Outlook spam with embedded images? CID

Some people may have noticed that some spammers manage to send images in their email. What the? …so what if you have not set permission for auto download of pictures? How does that work?


On closer inspection (if you have time to look) you may notice the email source code will reference an image without an http url.

<IMG alt=”” hspace=0 src=”cid:006901c6d391$dee64770$6c822ecf@Z2LC74Q” align=baseline border=0>

What is this?
“cid” is the content-id within Outlook. Outlook stores HTML mail in MHTML format which allows it to work with MIME (Multipurpose Internet Mail Extensions). So what is actually happening is the image is being embedded and then referenced through the MHTML without the need for downloading anything externally.

Points of interest of the top of my head:

1. You can’t spam filter an image. An image can be text (as above) or images. Watch out. Phishing possibilities ahoy.
2. CID will probably go unnoticed through many mail servers except for high grade clients who set rules to filter CID tags. Here the CID tag will usually get turned into an attachment helping you spot an intruding image.
3. CID is a good way to have your company logo embedded so that users don’t have to click “download images” when you send referencing an absolute URL. However if many of your clients are protected (previous point) then your logo will appear to them as an attachment each time and appear quite annoying to them when they go looking for that mail you sent them that DID have an attachment.
4. CID seems to work fine with browser clients (I tried gmail which worked fine and did not strip as an attachment either).

How do I create a CID image embedded in my email?

The easiest way we found is to copy and paste directly into Outlook from the clipboard. Yes it’s that simple.

You may also like...

46 Responses

  1. crazyjeremy says:

    This is happening more and more. What are the chances that people can use this method to trigger an external site? You mention the possibility of phishing with this method, but I don’t see how an embedded image can truly be used for phishing. It’s annoying, it let’s them spell everything correctly in the graphic and they get their message through most cheaper filters (like you said). But I just don’t see how an internal cid image in outlook can trigger an external phishing scheme. Or am I missing something?

  2. Iain says:

    Good question. The main point is that email could be made to look more like an official source of information (like a bank) and amplify the trickery used to con users into believing a source as being legitimate.

    Images speaking a thousand words, logo credibility etc… I’m waiting for the first “ENTER YOUR BANK DETAILS” which uses an outlook CID image, but I don’t think it will be too long…

  3. Dan says:

    Look at this source code inthis email! This object is not embedded, but pulled form an internet site. I can see it load watching my network card activity lights, takes pretty long for a simple image. This object is not embedded in the email, but appears that way. Ties up computer resources while it is loading…

    Ponyets said, did not afraid I had timed it isn’t very important. Ponyets, sharply, and her hair was there will groan for ten,

    I am pretty sure the above source code in this email pulls the image from the internet.

  4. Dan says:

    This email is pulling the image from an internet site – I can wath it through through my activity lights on my NIC card.

    Ponyets said, did not afraid I had timed it isn’t very important. Ponyets, sharply, and her hair was there will groan for ten,

    I think I’ll fire up Cain and Abel and check it out to be sure.

  5. Dan says:

    left !DOCTYPE html PUBLIC “-//W3C//DTD HTML 4.01 Transitional//EN” right
    left HTMLright
    left BODY right left H5 right Ponyets said, did not afraid I had timed it isn’t very important. Ponyets, sharply, and her hair was there will groan for ten, left /H5 right
    left IMG width=416 height=412 src=”cid:DL0PDNDG.1XXLDEKH.WMMJM4QA.CA6ODK11″ right left /BODY right
    left /HTML right

    Carrots have been replaced with the words left and right

    Look at the CID !

  6. Iain says:

    It’s not pulling the image from any internet site, but the image will come through your mailserver and demostrate similar load times. The image is definitely embedded but still has to load like any mail with an attached image.

    >>>cid:DL0PDNDG.1XXLDEKH.WMMJM4QA.CA6ODK11
    is the MHTML reference to the image data so it can redraw from the embedded information. The clue is also in the SIZE of the email… most are 2-10k. A CID spam email will be up to 50Kb+

    Try pasting an image into outlook and sending to yourself to get the effect.

    NOTE: The senders of these CID image spams DO NOT know you viewed the image or if you have opened the email. :)

  7. Marcus says:

    i’m quite sure its attached. perhaps it was an animated gif with delays added in to give the impression the text / img is being downloaded. see http://www.jgc.org/blog/2006/10/spam-image-that-slowly-builds-to.html

  8. josh says:

    The tag can be used to access remote images.
    I have one mail of 15k, inside is this…

    cid:part1.02050301.00040802@expressteller.com

    image is more than 15k

    Also the big number is your unique ID, which they use to confirm the email address works.

  9. Marketing says:

    I’m just learning to blog. Interesting comments.

  10. RhettWilson says:

    Hey,
    Great stuff here!
    I’ll definitely bookmark this place and come back soon.

    Rhett

  11. Cloth says:

    Hello to all, its my new pages about cloth
    cloth diaper
    You can buy here 247.

  12. Pens says:

    Hello, here you can read all info about pen pal
    247.

  13. shoes says:

    Hello nice blog! !!
    sofa
    It’s my new page.about shoes.

  14. suzy says:

    Very good stuff! Does anyone know how to block them in Outlook?

  15. bob says:

    j7NPOH hi great site thx http://peace.com

  16. alexbookmin says:

    I have carried out huge work and collected the most interesting
    sites about online investment in the Internet

    I choose only update and developing ones and collected them in the same place.
    They are accessible for everybody.
    I offer you to acquaint with them ( online investing bookmak http://www.articlesnatch.com/tags/bookmarks.php/boksir124 )
    If somebody can supplement my list please publish here your research or bookmark

    PS I am sorry if my message out of forum topic or it`s not interesting to community.

  17. HetsRitEnaliIntict says:

    hhzpzbpkqpnsoqaqwell, hi admin adn people nice forum indeed. how’s life? hope it’s introduce branch 😉

  18. Tila Tequila Naked [url=http://www.bebo.com/TilaTequilaN9]Tila Tequila Naked[/url] Tila Tequila Naked [url= http://www.bebo.com/TilaTequilaN9 ] Tila Tequila Naked [/url]

  19. wissguy says:

    cid can be used in email programmas , refere to a image which you have attached and you will directly have this image on your email. was this ok visit ‘http://www.free4ever.be and have fun.

  20. Hi! Great article. I was wondering if the CID function only works with Outlook 2007? I am still running 2003 and the images don’t automatically render when email is opened up. Please help me understand better how this works – have a lot of corporate clients interested in this process.

    Thanks!

  21. Relaxed You may, and its twin?For emergencies and, get a tutorial.Of no more, deal of difficulty.Few years However red lights on xbox 360, der Transport von so brightly that.Percentage may vary, system These indicate.,

  22. myMailMarket says:

    In our email marketing platform we have built in the possibility to embed CID images, but only allowed it to some clients. In our belief it still should be the user who can decide whether images are immediately visible or not.

  23. I’m an origami fan and paper airplanes is one of my favorite forms of the art. It challenges not just your folding skills but also teaches you about aerodynamics. I remember a software called “The Greatest Paper Airplanes”. It teaches how to fold 50 different paper airplanes step by step with instructions and videos. Too bad the software is no longer distributed but there’s a website that teaches how to fold those 50 paper airplanes.

  24. really good very topic and Iain and others’ comment are wonderful

  25. It is good that you took the time to write this post; it’s stimulating to hear another’s opinion. I respect your work on this page, and I’ll come back for more information.

  26. Hey – I found your site by mistake. I was looking in Google for info on home building, I must say your site is pretty cool I just love the theme, its amazing!. I don’t have the time this minute to fully read your site but I have bookmarked it and also signed up for your RSS feed. I’ll back in a day or two. thanks for a awesome site.

  27. I m really impressed with your work. I m glad to have read this article. It was a great way of putting forward your ideas on this subject…… I m relieved to find such good work after going through such pains in searching for the appropriate matter for my project……. Congratulations.

  28. Anastasia says:

    Great stuff…… I personally want to thank you for writing this article. I am just very impressed with your work. I gained a lot of information on this matter. I really happy to have gone through your article. Please keep up the good work.

  29. man health says:

    Hey this is one of the best articles that I have read till date. I m really very much impressed with your work. It has been a pleasure reading this article of yours. I never knew that there was so much to learn in this subject. I am glad to have read your article.

  30. Technology of daft punk

  31. Gen Stanley A. McChrystal’s uncomplimentary criticism of the Obama administration’s top officials has left the president a uneviable choice: look across comments that come close to rebellion, or terminate his lead commander at a critical moment in Afghanistan. I wouldn’t want to be in Obama’s situation right now, even if these two men are assembling now to talk it through. Quite dumb to make national negative comments about your chief like that though.

  32. This technique seems to work better with smaller images, such as logos. For larger images I’d go with external links and give the user the option to download.

  33. Bradley Kari says:

    Very nice post and straight to the point. I don’t know if this is actually the best place to ask but do you guys have any thoughts on where to get some professional writers? Thanks :)

  34. I have been examinating out many of your articles and it’s nice stuff. I will definitely bookmark your blog.

  35. Well I sincerely enjoyed studying it. This subject procured by you is very useful for good planning.

  36. Wow! Thank you! I always needed to write on my website something like that. Can I implement a fragment of your post to my website?

  37. Lino Tomei says:

    Very nice info and straight to the point. I am not sure if this is really the best place to ask but do you people have any thoughts on where to get some professional writers? Thanks in advance :)

  38. Well I truly enjoyed studying it. This tip procured by you is very useful for good planning.

  39. Malik Faurot says:

    There is visibly a bunch to know about this. I assume you made various good points in features also.

  40. Well I really enjoyed reading it. This information procured by you is very constructive for proper planning.

  41. vijay says:

    its a nice info. you have discussed a nice info about Outlook spam with embedded images thanks for it.

  42. egipt pogoda says:

    Hello is Blogengine a free blogging software like wordpress? Additionally does it have lots of plugins and themes for it? I would like to start using it for my new blog if it does! Thank You

  43. Emil Orleans says:

    That is second incident that I’m scanning anything about modifying web sites together with the method. It appears that you’re an super professional blogger. Your publish is definitely an fantastic instance of why I keep on coming again to study your excellent top quality content material that’s forever updated.

  44. Josiah Espy says:

    Your blog looks really good! Well written pages too, makes it perfect! Hope you keep updating man, I will def be back to read up on more!!!

  45. goldbeats says:

    To follow up on the up-date of this problem on your internet page and wish to let you know just how much I treasured the time you took to publish this helpful post.michael jackson anniversary headphone Within the post, you in fact spoke of how you can truly handle this matter with all convenience. It could be my personal pleasure to obtain some far more tips from your web page and come up to give other people what I learned from you. Thanks for your usual fantastic effort.

Leave a Reply

Your email address will not be published. Required fields are marked *