To Thread - Forum Home

The Mudcat Café TM
4 messages

Tech: p.gif - e-mail attachment???

23 Jan 09 - 02:57 PM (#2547257)
Subject: Tech: p.gif - e-mail attachment???
From: Joe Offer

Every time I get e-mail from one Mudcatter, there's a file titled p.gif attached to his e-mail message. The file size is 0.0 kilobytes. One time I got brave (or stupid) and opened the file, and nothing appeared to happen. I hope I didn't infect my computer or something.

I googled p.gif and didn't come up with a definitive answer. It sounds like it's a one-pixel image file that's invisible, sometimes used to show the sender that the recipient has viewed the e-mail. I didn't see any information that indicated it was harmful, but sources call it annoying.

Anybody know about this?


24 Jan 09 - 01:25 AM (#2547615)
Subject: RE: Tech: p.gif - e-mail attachment???
From: JohnInKansas

Joe -

What little I found indicates that p.gif is usually used as a "dummy name" for a target file to be retrieved from another server. A "rename" statement <filename>=p.gif would normally be used in the script of the mail sent, or on the responding server, to allow showing an arbitrary image without re-writing the remote link that calls p.gif. The actual image could be a 0-byte file, or anything else that someone wanted you to see (or not see). Of course if the server your computer is told to download from actually has a p.gif file, that's what you'll get in the absence of an "alias" statement.

Ordinarily the link would be back to the sender's server, so if you trust the sender it's probably harmless.

Since your computer has to send a request to the server that's linked, it can serve to inform the linked server that you've looked at the mail, although anyone using this form might not know who read which mail. The "alias" appears to be usually on the server that the email links back to, but it's not clear how really versatile the command is. Possibly, every mail that links up looking for p.gif would get the same (p.gif or alias) file until a new alias is provided on the server.

It would normally be embedded in the script, as a "target=" link, and might show as an attachment depending on how your browser/email program handles such links.

The form appears to be used by MySpace, Facebook, and YouTube, among others, so it could be a remnant picked up as a "contamination" by anyone who posts there and/or has linked to/through there in other email, although this wouldn't normally mean it's a malware threat. All of the descriptions I found are in 'NIX threads, and the "remote link" probably is transparent to Windows and Mac users so apparently they don't have to worry about getting the code right.

It's not clear whether the "form" requires that the p.gif be on the sender's own computer/server, and if a "third party call" is permitted it could result in you being linked to a (malicious) remote computer and requesting a download of a file to display, with the result that you get something "unexpected." My impression of the methods used by the sites named is that the method can link you to third-party "service servers" that provide all the fancy and obnoxious stuff that seems far to common on those sites; but I haven't seen any indication that it's been/being maliciously used that way.

If the p.gif call is used in malware, it likely would be only a tiny part of the "worm," so the whole worm would likely have a name, but p.gif probably wouldn't be a "named malware" by itself, or even be mentioned in a description of a worm that contained it. The real malware would be in the file it downloads.

Note: high speculative content. Maybe someone who runs a UNIX Server can clarify things.


24 Jan 09 - 05:16 AM (#2547675)
Subject: RE: Tech: p.gif - e-mail attachment???
From: MartinRyan

None of the reputable virus/malware software houses seem agitated about it - and it's been around long enough for it to be known. I see some reference to specific use in the context of Perl?


24 Jan 09 - 05:15 PM (#2548160)
Subject: RE: Tech: p.gif - e-mail attachment???
From: Stilly River Sage

I think you are seeing a pixel shim. It can be a tiny little thing that is literally one pixel in size, of a particular shade (if it is a gif then it is one of about 200 "web safe" colors). This is all that is needed if someone wants to tile the background of their email (formatting it so there is a color, or if the gif is a little larger, presenting a texture or a look like a spiral binding along the edge, or a parchment backround, etc.)