Closed Bug 188476 Opened 22 years ago Closed 16 years ago

default setting for "Do not load remote images in M&NG messages"

Categories

(MailNews Core :: Security, enhancement)

Product:
MailNews Core
Component:
Security
Type:
enhancement
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED WORKSFORME

People

(Reporter: Chris, Unassigned)

References

Details

User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.3b) Gecko/20030106
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.3b) Gecko/20030106

Would it be possible to change the default value of the "Do not load remote
images in M&NG messages" to true?  Or, even better, that the user is promted
with "Do you want to load remote messages: yes, no, always, never" when a
message contains an external reference...

Reproducible: Always

Steps to Reproduce:
1.
2.
3.
Why should the default should be changed? Or is this merely a theoretical question?
No, it's not merely a theoretical question :-)

I think we can safly say that remote pictures in messages are mostly used by
spam messages to track by a unique url if a certain user reads the spam
message... if one has pane-view on, it often happens that the external url is
already loaded before you see (eg from the subject) that the message is spam. 
Your email address is marked as active in the spammers db and you'll get even
more spam :-(

The option is a bit hard to find in the preferences, and a lot of people don't
know what the remote pictures are used for.  I know several people who use
Mozilla as their mail client who had the option off because they did not know
about it.

The best solution would definitely be a dialog asking "load remote messages:
yes, no, always, never + warning" but I guess that is a lot more work to
implement...

Cheers,
Chris.
I agree that 90% of remote images for 90% of people are spam, and a high
proportion are quite nasty spam.  But I don't think we should turn off
functionality like this by default.  The preference is hard to find - how about
an option on the context menu similar to the "Block images from this server"?
> The preference is hard to find - how about an option on the context menu
similar to the "Block images from this server"?

I'm afraid they (the spammers) use way too many different servers, so that this
blocking of images of certain servers wouldn't be very effective.  Often they
even use several servers in one spam message for downloading the infamous 1-px
with unique url.  This way they are more certain that the one of servers is
still up and running by the time you read the message.

The other problem is that the moment you block images from a certain server, the
damage is already done... your email address is already verified and will be
sold for very good money.

If changing the default is not an option (which I understand: to the average
user features are more important than security, and especially than privacy)
then I think the pop-up (with a warning why remote pictures are bad for privacy)
would be the best option...

Cheers,
Chris.
No, what I meant was a new entry that isn't currently on the context menu sown
for images in email, effectively setting the preference that is so tricky to
find, or possibly just taking you to the preference dialog.  That would enable
most people who want remote images blocked to do it.  Certainly putting this on
a right-click on windows is obvious enough, I don't know about other OS's.

Something else that should affect the thinking on this issue is the
spam-blocking functionality being developed.  One of the features is that email
classified as spam does not get HTML-rendered, hence spam images are never
displayed while legitimate images are still shown.
Looks like a dupe of bug 28327
Depends on: 37983
Hardware: PC → All
the reasoning behind this bug-report sounds like bug 28327 and probably a dozen
similar bugs. But i disagree the default should be to disable image loading in
mail. If it is hard to find how to turn the ability off, that is quite another
problem. And if it's really so hard, and this bug should be accepted: a "fix"
would likely spawn a ton of bug-reports. Most users expect images to load.
I vote a resolution of wontfix.
I concur with the wontfix. Privacy concerns, while important, must be balanced
with real and perceived usability concerns. The vast majority of our users
expect images to load in mail. CCing Ben Bucksch, he produces a "high-privacy"
Mozilla distribution called Beonex, and he may be interested in making this
change in his distribution.
Status: UNCONFIRMED → RESOLVED
Closed: 22 years ago
Resolution: --- → WONTFIX
Thanks, Mitch, for the cc. :-)

This is already fixed in Beonex Communicator, and in addition to that Simple
HTML is used by default.
Verified wontfix.
Status: RESOLVED → VERIFIED
Hotmail.com with its 110,000,000 users has recently started to disable remote
images by default. If the typical Hotmailer can stand it, than definitely most
Mozilla users can too. I'm quite sure that Outlook 2003 also do this by default.

Please reopen this bug, it actively helps spammers target our userbase.

Prog.
Reopening, I agree with last comment. Hotmail may just give enough reason for
legitimate senders to stop sending external image references.
Status: VERIFIED → UNCONFIRMED
Resolution: WONTFIX → ---
confirm, over to mscott
Assignee: security-bugs → mscott
Status: UNCONFIRMED → NEW
Ever confirmed: true
As much as I dearly want this default change to happen, it should only happen
when there is easily accessible UI for making these images show up again.
 - spam
 - note
 - ad-filled but otherwise wanted newsletter
 - spam
 - mail from friend with pictures

Currently if I've turned off images in mail when I get to mail 5 I have to dig
into preferences, flip the pref, reload the mail, then go back into preferences
and turn off images before skimming the rest of my box. It's just too painful to
inflict on people by default.

In otherwords we need a mail equivalent to browser RFE bug 61710. Not sure where
you'd get the real estate for such a button in mail, maybe a View menu item
(with a hotkey, of course).
> - mail from friend with pictures

Does your friend send you mails with images lying on a webserver, but embedded
per HTML in the mail, no clickable URL/link?
It was a hypothetical example, friends usually send links. But I do get the
occasional mail where I want to see the images and it's a PITA. I tend to get
more of these from less internet-savvy family members sending me something
they've found. I'm guessing they more closely approximate the general public
than my friends, that they want to see these kinds of things, and that they
wouldn't put up with the PITA of turning images on and off -- they'd curse
Mozilla and turn them on permanently. Then what good has the setting done? The
very people who need the most protecting are right back in the current
situation, and there aren't enough fewer imageless mail receivers (on our part,
Hotmail is another story) to encourage senders to skip the images.

Are you honestly arguing against an obvious button to load images in an
individual mail? Or second best at least a top-level View-menu item? It would
simply be much better UI for this feature.
> Are you honestly arguing against an obvious button to load images in an
> individual mail?

No, depending on how it's implemented (e.g. only appearing, if images are
actually blocked for the mail you're viewing).

My point was rather that the case you mentioned probably doesn't exist in
practice or is very rare. The images you want to see most are those sent by
individuals to you (or a small group), and they usually don't upload images to a
webserver and embed img references to that, but either attach the images to the
mail or create a webpage and textually link to the page. The only problematic
cases I know are commercial mailings (which hopefully now learn better with
hotmail switching) and maybe when people do Send Page, depending on that
implementation.
I just wanted to add that I agree image loading should be disabled by default,
and say that I a "Load Images" button should be implemented, the same way
Hotmail does.

Hotmail messages containing remote images just have a line at the top: "To help
protect your privacy (more info) Hotmail blocked images in this message. Show
images once  | Always show from this sender"  Mozilla could have a similar line
added to the header pane to the effect of "This message contains remote images"
with a "Load" button.

Another idea, the first time you load a message containing remote images, a
dialog could pop up saying:

This message contains images loaded from a remote server.  These images can be
used by spammers to verify your email address.  Do you want to load images from
this server?
[x] Always block remote images
[ ] Always report when a message contains remote images
Yes / No

The browser already does this for, e.g. submitting form data.  I see no reason
why this (by default) one-time popup should be a problem.

Incidentally, images in this message should refer to all forms of
content/css/iframes/whatever.  Thoughts?  I now realize this all should be in a
separate RFE. :)
*** Bug 218395 has been marked as a duplicate of this bug. ***
Hello, 
 
Sorry for adding a comment, but I consider the current unsafe situation a 
showstopper.  
 
Mozilla claims to be a safe e-mail client. The default to read remote images 
from e-mail and news message contradicts this. Now that spam comes everyday to 
nearly everybody, all mozilla beginners get their adress validated on 
spammers' database, which should never happen with a client that claims being 
safe. 
 
Even advanced user get caught. I consider myself an advanced Unix user. I use 
mozilla at different places (4 at the moment). In some situations it is better 
than e.g. kmail. Until mozilla can use a roaming profile stored on an IMAP 
server, I (and many others) have to manually switch image loading to off from 
all places (and re-declare accounts etc...) only to realize some time later 
that I forgot to turn off remote images on this workplace. 
 
I consider comment #19 the best compromise : like submitting unencrypted 
forms, remote connections spawned by unsafe content is of high enough 
importance to trigger a question to the user. 
http://bugzilla.mozilla.org/show_bug.cgi?id=188476#c19 
 
*Remember that in any bigger-than-trivial software, the vast majority of users 
run with default settings.* 
 
This is an important and daily issue for many users. 
 
Thank you for your attention.
Product: MailNews → Core
I also find it a nuisance that I have to turn off remote images everytime I configure a mail account. I'd even like to turn off images sent as attachments as well, eg. given all the recent and not so recent wave of bugs in image processing  software that lead to execution of (unwanted) code.

The fail-safe method should be to have this option _OFF_, and display a big warning to the user when he gets an email that wants to load a remote image, asking if he wants to allow it this time, from this server, or always, before
any URL is followed, and before any image is displayed.

Voting for this bug.
Ian, WONTFIX?  similar to Bug 289200.
Assignee: mscott → nobody
QA Contact: junruh → security
I think the world has changed a lot since when filed and argued, in favor of fixing this bug. Spam is the majority of mail, and the only real legitimate use of remote images is advertizing mails, but even then often with webbugs.

I think it's time to change the default to disable any remote content.
Am I confused or is this already fixed?
With Thunderbird, I see no GUI pref anymore.
In about:config, I see
mailnews.message_display.disable_remote_image   true (default)
mailnews.message_display.disable_remote_images.useWhitelist   false (user)
I see seamonkey hasn't changed to thunderbird's model, noted at http://kb.mozillazine.org/Privacy_basics_(Thunderbird)

not a "core" bug?
Product: Core → MailNews Core
So the desired outcome here is that SeaMonkey should have disable_remote_image default to true, and have UI to enable remote images for a particular message, and to enable remote images for a particular sender from then on? Yay, WFM (since 2006 and 2005, respectively).
Status: NEW → RESOLVED
Closed: 22 years ago16 years ago
Resolution: --- → WORKSFORME
You need to log in before you can comment on or make changes to this bug.