Closed Bug 1338905 Opened 7 years ago Closed 7 years ago

Remote content exceptions by From address can be misused by spammers

Categories

(Thunderbird :: Security, defect)

45 Branch
x86_64
Windows 10
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED WONTFIX

People

(Reporter: kgrant3, Unassigned)

Details

User Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36

Steps to reproduce:

Received spoofed e-mail from "ship-confirm@amazon.com" (showed "Amazon.com" in the From column).


Actual results:

Loaded images as though it was a legitimate Amazon email - signalling to spammer that my email address was real and live.


Expected results:

Should NOT load images, as it was not actually from amazon.com.
OS: Unspecified → Windows 10
Hardware: Unspecified → x86_64
Group: mail-core-security
That all depends on how you've set this up. Normally remote content is blocked. You can unblock it by sender and by image origin.

Say you have configured all images in messages from ship-confirm@amazon.com to always show. Then all images will also show when the e-mail is spoofed and indeed *not* from Amazon. That's why unblocking by sender is not a very safe option.

The better option is to unblock by origin. In case of Amazon that comes down to a few URLs you need to accept.
Status: UNCONFIRMED → RESOLVED
Closed: 7 years ago
Resolution: --- → WONTFIX
Summary: Image-loading options hacked → Remote content exceptions by From address can be misused by spammers
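To make the difference between the two exception types concrete, the following is an added model of the decision described in the comment above. It is not Thunderbird's code: the class and method names, the sample messages, and the hosts (`tracker.spammer.invalid`, `spammer.invalid`) are constructed for illustration. The model shows why a "by sender" exception fires for a forged From address while a "by origin" exception only lets images load from the hosts the user actually chose.

```python
from dataclasses import dataclass, field
from email.utils import parseaddr
from urllib.parse import urlparse


@dataclass
class Message:
    """A received message as the remote-content policy sees it (hypothetical model)."""
    from_header: str   # raw From: header; sender-controlled and not authenticated here
    image_urls: list   # remote image URLs referenced by the HTML body


@dataclass
class RemoteContentPolicy:
    """Hypothetical model of the two exception types discussed in the bug."""
    allowed_senders: set = field(default_factory=set)  # exceptions "by sender" (address)
    allowed_origins: set = field(default_factory=set)  # exceptions "by origin" (image host)

    def images_to_load(self, msg):
        """Return the remote images the client would fetch for this message."""
        _, addr = parseaddr(msg.from_header)  # addr-spec, ignoring the display name
        if addr.lower() in self.allowed_senders:
            # Sender exception: every remote image in the message loads, wherever it
            # is hosted. The only input is the From address, which is trivially forged.
            return list(msg.image_urls)
        # Origin exception: only images hosted on an allowlisted host load. A forged
        # message can claim any sender, but its tracking pixel cannot be served from
        # a host the spammer does not control.
        return [u for u in msg.image_urls
                if (urlparse(u).hostname or "") in self.allowed_origins]

    def contacted_hosts(self, msg):
        """Hosts that would receive a fetch, and thereby learn the mailbox is live."""
        return sorted({urlparse(u).hostname for u in self.images_to_load(msg)})


# Constructed sample messages. The spoofed one carries the same From address the
# reporter saw; its image is a placeholder tracking pixel on a non-existent host.
SPOOFED = Message(
    from_header='"Amazon.com" <ship-confirm@amazon.com>',
    image_urls=["http://tracker.spammer.invalid/open.gif?u=42"],
)
# Forged display name only; the addr-spec is the spammer's own address.
DISPLAY_ONLY = Message(
    from_header='"ship-confirm@amazon.com" <bulk@spammer.invalid>',
    image_urls=["http://tracker.spammer.invalid/open.gif?u=43"],
)
# Genuine message: images hosted on the allowlisted origin (constructed URL).
LEGIT = Message(
    from_header='"Amazon.com" <ship-confirm@amazon.com>',
    image_urls=["https://amazon.com/img/logo.png"],
)

BY_SENDER = RemoteContentPolicy(allowed_senders={"ship-confirm@amazon.com"})
BY_ORIGIN = RemoteContentPolicy(allowed_origins={"amazon.com"})

if __name__ == "__main__":
    for pname, policy in (("by sender", BY_SENDER), ("by origin", BY_ORIGIN)):
        for mname, msg in (("spoofed", SPOOFED), ("display", DISPLAY_ONLY), ("legit", LEGIT)):
            print(f"{pname:9s} {mname:8s} contacts {policy.contacted_hosts(msg)}")
```

Run as a script, the table shows the asymmetry: the sender exception loads the spoofed message's pixel (the beacon the reporter observed), whereas the origin exception loads nothing from it and still renders the genuine message's images. The display-name-only forgery is rejected by both policies because the allowlist keys on the addr-spec, but that is no protection, since the addr-spec itself is just as forgeable.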
Magnus, I suggested in bug 1193200 to remove the unblocking by sender.