
Clear gif attachment

(@jwells)
Active Member
Joined: 16 years ago
Posts: 16
Topic starter  

Hello, I just joined the forum yesterday and I have an issue that came up today. I have not run into this, so here goes. I have a user that has a Gmail account and they suspect someone else has access to the account. The password has been changed by the user recently. One thing that is suspect is an e-mail was sent to the user by the person they suspect is reading their e-mail and it contains a clear GIF attachment. I am not sure anything could have been launched from the attachment that could have installed itself onto the user's computer to facilitate this problem. Has anyone seen this type of issue before that could help solve the puzzle?

Thanks


   
(@bithead)
Noble Member
Joined: 20 years ago
Posts: 1206
 

Clear GIFs (typically 1 pixel x 1 pixel) are used as a tracking tool. Depending on the settings in your mail client, a clear GIF or web beacon can be used to track your IP, when the message was viewed, your browser type, etc. Really just the information you divulge when you visit any web page.


   
(@indur)
Trusted Member
Joined: 17 years ago
Posts: 67
 

If it's really an attachment, the only harm could really come from viewing it. (I think one browser had a PNG display vulnerability, yes?) A link to a clear GIF, on the other hand, or an e-mail containing JavaScript, may be part of a plan to acquire Gmail session information.


   
(@Anonymous 6593)
Guest
Joined: 17 years ago
Posts: 1158
 

One thing that is suspect is an e-mail was sent to the user by the person they suspect is reading their e-mail and it contains a clear gif attachment. I am not sure anything could have been launched from the attachment that could have installed itself onto the user computer to facilitate this problem. Has anyone seen this type of issue before that could help solve the puzzle.

A couple of years ago, all kinds of errors were detected in graphics libraries, and there is no reason to believe that there doesn't remain a bug or two.

The only way you are going to see if that clear GIF file contains anything malicious is by examining it byte for byte against the GIF specification, or, if you can find one, with a program to do it for you.

Using GIFs for tracking purposes is done by links: the mail refers to http://i.spy.org/clear.gif, and when your mail reader goes out to fetch that invisible image, the web server records that you have read your mail, and whatever else it can pick up over the line. And since the image is clear, you don't see anything strange.


   
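The byte-for-byte check against the GIF specification suggested in the post above, as an added example that is not part of the original thread: a Python walk over the GIF block structure that reports dimensions, transparency, and anything malformed or appended after the trailer. The function name `inspect_gif` and the sample bytes are constructed for illustration.

```python
import struct

def inspect_gif(data: bytes) -> dict:
    """Walk a GIF block by block and report its structure and any anomalies."""
    info = {"width": 0, "height": 0, "frames": 0, "transparent": False,
            "trailing_bytes": 0, "findings": []}
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        info["findings"].append("bad signature")
        return info
    def skip_sub_blocks(p):      # length byte + payload, repeated; a zero length ends the chain
        while data[p]:           # IndexError here means the chain runs past end of file
            p += 1 + data[p]
        return p + 1
    try:
        info["width"], info["height"], flags = struct.unpack_from("<HHB", data, 6)
        pos = 13                                  # 6-byte header + 7-byte screen descriptor
        if flags & 0x80:                          # global color table follows
            pos += 3 * (2 << (flags & 0x07))
        while True:
            block = data[pos]
            if block == 0x3B:                     # trailer: anything after it is not image data
                info["trailing_bytes"] = len(data) - pos - 1
                if info["trailing_bytes"]:
                    info["findings"].append(f"{info['trailing_bytes']} bytes after trailer")
                break
            if block == 0x21:                     # extension: label byte, then sub-blocks
                if data[pos + 1] == 0xF9 and data[pos + 3] & 0x01:
                    info["transparent"] = True    # graphic control ext, transparency flag set
                pos = skip_sub_blocks(pos + 2)
            elif block == 0x2C:                   # image descriptor
                left, top, w, h, iflags = struct.unpack_from("<HHHHB", data, pos + 1)
                if left + w > info["width"] or top + h > info["height"]:
                    info["findings"].append("frame exceeds logical screen")
                pos += 10
                if iflags & 0x80:                 # local color table
                    pos += 3 * (2 << (iflags & 0x07))
                pos = skip_sub_blocks(pos + 1)    # +1 skips the LZW minimum code size byte
                info["frames"] += 1
            else:
                info["findings"].append(f"unknown block 0x{block:02x} at offset {pos}")
                break
    except (IndexError, struct.error):
        info["findings"].append("truncated or malformed block structure")
    return info

# Constructed sample: a 43-byte 1x1 transparent GIF89a.
SAMPLE = bytes.fromhex("47 49 46 38 39 61 01 00 01 00 80 00 00 00 00 00 ff ff ff"
                       "21 f9 04 01 00 00 00 00 2c 00 00 00 00 01 00 01 00 00"
                       "02 02 44 01 00 3b")
```

This checks the container structure only; it does not decode the LZW image data, so a clean result rules out structural oddities and appended content, not every possible decoder bug.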
(@jelle)
Trusted Member
Joined: 18 years ago
Posts: 52
 

Gmail also shows the 5 latest sessions, including IP address and access type (browser, POP3, mobile). Now that the user has changed the password this might be too late to use, but nevertheless worth a try (see http://www.forensicsblog.net/?p=13#more-13 for my blog posting about this).


   