User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0
Build Identifier: Thunderbird version 1.0 (20041206) on Mandrake

Preferences are set for Thunderbird to not load remote images if the sender is not in my personal address book, and most of the time this works. But spammers found a way to encode their messages so remote images get loaded. This is a security problem for me because this can send the spammer information about me: that I read his emails, and when. It's an invasion of my privacy too, so I think it is critical.

Reproducible: Always

Here is a sample email:

MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="--228946900596832"
X-Priority: 3
X-MSMail-Priority: Normal
X-UIDL: A#V"!\BN!!L(l"!glb!!

----228946900596832
Content-Type: text/html;
Content-Transfer-Encoding: base64

PGh0bWw+DQogIDxoZWFkPg0KICA8bWV0YSBodHRwLWVxdWl2PSJDb250ZW50LXR5cGUiIGNv
bnRlbnQ9InRleHQvaHRtbDsgY2hhcnNldD1ldWMta3IiPg0KICAgICAgPHRpdGxlPjwvdGl0
bGU+DQogIDwvaGVhZD4NCiAgPEJPRFk+DQo8RElWPg0KPFRBQkxFIGNlbGxTcGFjaW5nPTAg
Y2VsbFBhZGRpbmc9MCB3aWR0aD0iMTAwJSIgYm9yZGVyPTA+DQogIDxUQk9EWT4NCiAgPFRS
Pg0KICAgIDxURCBjb2xTcGFuPTMgaGVpZ2h0PTEwPjwvVEQ+PC9UUj4NCiAgPFRSPg0KICAg
IDxURCBzdHlsZT0iUEFERElORy1MRUZUOiA0MHB4IiBjb2xTcGFuPTM+PFgtTUVUQSBIVFRQ
LUVRVUlWPSJDb250ZW50LVR5cGUiIA0KICAgICAgQ09OVEVOVD0idGV4dC9odG1sOyBjaGFy
c2V0PWV1Yy1rciI+DQogICAgICA8VEFCTEUgd2lkdGg9IjEwMCUiIGJnQ29sb3I9I2ZmZmZm
ZiBMRUZUTUFSR0lOPSIwIiBUT1BNQVJHSU49IjAiIA0KICAgICAgTUFSR0lOV0lEVEg9IjAi
IE1BUkdJTkhFSUdIVD0iMCI+DQogICAgICAgIDxUQk9EWT4NCiAgICAgICAgPFRSPg0KICAg
ICAgICAgIDxURCB2QWxpZ249dG9wPg0KICAgICAgICAgICAgPENFTlRFUj48QSBocmVmPSJo
dHRwOi8vZnJlZTcuaXZ5cm8ubmV0L3B0MDA1L2luZGV4Lmh0bWwiIA0KICAgICAgICAgICAg
dGFyZ2V0PV9ibGFuaz48Rk9OVCBjb2xvcj1ibHVlIHNpemU9ND7AzLnMwfawoSC6uMDMwfYg
vsrAuyC2p7TCIMWsuK/H2MHWvLy/5DwvRk9OVD4gDQogICAgICAgICAgICA8UD48L1A+DQog
ICAgICAgICAgICA8VEFCTEUgY2VsbFNwYWNpbmc9MCBjZWxsUGFkZGluZz0wIHdpZHRoPTcw
MCBib3JkZXI9MD4NCiAgICAgICAgICAgICAgPFRCT0RZPg0KICAgICAgICAgICAgICA8VFI+
DQogICAgICAgICAgICAgICAgPFREPjxBIGhyZWY9Imh0dHA6Ly9mcmVlNy5pdnlyby5uZXQv
cHQwMDUvaW5kZXguaHRtbCIgDQogICAgICAgICAgICAgICAgICB0YXJnZXQ9X2JsYW5rPjxJ
TUcgaGVpZ2h0PTM1NyBhbHQ9IiIgDQogICAgICAgICAgICAgICAgICBzcmM9Imh0dHA6Ly9m
cmVlOC5pdnlyby5uZXQvaW1hZ2VzL2JpYV8wMS5qcGciIHdpZHRoPTcwMCANCiAgICAgICAg
ICAgICAgICAgIGJvcmRlcj0wPjwvQT48L1REPjwvVFI+DQogICAgICAgICAgICAgIDxUUj4N
CiAgICAgICAgICAgICAgICA8VEQ+PEEgaHJlZj0iaHR0cDovL2ZyZWU3Lml2eXJvLm5ldC9w
dDAwNS9pbmRleC5odG1sIiANCiAgICAgICAgICAgICAgICAgIHRhcmdldD1fYmxhbms+PElN
RyBoZWlnaHQ9MzQyIGFsdD0iIiANCiAgICAgICAgICAgICAgICAgIHNyYz0iaHR0cDovL2Zy
ZWU4Lml2eXJvLm5ldC9pbWFnZXMvYmlhXzAyLmpwZyIgd2lkdGg9NzAwIA0KICAgICAgICAg
ICAgICAgICAgYm9yZGVyPTA+PC9BPjwvVEQ+PC9UUj4NCiAgICAgICAgICAgICAgPFRSPg0K
ICAgICAgICAgICAgICAgIDxURD48QSBocmVmPSJodHRwOi8vZnJlZTcuaXZ5cm8ubmV0L3B0
MDA1L2luZGV4Lmh0bWwiIA0KICAgICAgICAgICAgICAgICAgdGFyZ2V0PV9ibGFuaz48SU1H
IGhlaWdodD0zMDEgYWx0PSIiIA0KICAgICAgICAgICAgICAgICAgc3JjPSJodHRwOi8vZnJl
ZTguaXZ5cm8ubmV0L2ltYWdlcy9iaWFfMDMuanBnIiB3aWR0aD03MDAgDQogICAgICAgICAg
ICAgICAgICBib3JkZXI9MD48L0E+PC9URD48L1RSPg0KICAgICAgICAgICAgICA8VFI+DQog
ICAgICAgICAgICAgICAgPFREPg0KICAgICAgICAgICAgICAgICAgPEZPUk0gYWN0aW9uPWh0
dHA6Ly9mcmVlNy5pdnlyby5uZXQvcmVqZWN0MS9SZWplY3RNYWlsLnBocCANCiAgICAgICAg
ICAgICAgICAgIG1ldGhvZD1wb3N0IHRhcmdldD1ibGFuaz48SU5QVVQgdHlwZT1oaWRkZW4g
DQogICAgICAgICAgICAgICAgICB2YWx1ZT1CODU2MTEyN2EzYWRiNzNmOTRjZTNhZmY1MzEx
ZmVjMGIgDQogICAgICAgICAgICAgICAgICBuYW1lPVNFUlZJQ0VfQ09ERT48QlI+PElOUFVU
IHNpemU9MzAgdmFsdWU9IiAiIA0KICAgICAgICAgICAgICAgICAgbmFtZT11c2VyX2VtYWls
PiA8SU5QVVQgdHlwZT1pbWFnZSANCiAgICAgICAgICAgICAgICAgIHNyYz0iaHR0cDovL2Zy
ZWU3Lml2eXJvLm5ldC9yZWplY3QxL2RlbnkuZ2lmIj4gufbGsMC7IMWsuK/Hz73DuOkgDQog
ICAgICAgICAgICAgICAgICC89r3FsMW6zsOzuK6woSDAzLfnvu4gwf20z7TZLjxCUj4oSWYg
eW91IGRvbqOndCB3YW50IHRvIHJlY2VpdmUgdGhpcyBtYWlsIA0KICAgICAgICAgICAgICAg
ICAgYW55bW9yZSwgY2xpY2sgaGVyZSANCiAgICAgICAgICAgIFtEZW55XSk8L0ZPUk0+PC9U
RD48L1RSPjwvVEJPRFk+PC9UQUJMRT48L0E+PC9DRU5URVI+PC9URD48L1RSPjwvVEJPRFk+
PC9UQUJMRT48L1REPjwvVFI+PC9UQk9EWT48L1RBQkxFPjwvRElWPg0KICA8L0JPRFk+DQo8
L2h0bWw+DQo=
----228946900596832--
Attached file spam sample 3 loading remote images (deleted)
Here is another sample.
The same bug appears in Mozilla SeaMonkey Mail as well.
I see it too. It appears that images sent along in the email via base64 encoding sneak by the Junk mail functionality that normally doesn't display them. It also appears to disable the "Show Images" functionality.
This bug is a security breach. My private email address gets revealed/confirmed to dictionary attackers this way, as the URL of these spam messages contains an identifier. And it is happening almost daily now. What can we do to have this bug fixed in Thunderbird 1.1?
Summary: thunderbird loading remote image from spam when it should not → thunderbird loading remote images from spam when it should not
Attached file Spam triggering the misery (deleted)
See screenshot here: What a Bugger! I can even play around with TB and it still shows the "smut".
Attachment #199570 - Attachment description: Asian spam that defeats 'block loading of remote images' → Asian spam that defeats 'block loading of remote images'. The images show in Thunderbird 1.0, but do NOT show in 1.0.7. It appears that the problem has been fixed in 1.0.7.
The 'Asian spam' test case is still loading images with version 1.5 Beta 2 (20051008) Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.8b5) Gecko/20051008 Thunderbird/1.4.1 Mnenhy/ ID:2005100806
This is a significant problem both for intentional spammers, as outlined above, and for the completely repeatable condition where SpamAssassin includes the original (spam) message as an attachment. Confirmed in version 1.0.7 (20050923). Identifies other cases where this is an issue. Strongly suggest raising severity to CRITICAL, as it is a major deficiency in a security-related feature. Strongly suggest making this a CONFIRMED bug.
Thunderbird blocks *remote* images to prevent "web bugs" -- where fetching the image tells the spammer you've read it and they now know a live address. (They can encode your address in the URI of the image they request... they don't even have to serve up an image, they just need to collect the server logs.) The purpose of the feature is not to hide images, it's to block remote loads for privacy purposes. In-line images do not have these privacy issues and are shown. (I wish the button said "Load Images" rather than "Show Images" :-( )

If you want to hide images you can change the View menu "Message Body As" setting to Simple Html or Plain Text and no images will be shown.

Also, I believe Thunderbird does not show even in-line images in mail it considers Junk, but of course the problem here is that *you* think this message is Spam but Thunderbird hasn't learned that yet.
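The distinction drawn in the reply above (a remote image load tells the sender that, and when, the mail was read; an in-line image does not), and the base64 trick in the reporter's sample, can both be checked with the following added Python example. This is not code from the bug report or from Thunderbird. The message it builds is constructed for illustration: a single-part text/html body stands in for the multipart sample, and the hostname spammer.example, the sender address, the tracking URL and the "sender must be in the address book" rule are all assumptions made here to model the preference the reporter describes.

```python
from __future__ import annotations

import email
import email.utils
import re
from email import policy
from email.message import EmailMessage

# Constructed HTML body, modelled on the reporter's sample: one remote image
# whose URL carries a per-recipient token (the "web bug"), plus one in-line
# image referenced by Content-ID. The hostname and token are made up.
SPAM_HTML = """<html><body>
<img src="http://spammer.example/track/recipient-token.gif" width="1" height="1">
<img src="cid:logo@local">
</body></html>
"""

# Matches the src attribute of an <img> tag in raw HTML bytes.
IMG_SRC = re.compile(rb'<img\b[^>]*?\bsrc\s*=\s*["\']?([^"\'\s>]+)', re.I)


def build_sample(cte: str) -> bytes:
    """Build a single-part text/html message whose body is transferred
    with the given Content-Transfer-Encoding ('7bit' or 'base64')."""
    msg = EmailMessage()
    msg["From"] = "promo@spammer.example"  # assumed sender, not in the address book
    msg["To"] = "victim@example.org"
    msg["Subject"] = "constructed sample"
    msg.set_content(SPAM_HTML, subtype="html", cte=cte)
    return msg.as_bytes()


def classify(html: bytes) -> tuple[list[str], list[str]]:
    """Split <img src=...> references into remote ones (fetched over the
    network, so they leak that and when the mail was read) and in-line
    ones (cid:/data:, served from the message itself, no network access)."""
    remote, inline = [], []
    for src in IMG_SRC.findall(html):
        s = src.decode("ascii", "replace")
        if re.match(r"https?://", s, re.I):
            remote.append(s)
        elif s.lower().startswith(("cid:", "data:")):
            inline.append(s)
    return remote, inline


def naive_scan(raw: bytes) -> tuple[list[str], list[str]]:
    """Scan the raw message bytes without undoing the transfer encoding.
    A base64-encoded HTML part contains no '<img' at this level, which is
    exactly why the reporter's sample slips past a check of this kind."""
    return classify(raw)


def mime_aware_scan(raw: bytes) -> tuple[list[str], list[str]]:
    """Walk every MIME part and decode its Content-Transfer-Encoding
    before looking for image references. This sees what the renderer sees."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    remote, inline = [], []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        html = part.get_payload(decode=True)  # base64 / quoted-printable -> bytes
        r, i = classify(html)
        remote += r
        inline += i
    return remote, inline


def images_to_load(raw: bytes, address_book: set[str]) -> list[str]:
    """Simplified model (an assumption of this example) of the preference the
    reporter describes: in-line images are always shown; remote images are
    fetched only when the From address is in the personal address book."""
    remote, inline = mime_aware_scan(raw)
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender = email.utils.parseaddr(msg.get("From", ""))[1].lower()
    return inline + (remote if sender in address_book else [])


if __name__ == "__main__":
    for cte in ("7bit", "base64"):
        raw = build_sample(cte)
        print(cte, "naive:", naive_scan(raw)[0], "mime-aware:", mime_aware_scan(raw)[0])
    print("would load:", images_to_load(build_sample("base64"), {"friend@example.org"}))
```

The point of the two scanners is that any decision about remote loads has to be taken on the decoded part, after the transfer encoding (and, for the reporter's euc-kr sample, independently of the charset) has been undone; a filter that looks at the wire bytes reports nothing for the base64 variant while the MIME-aware one finds the same tracking URL in both.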
Closed: 18 years ago
Resolution: --- → INVALID
Target Milestone: --- → Thunderbird0.2
