User Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36

Steps to reproduce: Received spoofed e-mail from "firstname.lastname@example.org" (showed "Amazon.com" in the From column).

Actual results: Loaded images as though it was a legitimate Amazon email, signalling to the spammer that my email address was real and live.

Expected results: Should NOT load images, as it was not actually from amazon.com.
That all depends on how you've set this up. Normally remote content is blocked. But you can unblock it by sender and by image origin. Say you have configured all images in messages from email@example.com to always show. Then all images will also show when the e-mail is spoofed and indeed *not* from Amazon. That's why unblocking by sender is not a very safe option. The better option is to unblock by origin. In the case of Amazon that comes down to a few URLs you need to accept.
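The difference between the two exceptions described in the comment above, as an added illustration that is not part of this bug thread or of Thunderbird's code: a constructed spoofed message with a spammer's tracking pixel passes a sender-based exception for email@example.com but fails an origin-based one, while a constructed legitimate message passes both. The hostnames are placeholders, not real Amazon image servers.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse


class ImgSrcCollector(HTMLParser):
    """Collect the src of every <img> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.sources.extend(v for k, v in attrs if k == "src" and v)


def image_origins(html):
    """Return the set of hostnames the message's images would be fetched from."""
    collector = ImgSrcCollector()
    collector.feed(html)
    return {h for h in (urlparse(s).hostname for s in collector.sources) if h}


def load_by_sender(msg, allowed_senders):
    """Sender-based exception: trusts the From header, which the spammer controls."""
    _, addr = parseaddr(msg["From"])
    return addr.lower() in allowed_senders


def load_by_origin(msg, allowed_hosts):
    """Origin-based exception: load only if every image host is on the allowlist."""
    origins = image_origins(msg.get_payload())  # assumes a single-part text/html body
    return bool(origins) and origins <= allowed_hosts


# Constructed sample data; the hosts are placeholders (.invalid TLD), not real servers.
ALLOWED_SENDERS = {"email@example.com"}
ALLOWED_HOSTS = {"images.amazon-example.invalid"}

SPOOFED = message_from_string(
    'From: "Amazon.com" <email@example.com>\nContent-Type: text/html\n\n'
    '<html><body><img src="http://tracker.spammer-example.invalid/p.gif"></body></html>'
)
LEGIT = message_from_string(
    'From: "Amazon.com" <email@example.com>\nContent-Type: text/html\n\n'
    '<html><body><img src="https://images.amazon-example.invalid/logo.png"></body></html>'
)
```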
Magnus, I suggested in bug 1193200 to remove the unblocking by sender.