Remote content exceptions by From address can be misused by spammers

RESOLVED WONTFIX

Status

Thunderbird
Security
RESOLVED WONTFIX
10 months ago
10 months ago

People

(Reporter: Kenneth Grant, Unassigned)

Tracking

45 Branch
x86_64
Windows 10

Firefox Tracking Flags

(Not tracked)

Details

Description

10 months ago
User Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36

Steps to reproduce:

Received spoofed e-mail from "ship-confirm@amazon.com" (showed "Amazon.com" in the From column).


Actual results:

Loaded images as though it were a legitimate Amazon email, signalling to the spammer that my email address was real and live.


Expected results:

Should NOT load images, as it was not actually from amazon.com.

Updated

10 months ago
OS: Unspecified → Windows 10
Hardware: Unspecified → x86_64

Updated

10 months ago
Group: mail-core-security

Comment 1

10 months ago
That all depends on how you've set this up. Normally remote content is blocked. You can unblock it by sender and by image origin.

Say you have configured all images in messages from ship-confirm@amazon.com to always show. Then all images will also show when the e-mail is spoofed and indeed *not* from Amazon. That's why unblocking by sender is not a very safe option.

The better option is to unblock by origin. In case of Amazon that comes down to a few URLs you need to accept.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 10 months ago
Resolution: --- → WONTFIX
Summary: Image-loading options hacked → Remote content exceptions by From address can be misused by spammers
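As an added illustration of the distinction drawn in comment 1 (example code, not Thunderbird's own implementation), the following Python models the two exception types on a constructed message. The addresses, host names and message bodies are placeholders, not real Amazon or spammer infrastructure.

```python
"""Model of the two remote-content exception types described in the bug:
an exception keyed on the From address also matches a spoofed message,
while an exception keyed on image origin only matches the hosts the
images are actually fetched from. Everything here is constructed."""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed legitimate-looking message: the image is hosted on the
# (placeholder) host the user has chosen to allow.
LEGIT_RAW = b"""\
From: Amazon.com <ship-confirm@amazon.com>
To: victim@example.net
Subject: Your order has shipped
Content-Type: text/html; charset=utf-8

<html><body><p>Your package is on its way.</p>
<img src="http://images.amazon.example/ship.png"></body></html>
"""

# Constructed spoof: identical From header, but the image now points at a
# placeholder host the spammer controls (a read-receipt style tracker).
SPOOFED_RAW = LEGIT_RAW.replace(
    b"images.amazon.example/ship.png", b"tracker.spammer.example/open?id=victim")

IMG_SRC = re.compile(r'<img[^>]+src="([^"]+)"', re.IGNORECASE)

def _parse(raw):
    return BytesParser(policy=policy.default).parsebytes(raw)

def sender_of(raw):
    """Bare address from the From header, exactly as the sender wrote it."""
    return parseaddr(str(_parse(raw)["From"]))[1].lower()

def remote_image_urls(raw):
    """Remote image URLs referenced by the HTML body (empty if no HTML)."""
    body = _parse(raw).get_body(preferencelist=("html",))
    return IMG_SRC.findall(body.get_content()) if body else []

def loads_by_sender(raw, allowed_senders):
    """Exception keyed on From: trusts an unauthenticated header."""
    return sender_of(raw) in allowed_senders

def loads_by_origin(raw, allowed_hosts):
    """Exception keyed on image origin: every image host must be allowed."""
    urls = remote_image_urls(raw)
    return bool(urls) and all(urlparse(u).hostname in allowed_hosts for u in urls)
```

Both messages pass the sender exception because the From header is identical; only the origin exception distinguishes the spoof, because the tracker image is not served from an allowed host.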

Comment 2

10 months ago
Magnus, I suggested in bug 1193200 to remove the unblocking by sender.