User Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36

Steps to reproduce:
Received spoofed e-mail from "email@example.com" (showed "Amazon.com" in the From column).

Actual results:
Loaded images as though it was a legitimate Amazon email - signalling to spammer that my email address was real and live.

Expected results:
Should NOT load images, as it was not actually from amazon.com.
OS: Unspecified → Windows 10
Hardware: Unspecified → x86_64
That all depends on how you've set this up. Normally remote content is blocked. You can unblock it by sender and by image origin. Say you have configured all images in messages from firstname.lastname@example.org to always show. Then all images will also show when the e-mail is spoofed and indeed *not* from Amazon. That's why unblocking by sender is not a very safe option. The better option is to unblock by origin. In the case of Amazon that comes down to a few URLs you need to accept.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → WONTFIX
Summary: Image-loading options hacked → Remote content exceptions by From address can be misused by spammers
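An added illustration (not from the bug thread and not Thunderbird's code) of the difference between the two exception types described in the comment above: a simplified model in which a sender exception is keyed on the From header and an origin exception on the image URL's origin. The addresses, hosts and messages are constructed sample data.

```javascript
// Simplified model of two kinds of remote-content exception (not Thunderbird's code).
// All addresses, hosts and messages below are constructed sample data.

// Extract the address from a From header such as '"Shop" <a@b.example>'.
function fromAddress(fromHeader) {
  const m = /<([^<>\s]+)>\s*$/.exec(fromHeader);
  return (m ? m[1] : fromHeader).trim().toLowerCase();
}

// Decide which remote images would load for a message.
// policy.senders: From addresses whose messages may load all remote images.
// policy.origins: origins (scheme://host[:port]) whose images may load.
function imagesLoaded(message, policy) {
  // The From header is chosen by whoever sent the message, so this check
  // passes for a spoofed message just as it does for a genuine one.
  const senderAllowed = policy.senders.includes(fromAddress(message.from));
  return message.images.filter((src) => {
    let origin;
    try {
      origin = new URL(src).origin;
    } catch (e) {
      return false; // unparsable URL: never load
    }
    return senderAllowed || policy.origins.includes(origin);
  });
}

const genuine = {
  from: '"Shop" <orders@shop.example>',
  images: ["https://images.shop.example/logo.png"],
};
// Same From header, sent by someone else; the first image is a tracking pixel.
const spoofed = {
  from: '"Shop" <orders@shop.example>',
  images: ["https://tracker.invalid/open.gif?id=123",
           "https://images.shop.example/logo.png"],
};

const bySender = { senders: ["orders@shop.example"], origins: [] };
const byOrigin = { senders: [], origins: ["https://images.shop.example"] };

for (const [name, policy] of [["by sender", bySender], ["by origin", byOrigin]]) {
  console.log(name, "genuine:", imagesLoaded(genuine, policy));
  console.log(name, "spoofed:", imagesLoaded(spoofed, policy));
}
```

With the sender exception the spoofed message loads both images, including the tracking pixel; with the origin exception only the image hosted on the accepted origin loads.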
Magnus, I suggested in bug 1193200 to remove the unblocking by sender.