Closed Bug 376744 Opened 18 years ago Closed 17 years ago

External image inside junk mail gets automatically loaded without confirmation

Categories

(Thunderbird :: Mail Window Front End, defect)

x86
Windows XP
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 357321

People

(Reporter: loxnews, Assigned: mscott)

Details

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; de-DE; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3
Build Identifier: Thunderbird 1.5.0.10 (20070221)

I recognized that Thunderbird's whitelist (users in my address book are my friends, so their pictures always get autoloaded) has a glitch. If a spammer fakes the FROM: field and puts my own email address in there as sender, the images inside this mail get automatically loaded without my confirmation. No JavaScript, just simple HTML img tags.

Reproducible: Always

Steps to Reproduce:
1. Send a spam mail with external graphics and put the receiver's email as sender (FROM: header field).
2. Receive this spam mail as the receiver.
3. Look at what Thunderbird does: as long as it does not mark the mail as spam, it autoloads the image.

Yes, the mail sender is easily and frequently forged, so using the image-loading whitelist feature is a trade-off between convenience and possible privacy leaks that each user will have to make. We have switched the default in Thunderbird 2 so that it does not automatically whitelist everyone in your address book (bug 357321). It is still possible to whitelist individuals in your address book; it is your call whether the possibility of forged mail from that person is high or not. Quite a bit safer when you can do it individually rather than as a blanket permission. You should upgrade to Thunderbird 2.
Group: security
Status: UNCONFIRMED → RESOLVED
Closed: 17 years ago
Resolution: --- → DUPLICATE
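
A simplified model of the two defaults discussed in this thread, added here as an illustration and not taken from Thunderbird's code: a blanket address-book whitelist versus a per-contact opt-in, both keyed on the unauthenticated From header. The function names, the address-book dictionary and the sample message are assumptions constructed for the example.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser

# Constructed sample: spam whose From header is forged to the recipient's own address.
FORGED = """\
From: Me <me@example.org>
To: me@example.org
Subject: offer
MIME-Version: 1.0
Content-Type: text/html; charset=utf-8

<html><body><img src="http://tracker.example.net/p.gif?id=123">
<img src="cid:logo"></body></html>
"""

class _ImgCollector(HTMLParser):
    """Collects <img> sources that would trigger a network fetch."""
    def __init__(self):
        super().__init__()
        self.remote = []

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src") or ""
        if tag == "img" and src.lower().startswith(("http://", "https://")):
            self.remote.append(src)

def remote_images(msg):
    """Return the http(s) image URLs found in the message's HTML parts."""
    collector = _ImgCollector()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            body = part.get_payload(decode=True)
            collector.feed(body.decode(part.get_content_charset() or "utf-8", "replace"))
    return collector.remote

def images_to_load(raw, address_book, policy):
    """address_book maps address -> per-contact 'allow remote images' flag (hypothetical).
    'blanket': every address-book entry is trusted (the old default).
    'per_contact': only entries flagged True are trusted."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()  # header is not authenticated
    if policy == "blanket":
        trusted = sender in address_book
    else:
        trusted = address_book.get(sender, False)
    return remote_images(msg) if trusted else []
```

With the per-contact policy the forged self-addressed message loads nothing, but a message forged in the name of a contact the user has explicitly allowed still loads its images, which is the residual trade-off the comment describes.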