Bug 1338905 - Remote content exceptions by From address can be misused by spammers
Status: RESOLVED WONTFIX (Closed)
Opened 7 years ago, closed 7 years ago
Categories: Thunderbird :: Security, defect
Tracking: not tracked
People: Reporter kgrant3, Unassigned
Description (Reporter, 7 years ago)

User Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36

Steps to reproduce:
Received spoofed e-mail from "ship-confirm@amazon.com" (showed "Amazon.com" in the From column).

Actual results:
Loaded images as though it was a legitimate Amazon email, signalling to the spammer that my email address was real and live.

Expected results:
Should NOT load images, as it was not actually from amazon.com.
Updated (7 years ago):
OS: Unspecified → Windows 10
Hardware: Unspecified → x86_64
Updated (7 years ago):
Group: mail-core-security
Comment 1 (7 years ago)

That all depends on how you've set this up. Normally remote content is blocked. But you can unblock it by sender and by image origin. Say you have configured all images in messages from ship-confirm@amazon.com to always show. Then all images will also show when the e-mail is spoofed and indeed *not* from Amazon. That's why unblocking by sender is not a very safe option. The better option is to unblock by origin. In the case of Amazon that comes down to a few URLs you need to accept.
Status: UNCONFIRMED → RESOLVED
Closed: 7 years ago
Resolution: --- → WONTFIX
Summary: Image-loading options hacked → Remote content exceptions by From address can be misused by spammers
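Added illustration of the point made in Comment 1 (toy code, not Thunderbird's implementation): a sender exception lets every remote image in a message with a forged From address load, including a tracking pixel on the spammer's host, while an origin exception loads only images served from the hosts the user explicitly accepted. The trusted sender, the trusted origin and the message URLs are constructed values.

```python
# Added example (not Thunderbird's code): models the two kinds of remote-content
# exception contrasted in Comment 1, to show why a spoofed From header defeats
# the sender-based one while the origin-based one still blocks the tracker.
from email.utils import parseaddr
from typing import List, Optional
from urllib.parse import urlparse

# Constructed policy: the user trusts Amazon shipping confirmations.
ALLOWED_SENDERS = {"ship-confirm@amazon.com"}
# Constructed origin; real Amazon image hosts differ (.example is a placeholder TLD).
ALLOWED_ORIGINS = {"https://images.amazon-cdn.example"}


def origin_of(url: str) -> Optional[str]:
    """Normalised scheme://host[:port] of an http(s) URL, or None for anything else."""
    p = urlparse(url)
    if p.scheme not in ("http", "https") or not p.hostname:
        return None
    default = 443 if p.scheme == "https" else 80
    port = f":{p.port}" if p.port and p.port != default else ""
    return f"{p.scheme}://{p.hostname}{port}"


def sender_address(from_header: str) -> str:
    """Extract the addr-spec; the display name is ignored, as a mail client does."""
    return parseaddr(from_header)[1].lower()


def load_by_sender(from_header: str, image_urls: List[str]) -> List[str]:
    """Sender exception: if the From address is trusted, every image loads,
    wherever it points. Nothing here verifies that the header is genuine."""
    if sender_address(from_header) in ALLOWED_SENDERS:
        return list(image_urls)
    return []


def load_by_origin(from_header: str, image_urls: List[str]) -> List[str]:
    """Origin exception: only images on a trusted origin load; From is irrelevant."""
    return [u for u in image_urls if origin_of(u) in ALLOWED_ORIGINS]


# Constructed spoofed message: forged From, a genuine-looking logo and a tracking pixel.
SPOOFED_FROM = '"Amazon.com" <ship-confirm@amazon.com>'
SPOOFED_IMAGES = [
    "https://images.amazon-cdn.example/logo.png",
    "http://track.spammer.example/pixel.gif?rcpt=victim",
]

if __name__ == "__main__":
    print("by sender:", load_by_sender(SPOOFED_FROM, SPOOFED_IMAGES))
    print("by origin:", load_by_origin(SPOOFED_FROM, SPOOFED_IMAGES))
```

With the sender exception the tracking pixel loads and confirms the recipient address; with the origin exception only the image on the accepted host loads.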
Comment 2 (7 years ago)

Magnus, I suggested in bug 1193200 to remove the unblocking by sender.