An HTML-only email from a gov agency has a logo referencing an URL that looks like this:
https://1wy1y.mjt.lu/tplimg/1wy1y/f/l9hl7/g3q3v.png
It’s not exactly that (apart from the domain) but of course it’s rather unique looking. They send email routinely. The initial emails had an obviously non-suspicious basic logo, like “(their office domain)/files/logo.png”. But then later they switched and every message from them is the URL in the mjt.lu domain. It’s not unique per message but it could be unique to the user, perhaps to keep tabs on when each person reads their messages.
The output of torsocks curl -LI looks like this:
HTTP/2 200
date: (exactly now)
content-type: image/png
accept-ranges: bytes
That’s it. It’s the shortest HTTP header I’ve seen. There’s no content-length. I find that suspicious because if this is a service that facilitates tracker pixels, then they would want to withhold the length in order to dodge detection. Although from its usage in my case it wouldn’t just be a pixel – it’s a logo.
The date is also suspect. Shouldn’t the date be the date of the object, not the current time this second?
Are there any other checks to investigate this?
I would ditch an app that can’t handle text. You want a screenshot of what, curl’s output? I’m on a shitty connection with images disabled so it’s a bit of a hassle and uses my allowance.
It’s lazy input sanitization, and until someone makes a better app, this is what I got unfortunately.
Can’t you ditch your poor connection to benefit my ass and my busted ass app? 😂😜 (laughing emoji, tongue sticking out emoji in case you can’t see em)
emoji works, just not pics. But thankfully someone on a proper connection handled it.