Closed Bug 181338 Opened 22 years ago Closed 22 years ago

Mail still executes remote Flash and sound files in spam messages

Categories

(SeaMonkey :: MailNews: Account Configuration, enhancement)

x86
Windows XP
enhancement
Not set
normal

Tracking

(Not tracked)

VERIFIED DUPLICATE of bug 28327

People

(Reporter: d_h_l_h, Assigned: racham)

Details

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.1) Gecko/20020826
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.1) Gecko/20020826

When viewing a received HTML email, Mozilla executes remote files such as Flash
programs and sound files even if the "do not load remote images" setting is
checked in the preferences.
This enables spammers to track who receives their email even though remote image
loading is disabled.  It also means that Mozilla will automatically play a sound
file out loud when viewing an email.
Could this setting be changed to block Mail from making any automatic
connections to remote servers other than one's own mail server?

Reproducible: Always

Steps to Reproduce:
1. Read an HTML email message with embedded sounds or Flash.

Actual Results:  
Sounds or movies are automatically downloaded from a remote server and played.

Expected Results:  
Not play any remote files, animations, or sounds.

This is the body of the spam message that caused this:

<HTML><BODY BGCOLOR=3D#FFFFFF><object classid=3D"clsid:D27CDB6E-AE6D-11cf-9=
6B8-444553540000" codebase=3D"http:/download.macromedia.com/pub/shockwave/=
cabs/flash/swflash.cab#version=3D5,0,0,0" width=3D"18" height=3D"18"> <par=
am name=3Dmovie value=3D"http://www.OurOneRate.com/ad/newsound.swf"><param=
 name=3Dquality value=3Dhigh><embed src=3D"http://www.FamilyOneRate.com/ad=
/newsound.swf" quality=3Dhigh pluginspage=3D"http:/www.macromedia.com/shoc=
kwave/download/index.cgi?P1_Prod_Version=3DShockwaveFlash" type=3D"applica=
tion/x-shockwave-flash" width=3D"18" height=3D"18"></embed></object><TABLE=
 WIDTH=3D600 BORDER=3D0 CELLPADDING=3D0 CELLSPACING=3D0 align=3D"center"><=
TR><TD COLSPAN=3D3><IMG SRC=3D"http://www.OneRateNow.com/ad/images/long-di=
stance_01.gif" WIDTH=3D600 HEIGHT=3D57></TD><TD><IMG SRC=3D"http://www.Our=
OneRate.com/ad/images/spacer.gif" WIDTH=3D1 HEIGHT=3D57></TD></TR><TR><TD>=
<IMG SRC=3D"http://www.FamilyOneRate.com/ad/images/long-distance_02.gif" W=
IDTH=3D378 HEIGHT=3D31></TD><TD COLSPAN=3D2 ROWSPAN=3D2><IMG SRC=3D"http:/=
/www.OneRateNow.com/ad/images/long-distance_03.gif" WIDTH=3D222 HEIGHT=3D2=
18></TD><TD><IMG SRC=3D"http://www.OurOneRate.com/ad/images/spacer.gif" WI=
DTH=3D1 HEIGHT=3D31></TD></TR><TR><TD ROWSPAN=3D2><IMG SRC=3D"http://www.F=
amilyOneRate.com/ad/images/long-distance_04.gif" WIDTH=3D378 HEIGHT=3D282>=
</TD><TD><IMG SRC=3D"http://www.OneRateNow.com/ad/images/spacer.gif" WIDTH=
=3D1 HEIGHT=3D187></TD></TR><TR><TD><IMG SRC=3D"http://www.OurOneRate.com/=
ad/images/long-distance_05.gif" WIDTH=3D69 HEIGHT=3D95></TD><TD><map name=3D=
"FPMap0"><area href=3D"https://FamilyOneRate.com" shape=3D"rect" coords=3D=
"0, 0, 152, 94"></map><IMG SRC=3D"http://www.OneRateNow.com/ad/images/long=
-distance_06.gif" WIDTH=3D153 HEIGHT=3D95 usemap=3D"#FPMap0" border=3D"0">=
</TD><TD><IMG SRC=3D"http://www.OurOneRate.com/ad/images/spacer.gif" WIDTH=
=3D1 HEIGHT=3D95></TD></TR><TR><TD COLSPAN=3D3><IMG SRC=3D"http://www.Fami=
lyOneRate.com/ad/images/long-distance_07.gif" WIDTH=3D600 HEIGHT=3D53></TD=
><TD><IMG SRC=3D"http://www.OneRateNow.com/ad/images/spacer.gif" WIDTH=3D1=
 HEIGHT=3D53></TD></TR></TABLE><div align=3D"center"><b><font face=3D"Verd=
ana, Arial, Helvetica, sans-serif" size=3D"1">Please <a href=3D"http://opt=
-out.opmnet.net">click here</a> if you wish to be removed from this mailin=
g list</font></b></div></BODY></HTML>

Edit > Preferences > Advanced > Scripts & Plugins

disable plugins in mail.  Why the mail people put this pref there, I have no clue.
Assignee: naving → racham
Component: Filters → Account Manager
QA Contact: laurel → nbaca
You can disable plugins for mailnews and if you want to disable all remote
loading (which includes plugins) you mean bug 28327

*** This bug has been marked as a duplicate of 28327 ***
Status: UNCONFIRMED → RESOLVED
Closed: 22 years ago
Resolution: --- → DUPLICATE
v
Status: RESOLVED → VERIFIED
Product: Browser → Seamonkey
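
An added example, not part of the bug report or of Mozilla's code: a Python check that decodes a quoted-printable HTML body like the one in the report and lists every reference a renderer would fetch without a click, then shows which of them remain when only images are blocked. The tag/attribute list, the function names and the sample message (with example.test hosts) are assumptions constructed for illustration.

```python
import quopri
from html.parser import HTMLParser

# Assumed (tag, attribute) pairs that a renderer fetches with no user action.
# <a href> and <area href> are left out because they need a click.
AUTO_ATTRS = {("img", "src"), ("embed", "src"), ("object", "data"),
              ("bgsound", "src"), ("iframe", "src"), ("script", "src"),
              ("body", "background"), ("link", "href")}
REMOTE_PREFIXES = ("http://", "https://", "ftp://", "//")


class RemoteLoadFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.found = []  # (tag, attribute, url) in document order

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        # Plugin parameters such as <param name=movie value=URL> carry the media URL.
        if tag == "param" and a.get("name", "").lower() in ("movie", "src"):
            self._add(tag, "value", a.get("value", ""))
        for name, value in a.items():
            if (tag, name) in AUTO_ATTRS:
                self._add(tag, name, value)

    def _add(self, tag, attr, url):
        if url.strip().lower().startswith(REMOTE_PREFIXES):
            self.found.append((tag, attr, url.strip()))


def remote_loads(qp_body: bytes):
    """Decode a quoted-printable HTML part and list its automatic remote fetches."""
    html = quopri.decodestring(qp_body).decode("latin-1")
    finder = RemoteLoadFinder()
    finder.feed(html)
    finder.close()
    return finder.found


def survives_image_blocking(qp_body: bytes):
    """References still fetched when the client blocks only <img> loads."""
    return [hit for hit in remote_loads(qp_body) if hit[0] != "img"]


# Constructed sample: same shape as the reported message, placeholder hosts.
SAMPLE = (b'<HTML><BODY><object width=3D"18" height=3D"18"><param name=3Dmovie va=\n'
          b'lue=3D"http://ads.example.test/s.swf"><embed src=3D"http://ads.exampl=\n'
          b'e.test/s.swf" type=3D"application/x-shockwave-flash"></embed></object=\n'
          b'><IMG SRC=3D"http://ads.example.test/a.gif"><a href=3D"http://ads.exa=\n'
          b'mple.test/out">click</a></BODY></HTML>')
```

A non-empty result from `survives_image_blocking` means the message can still trigger remote requests with image loading turned off, which is the behaviour this report describes.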