2.49 KB, message/rfc822
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.6) Gecko/20050404 Firefox/1.0.2 Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.6) Gecko/20050404 Firefox/1.0.2 I recieved a spam email with a remote image that was not blocked by Thunderbird. I think it's because the HTML used BASE HREF="..." then a relative path in the IMG tag. Reproducible: Always Steps to Reproduce: 1. Recieve this email 2. Look at email without clicking "Show Images" button. Actual Results: I could see the picture. Expected Results: I should not have seen the picture without clicking "Show Images"
I could not reproduce: the image was correctly blocked when I viewed this mail. I tried on Windows, not Linux, but I can't imaging that makes a difference.
Assignee: dveditz → mscott
Component: Security → Mail Window Front End
QA Contact: thunderbird
Whiteboard: wfm? try on linux
Almost forgot. I'm using TBird "version 1.0 (20050205)" (according to Help Box)
Attachment #180306 - Attachment mime type: application/octet-stream → message/rfc822
The image was blocked for me with TB 1.0.2 and TB 1.0+0603, Win2K. Alex, are you sure you haven't added the sender to your whitelist?
I haven't intentionally added anyone to my whitelist.
I can confirm this bug. I am using Thunderbird Version 1.0.6 on a system running Windows XP. (No service packs installed; I'm switching to Ubuntu right next thing tomorrow :) ). The bug can be reproduced reliably - Heise Security, a German IT company, has a site which can be used to test some common privacy/security gaps in browsers and e-mail programs. By visiting this site http://www.heise.de/security/dienste/emailcheck/demos/go.shtml?mail=webbug you can have a simulated web-bug sent to via e-mail. (Sorry, I know it's in German) Upon entering you mail address, they'll send a mail asking for confirmation, and after that send the mail containing the image. Despite having "block images" activated, the image is shown when displaying the message. The mail contains the following enlightening text (I'll translate): This is the requested testmail containing the web-bug. It contains the order to remotely load the heise-Security-Logo from our server. (snip bit in the middle) Mozilla Thunderbird currently contains a bag which causes remote loading of images, if they're embedded as the background of a page or a (table? spreadsheet?), even if block image is selected. "Dies ist die angeforderte Testmail mit dem Web-Bug. Sie anthält die Anweisung, das heise-Security-Logo von unserem Server nachzuladen. Mozilla Thunderbird enthält derzeit einen Bug, dass Bilder nachgeladen werden, wenn sie als Hintergrund der Seite oder einer Tabelle eingebunden sind, obwohl das Nachladen abgeschaltet ist." Since this feature can be used to positively identify live e-mail accounts, I think it is highly desirable to get rid of it. After all, Thunderbird is supposed to help me reclaim my mailbox, and not fill it with additional spam. Sorry if I'm making a mess of this or causing unnecessary trouble, but this is my first bug report. I tried to follow the guidelines as well as I could.
Thanks for the pointer to that interesting tool. I tried it out (under Win2K) but: - With TB 1.0+0806 (this is a pre-branch trunk build) the image was blocked until I clicked the "Show Images" button. - Then, with TB 1.0.6, the image was blocked (only the 'alt' text was displayed). However, I did not get the "images blocked" toolbar or the "show images" button when I looked at the message. Perhaps this is because I'd already clicked the Show Images button for this sender, but nothing containing heise.de appears in my address book; if there's another whitelist somewhere, I don't know about it. Do either of you (Alex or Kai) have extensions installed that might affect this? Try running TB in Safe Mode and see if the symptom still occurs.
Hmm... I'm using the German Version, Thunderbird 1.0.6 (DE); the only extensions I've installed are Signature Switch 0.8 and Enigmail (DE)0.92.0.
Aaargh... I played around with the message settings for HTML and block images, and now the image gets blocked. Right now I can no longer reproduce the bug. But why?
This may not be platform-dependent: bug https://bugzilla.mozilla.org/show_bug.cgi?id=257302 on Win XP looks (to me) the same, and a spam message (I attached to that bug) is unblocked today with 1.0.7.
related or even more to bug 336022 derived from bug 179568 or even bug 280716 (bout single image spam or image spam ..)
WFM - using Kaie's nice german tool with TB 3.0b2 - default settings I did not touch any of these privacy/HTML settings on tis machine. AS this bug is old. I think we should close it, objections ?
Whiteboard: wfm? try on linux → closeme 2009-03-12
RESO INCO due to lack of response to last question. If you feel this change was made in error, please respond to this bug with your reasons why.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 9 years ago
Resolution: --- → INCOMPLETE
You need to log in before you can comment on or make changes to this bug.