clients who set rules to filter CID tags. Here the CID tag will usually get turned into an attachment helping you spot an intruding image.
3. CID is a good way to embed your company logo so that users don’t have to click “download images”, as they would if your email referenced the image by an absolute URL. However, if many of your clients are protected (previous point), your logo will appear to them as an attachment each time, which becomes quite annoying when they go looking for that mail you sent them that DID have an attachment.
4. CID seems to work fine with browser clients (I tried Gmail, which worked fine and did not strip the image out as an attachment either).

How do I create a CID image embedded in my email?

The easiest way we found is to copy and paste directly into Outlook from the clipboard. Yes it’s that simple.
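The embedding described above, and a check that tells an embedded `cid:` image from one fetched over the network, as an added example that is not code from the original post. The function names, the `example.invalid` addresses and the placeholder image bytes are assumptions made for the illustration.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import make_msgid
from urllib.parse import unquote

IMG_SRC = re.compile(r'<img\b[^>]*?\bsrc\s*=\s*["\']?([^"\'\s>]+)', re.I)

def build_sample() -> bytes:
    """Constructed message: one inline (cid:) image and one remote image."""
    cid = make_msgid(domain="example.invalid")   # "<id@example.invalid>"
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("plain-text fallback")
    msg.add_alternative(
        f'<html><body><img src="cid:{cid[1:-1]}">'
        '<img src="http://example.invalid/logo.png"></body></html>',
        subtype="html")
    # Placeholder bytes stand in for the picture; the HTML part becomes
    # multipart/related with the image as a sibling carrying Content-ID.
    msg.get_payload()[1].add_related(
        b"\x89PNG" + b"\0" * 2048, maintype="image", subtype="png", cid=cid)
    return msg.as_bytes()

def audit_images(raw: bytes) -> list:
    """Return (src, verdict, embedded_bytes) for every <img> in the HTML."""
    msg = message_from_bytes(raw, policy=policy.default)
    # Index every MIME part that carries a Content-ID header.
    by_cid = {str(p["Content-ID"]).strip("<> "): p
              for p in msg.walk() if p["Content-ID"]}
    findings = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        for src in IMG_SRC.findall(part.get_content()):
            if not src.lower().startswith("cid:"):
                findings.append((src, "remote", 0))      # needs a network fetch
                continue
            target = by_cid.get(unquote(src[4:]))        # cid: URLs may be %-encoded
            if target is None:
                findings.append((src, "dangling-cid", 0))
            else:
                size = len(target.get_payload(decode=True))
                findings.append((src, "embedded", size))
    return findings

if __name__ == "__main__":
    for row in audit_images(build_sample()):
        print(row)
```

Run against a saved message, an "embedded" verdict with a byte count means the picture travelled inside the mail itself, while "remote" marks the images that only load after a download is permitted.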

23 Responses to “Outlook spam with embedded images? CID”

  1. crazyjeremy Says:

    This is happening more and more. What are the chances that people can use this method to trigger an external site? You mention the possibility of phishing with this method, but I don’t see how an embedded image can truly be used for phishing. It’s annoying, it lets them spell everything correctly in the graphic and they get their message through most cheaper filters (like you said). But I just don’t see how an internal cid image in outlook can trigger an external phishing scheme. Or am I missing something?

  2. Iain Says:

    Good question. The main point is that email could be made to look more like an official source of information (like a bank) and amplify the trickery used to con users into believing a source as being legitimate.

    Images speaking a thousand words, logo credibility etc… I’m waiting for the first “ENTER YOUR BANK DETAILS” which uses an outlook CID image, but I don’t think it will be too long…

  3. Dan Says:

    Look at this source code in this email! This object is not embedded, but pulled from an internet site. I can see it load watching my network card activity lights, takes pretty long for a simple image. This object is not embedded in the email, but appears that way. Ties up computer resources while it is loading…

    Ponyets said, did not afraid I had timed it isn’t very important. Ponyets, sharply, and her hair was there will groan for ten,

    I am pretty sure the above source code in this email pulls the image from the internet.

  4. Dan Says:

    This email is pulling the image from an internet site – I can watch it through my activity lights on my NIC card.

    Ponyets said, did not afraid I had timed it isn’t very important. Ponyets, sharply, and her hair was there will groan for ten,

    I think I’ll fire up Cain and Abel and check it out to be sure.

  5. Dan Says:

    left !DOCTYPE html PUBLIC “-//W3C//DTD HTML 4.01 Transitional//EN” right
    left HTMLright
    left BODY right left H5 right Ponyets said, did not afraid I had timed it isn’t very important. Ponyets, sharply, and her hair was there will groan for ten, left /H5 right
    left IMG width=416 height=412 src=”cid:DL0PDNDG.1XXLDEKH.WMMJM4QA.CA6ODK11″ right left /BODY right
    left /HTML right

    Carrots have been replaced with the words left and right

    Look at the CID !

  6. Iain Says:

    It’s not pulling the image from any internet site, but the image will come through your mailserver and demonstrate similar load times. The image is definitely embedded but still has to load like any mail with an attached image.

    >>>cid:DL0PDNDG.1XXLDEKH.WMMJM4QA.CA6ODK11
    is the MHTML reference to the image data so it can redraw from the embedded information. The clue is also in the SIZE of the email… most are 2-10k. A CID spam email will be up to 50Kb+

    Try pasting an image into outlook and sending to yourself to get the effect.

    NOTE: The senders of these CID image spams DO NOT know you viewed the image or if you have opened the email. :)

  7. Marcus Says:

    I’m quite sure it’s attached. Perhaps it was an animated gif with delays added in to give the impression the text / img is being downloaded. See http://www.jgc.org/blog/2006/10/spam-image-that-slowly-builds-to.html

  8. josh Says:

    The tag can be used to access remote images.
    I have one mail of 15k, inside is this…

    cid:part1.02050301.00040802@expressteller.com

    image is more than 15k

    Also the big number is your unique ID, which they use to confirm the email address works.

  9. Marketing Says:

    I’m just learning to blog. Interesting comments.

  10. zqars Says:

    Good site!!!

  11. RhettWilson Says:

    Hey,
    Great stuff here!
    I’ll definitely bookmark this place and come back soon.

    Rhett

  15. suzy Says:

    Very good stuff! Does anyone know how to block them in Outlook?

  20. wissguy Says:

    cid can be used in email programs; refer to an image which you have attached and you will directly have this image on your email. Was this ok? Visit ‘http://www.free4ever.be and have fun.

  21. Joe Schlosser Says:

    Hi! Great article. I was wondering if the CID function only works with Outlook 2007? I am still running 2003 and the images don’t automatically render when email is opened up. Please help me understand better how this works – have a lot of corporate clients interested in this process.

    Thanks!

  23. myMailMarket Says:

    In our email marketing platform we have built in the possibility to embed CID images, but only allowed it to some clients. In our belief it still should be the user who can decide whether images are immediately visible or not.
