submitted 7 months ago* (last edited 7 months ago) by coffeeClean@infosec.pub to c/cybersecurity@infosec.pub

An HTML-only email from a gov agency has a logo referencing a URL that looks like this:

https://1wy1y.mjt.lu/tplimg/1wy1y/f/l9hl7/g3q3v.png

It’s not exactly that (apart from the domain) but of course it’s rather unique looking. They send email routinely. The initial emails had an obviously non-suspicious basic logo, like “(their office domain)/files/logo.png”. But then later they switched and every message from them is the URL in the mjt.lu domain. It’s not unique per message but it could be unique to the user, perhaps to keep tabs on when each person reads their messages.

The output of torsocks curl -LI looks like this:

HTTP/2 200
date: (exactly now)
content-type: image/png
accept-ranges: bytes

That’s it. It’s the shortest HTTP header I’ve seen. There’s no content-length. I find that suspicious because if this is a service that facilitates tracker pixels, then they would want to withhold the length in order to dodge detection. Although from its usage in my case it wouldn’t just be a pixel -- it’s a logo.

The date is also suspect. Shouldn’t the date be the date of the object, not the current time this second?

Are there any other checks to investigate this?

[-] kivulallo@lemmy.world 3 points 7 months ago* (last edited 7 months ago)

if you run a whois on the domain, it turns out it belongs to mailjet. they are a big service provider for bulk emails, notifications, stuff like that.

my guess is this is their cdn or something similar. you can see the "1wy1y" string in the URL path as well as a sub-domain. that's most likely the customer ID or "tenant id" for the gov agency inside the mailjet cloud. also guessing that "tplimg" could stand for "template image" or similar, indicating that they have an email template with this image always being there. which makes sense if it's a logo.

as for the curl call, i tried to open the url in a browser, but it just sends an empty response, that's why you don't see a content-length header. i guess mailjet checks where the url is being called from, either with user-agent or some custom headers or whatever, so it only loads if you actually open the email. this prevents unnecessary traffic costs for them.

i don't think there is anything wrong here, just laziness on the gov agency's side. they could have created some sub-domain that is an alias pointing to this mess. it wouldn't cost anything.
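An added example, not code from either poster, that turns the checks discussed in this thread into a small script: it parses a `curl -I` capture like the one in the post, flags the missing Content-Length and the absence of Last-Modified/ETag, treats the Date header as response-generation time rather than an object timestamp, and pulls out the token that appears both as a hostname label and a path segment (the tenant-id reading above). The headers, the date value and the reference clock are constructed sample values, and the heuristics themselves are assumptions for illustration.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from urllib.parse import urlparse

def parse_headers(raw: str) -> dict:
    """Turn `curl -I` output into a dict of lowercase header names -> values."""
    headers = {}
    for line in raw.strip().splitlines():
        if line.upper().startswith("HTTP/") or ":" not in line:
            continue  # status line or stray text
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def shared_tokens(url: str) -> set:
    """Path segments that also appear as a hostname label. Such a value is
    shared by every recipient of that sender (a tenant/customer id), not a
    per-user tracking token."""
    parts = urlparse(url)
    labels = set((parts.hostname or "").split("."))
    segments = {s for s in parts.path.split("/") if s}
    return labels & segments

def assess(url: str, raw_headers: str, now: datetime) -> list:
    """Findings that bear on 'is this image a tracker?' (heuristics assumed here)."""
    h = parse_headers(raw_headers)
    findings = []
    if "content-length" not in h:
        findings.append("no content-length: body size withheld or streamed")
    if "last-modified" not in h and "etag" not in h:
        findings.append("no last-modified/etag: object age and cacheability unknown")
    if "date" in h:
        # HTTP Date is when the response was generated, so 'now' is normal;
        # it is not the object's timestamp (that would be Last-Modified).
        skew = abs(now - parsedate_to_datetime(h["date"]))
        if skew > timedelta(minutes=5):
            findings.append(f"date differs from now by {skew}: cached or skewed")
    tokens = shared_tokens(url)
    if tokens:
        findings.append(f"tenant-style token in host and path: {sorted(tokens)}")
    return findings

# Constructed sample mirroring the headers quoted in the post (date filled in).
SAMPLE_URL = "https://1wy1y.mjt.lu/tplimg/1wy1y/f/l9hl7/g3q3v.png"
SAMPLE_HEADERS = "HTTP/2 200\ndate: Fri, 22 Mar 2024 10:00:00 GMT\ncontent-type: image/png\naccept-ranges: bytes\n"
SAMPLE_NOW = datetime(2024, 3, 22, 10, 0, 30, tzinfo=timezone.utc)

if __name__ == "__main__":
    for finding in assess(SAMPLE_URL, SAMPLE_HEADERS, SAMPLE_NOW):
        print("-", finding)
```

To compare two messages (same user vs. different users), run `shared_tokens` and `assess` on each captured URL and diff the path segments that are not shared with the host: those are the candidates for per-recipient identifiers.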

[-] coffeeClean@infosec.pub 3 points 7 months ago* (last edited 7 months ago)

> as for the curl call, i tried to open the url in a browser,

I scrambled it for my own privacy… so that would not work. But I preserved the structure well enough that your insight was helpful.

this post was submitted on 22 Mar 2024