218627 - MailNews client downloads remote content such as ShockwaveFlash embedded in HTML mails

Status: RESOLVED DUPLICATE of bug 28327

(MailNews Core :: Security, enhancement)

Description

[Kas Robson]

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.5b) Gecko/20030827
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.5b) Gecko/20030827

Spam containing the HTML...

<OBJECT classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000"
codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=5,0,0,0"
WIDTH="540" HEIGHT="275" id="form" ALIGN=""><PARAM NAME="movie" 
VALUE="http://www.cooltvoffers.net/order/flash/iv/ft/form-ft01.swf?Host=cooltvoffers&clid=1&gid=FT01&CID=103463"><PARAM
NAME="menu" VALUE="false"><PARAM NAME="quality" VALUE="high"><PARAM
NAME="bgcolor" VALUE="#FFFFFF"><EMBED
src="http://www.cooltvoffers.net/order/flash/iv/ft/form-ft01.swf?Host=cooltvoffers&clid=1&gid=FT01&CID=103463"
quality="high" 
bgcolor="#FFFFFF" WIDTH="540" HEIGHT="275" NAME="form" ALIGN=""
TYPE="application/x-shockwave-flash"
PLUGINSPAGE="http://www.macromedia.com/go/getflashplayer"></EMBED></OBJECT>

...displays the damn movie, even though I have ticked the "Do not load remote
images in mail and newsgroup messages" (presumeably because it is simply
throwing away <img>...</img> tags).

However, any download can be used by spammers to verify that the mail is being
received by an active mail account. I would have though that this option should
be replaed (or added to) with a "don't download *any* content..." option.

Reproducible: Always

Steps to Reproduce:
1.
2.
3.

Comment 1

[Mats Palmgren (inactive)]

Edit > Preferences > Advanced > Scripts & Plugins 

disable plugins in mail.

If you want to disable all remote loading (which includes plugins)
this is bug 28327

*** This bug has been marked as a duplicate of 28327 ***