Image Blocking failed to block this image in a spam email.

RESOLVED INCOMPLETE

Status

Thunderbird
Mail Window Front End
--
major
RESOLVED INCOMPLETE
13 years ago
9 years ago

People

(Reporter: Alex, Unassigned)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: closeme 2009-03-12)

Attachments

(1 attachment)

(Reporter)

Description

13 years ago
User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.6) Gecko/20050404 Firefox/1.0.2
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.6) Gecko/20050404 Firefox/1.0.2

I recieved a spam email with a remote image that was not blocked by Thunderbird.
I think it's because the HTML used BASE HREF="..." then a relative path in the
IMG tag.

Reproducible: Always

Steps to Reproduce:
1. Recieve this email
2. Look at email without clicking "Show Images" button.
Actual Results:  
I could see the picture.

Expected Results:  
I should not have seen the picture without clicking "Show Images"
(Reporter)

Comment 1

13 years ago
Created attachment 180306 [details]
This is the email with the image that got through.
I could not reproduce: the image was correctly blocked when I viewed this mail.
I tried on Windows, not Linux, but I can't imaging that makes a difference.
Assignee: dveditz → mscott
Component: Security → Mail Window Front End
QA Contact: thunderbird
Whiteboard: wfm? try on linux
(Reporter)

Comment 3

13 years ago
Almost forgot. I'm using TBird "version 1.0 (20050205)" (according to Help Box)

Updated

13 years ago
Attachment #180306 - Attachment mime type: application/octet-stream → message/rfc822

Comment 4

13 years ago
The image was blocked for me with TB 1.0.2 and TB 1.0+0603, Win2K.

Alex, are you sure you haven't added the sender to your whitelist?
(Reporter)

Comment 5

13 years ago
I haven't intentionally added anyone to my whitelist.

Comment 6

13 years ago
I can confirm this bug. I am using Thunderbird Version 1.0.6 on a system running
Windows XP. (No service packs installed; I'm switching to Ubuntu right next
thing tomorrow :) ). 
The bug can be reproduced reliably - Heise Security, a German IT company, has a
site which can be used to test some common privacy/security gaps in browsers and
e-mail programs. 
By visiting this site 
http://www.heise.de/security/dienste/emailcheck/demos/go.shtml?mail=webbug
you can have a simulated web-bug sent to via e-mail. (Sorry, I know it's in German)
Upon entering you mail address, they'll send a mail asking for confirmation, and
after that send the mail containing the image.
Despite having "block images" activated, the image is shown when displaying the
message.

The mail contains the following enlightening text (I'll translate):
This is the requested testmail containing the web-bug. It contains the order to
remotely load the heise-Security-Logo from our server. 
(snip bit in the middle)
Mozilla Thunderbird currently contains a bag which causes remote loading of
images, if they're embedded as the background of a page or a (table?
spreadsheet?), even if block image is selected.
"Dies ist die angeforderte Testmail mit dem Web-Bug. Sie anthält die Anweisung,
das heise-Security-Logo von unserem Server nachzuladen. 
Mozilla Thunderbird enthält derzeit einen Bug, dass Bilder nachgeladen werden,
wenn sie als Hintergrund der Seite oder einer Tabelle eingebunden sind, obwohl
das Nachladen abgeschaltet ist."

Since this feature can be used to positively identify live e-mail accounts, I
think it is highly desirable to get rid of it. After all, Thunderbird is
supposed to help me reclaim my mailbox, and not fill it with additional spam.

Sorry if I'm making a mess of this or causing unnecessary trouble, but this is
my first bug report. I tried to follow the guidelines as well as I could.

Comment 7

13 years ago
Thanks for the pointer to that interesting tool.  I tried it out (under Win2K) 
but:
 - With TB 1.0+0806 (this is a pre-branch trunk build) the image was blocked 
until I clicked the "Show Images" button.

 - Then, with TB 1.0.6, the image was blocked (only the 'alt' text was 
displayed).  However, I did not get the "images blocked" toolbar or the "show 
images" button when I looked at the message.  Perhaps this is because I'd 
already clicked the Show Images button for this sender, but nothing containing 
heise.de appears in my address book; if there's another whitelist somewhere, I 
don't know about it.

Do either of you (Alex or Kai) have extensions installed that might affect this? 
Try running TB in Safe Mode and see if the symptom still occurs.

Comment 8

13 years ago
Hmm... I'm using the German Version, Thunderbird 1.0.6 (DE); the only extensions
I've installed are Signature Switch 0.8 and Enigmail (DE)0.92.0.

Comment 9

13 years ago
Aaargh... I played around with the message settings for HTML and block images,
and now the image gets blocked.
Right now I can no longer reproduce the bug. But why? 

Comment 10

13 years ago
This may not be platform-dependent: bug https://bugzilla.mozilla.org/show_bug.cgi?id=257302 on Win XP looks (to me) the same, and a spam message (I attached to that bug) is unblocked today with 1.0.7.
QA Contact: front-end

Comment 11

10 years ago
related or even more to bug 336022 derived from bug 179568
or even bug 280716 (bout single image spam or image spam ..)

Updated

10 years ago
Assignee: mscott → nobody
WFM - using Kaie's nice german tool with TB 3.0b2 - default settings I did not touch any of these privacy/HTML settings on tis machine. AS this bug is old. I think we should close it, objections ?
Whiteboard: wfm? try on linux → closeme 2009-03-12
RESO INCO due to lack of response to last question. If you feel this change was made in error, please respond to this bug with your reasons why.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 9 years ago
Resolution: --- → INCOMPLETE
You need to log in before you can comment on or make changes to this bug.