How are spammers getting images past my no-image default?
March 16, 2023 6:53 PM
I use Thunderbird as my PC mail client. It doesn't allow images to load by default, and I have to allow image loading to let images into my browser. Recently, a lot of spam images have started appearing in my email, with no option to block the remote source. How do I stop this?
I'm partly annoyed because images are getting through, and also because as I understand it, image loading can at the very least ping that the email has been opened (even in preview) and the address is active, leading to even more spam.
I've put the full source of the email here: https://pastebin.com/PcgVffy7
An image of the email is here (now marked as spam, because I did that manually in Thunderbird): https://imgur.com/a/CdZZWEj
Thunderbird doesn't let me view mail as HTML natively, so I can't look at it that way.
How is this happening, and is there something I can do to prevent it?
As the first answer points out, these images are displayed because they are encoded as attachments to the email.
The possibly good news is that means there is no privacy leak, because they are not being served from a remote server. They are in a sense part of the email itself.
Unfortunately there is no menu item that I know of to turn off display of this kind of attachment. If you feel brave, you can go into Settings and find the Config Editor (at the bottom of the General tab), and then find the config item called mailnews.display.html_sanitizer.drop_media and set it to false. This will prevent the display of such images, and they will show up as attachments instead.
posted by i_am_joe's_spleen at 1:01 AM on March 17, 2023 [2 favorites]
View → Display attachments inline.
Not sure whether this would help in this case, because it’s not showing the attachment inline where it appears in the message, but rather because of an img tag in the HTML markup part of the message that references it by its Content-ID. So the html_sanitizer option BobInce mentioned seems more promising.
posted by staggernation at 5:45 AM on March 17, 2023
Oops, I meant i_am_joe’s_spleen, sorry
posted by staggernation at 6:04 AM on March 17, 2023
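The distinction drawn in the answers above, as an added example that is not part of the thread: this Python sketch parses a raw message and labels each img reference as embedded (a cid: reference to a MIME part inside the message, or a data: URI) or remote (fetched from a server, which is what can reveal that the mail was opened). The sample message, its addresses and the function names are constructed for illustration.

```python
import email
from email import policy
from html.parser import HTMLParser

# Constructed sample message (not the poster's email): one image embedded as a
# MIME part and referenced by Content-ID, one fetched from a remote server.
SAMPLE = b"""\
MIME-Version: 1.0
Content-Type: multipart/related; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body><img src="cid:pic1@example.com"><img src="http://tracker.example/o.gif?id=42"></body></html>
--b1
Content-Type: image/png
Content-Transfer-Encoding: base64
Content-ID: <pic1@example.com>

iVBORw0KGgo=
--b1--
"""

class ImgSrc(HTMLParser):
    """Collects the src attribute of every <img> tag."""
    def __init__(self):
        super().__init__()
        self.srcs = []
    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.srcs += [v for k, v in attrs if k == "src" and v]

def classify_images(raw):
    msg = email.message_from_bytes(raw, policy=policy.default)
    # Content-IDs of every MIME part that travels inside the message itself
    cids = {p["Content-ID"].strip("<>") for p in msg.walk() if p["Content-ID"]}
    found = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        parser = ImgSrc()
        parser.feed(part.get_content())
        for src in parser.srcs:
            low = src.lower()
            if low.startswith("cid:"):  # points at a part of this message
                kind = "embedded" if src[4:] in cids else "dangling-cid"
            else:  # data: is inline too; anything else needs a network fetch
                kind = "embedded" if low.startswith("data:") else "remote"
            found.append((kind, src))
    return found
```

Running it over the saved source of a message (for example the bytes of an .eml file) shows which images would require a network request to display.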
I have a wiki in a bookmark using this.
gible, can you explain more what this is? I literally cannot parse what you wrote, and I'm not going to paste that data blob into my browser to see what happens.
posted by intermod at 8:34 AM on March 17, 2023
I use Earthlink for my email and they have the option to turn off all images in email--I haven't had a problem with anything slipping through. They have a robust spam-blocker and I have it set pretty high, so I get very little spam anyway. Emails from folks not on my white list need to be approved before I see them.
posted by agatha_magatha at 9:06 AM on March 17, 2023
Maybe WarnAttachments extension?
https://addons.thunderbird.net/en-us/thunderbird/addon/warnattachment/
posted by kschang at 1:57 PM on March 17, 2023
>gible, can you explain more what this is? I literally cannot parse what you wrote, and I'm not going to paste that data blob into my browser to see what happens.
Intermod; Yes, yes I can.
Like the image in the email, the webpage (the 'wiki') in the link is base64 encoded. The first part data:text/html;base64, tells the browser what it is and how it's encoded. After the comma separator is the data itself. You can decode it with any online base64 decoder. I use these tools a lot. Simply put the data (everything from PGh to D4=) in the top textarea, click the decode button and the decoded data appears in the bottom textarea. Feed it through the HTML beautifier and you get this. The javascript in the head makes the div #c editable - that's how most browser-based WYSIWYG editors work, and the javascript in the link recodes the (updated) html into a new link. Browsers don't let you use data encoded links (e.g. if you try to click on the one in my comment nothing will happen) so the javascript in the link that would normally change the page you're looking at (the window.location=) instead just displays the (new) link as text that you can copy and paste into the address bar to use. You can however use them from, and save them as, bookmarks/favourites/whatever you want to call them.
As for why...it's a folly in progress. I made this extension a long time ago, and by turning that on and visiting the recoded page, it will update the bookmark that the 'wiki' is saved in. I have other code to add that also zips up the encoded page. As it is, I could simply use data:text/html;charset=utf-8 and just have the html code raw in the link and it would be 25% shorter. That requires url-encoding various characters though.
posted by gible at 6:30 PM on March 24, 2023
posted by Nonsteroidal Anti-Inflammatory Drug at 7:01 PM on March 16, 2023 [10 favorites]