smelendez3 hours ago
I often think the best way to defeat email open tracking would be for a mainstream email client to prefetch every image when a non-spam email is received and cache it for 72 hours or so.
Every email gets flagged as “opened,” so the flag is meaningless, and recipients can see the images without triggering a tracker.
mzi2 hours ago
I worked for a short time for an American company. They had periodic phishing test from Mitnick. The links in those emails was not to be clicked as it would trigger a mandatory training. The emails also had a header saying they were a phishing test, so I deleted all those emails in a filter.
The company also ran a mail filter called Baracuda or something similar that followed links in emails to see if they were malicious.
I was quite annoyed when I was called to do the mandatory training as "I" had clicked a link (on an email I hadn't seen) and more so when told I had no other recourse than to sit through it.
I resigned shortly afterwards.
mmh00002 hours ago
Some of the big providers already do this, notably Apple and Gmail:
BobbyTables227 minutes ago
That still provides “human” vs “bot” feedback to the sender.
An automated system processing emails isn’t going to be fetching images or rendering attached SVGs.
Saris2 hours ago
I think this is what icloud does. Seems like an easy way to make tracking useless if every client did it.
jszymborski13 minutes ago
Too bad CORS doesn't fix this. It would be awesome to be able to sandbox a page completely.
Avamander2 hours ago
SVGs are just the tip of the iceberg of how hard it is to sanitize email content. There aren't any purpose-built good libraries for email sanitization either. Something that would handle SVG, CSS, HTML, everything.
Galanwe3 hours ago
Nice catch!
I am trying to read as less _online_ as possible nowadays. I essentially have dovecot in my crontab, and read it off roundcube. It's been working great, RoundCube is dead simple to setup and use, the UI and search are very fast.
jonathanlydall2 hours ago
Slightly related, but fraudsters love using .svg attachments, typically the mails purport to be for an invoice which you need to log into your Microsoft account to be able to “securely” view.
I’m not sure if Exchange Online doesn’t scan them or something, but I landed up making a rule which blocks all emails with either .svg or .htm(l) attachments and to notify me when blocked.
Happens a couple of times per month for the our small company, no false positives yet.
michaelteter2 hours ago
Not disputing the article, nor insinuating that there's some ulterior motive, but it's curious that this blog has only one post; and the About page suggests a lengthier history (with references to what would have been previous posts).
nullcathedralop2 hours ago
Author here! Are you referring to the "What’s inside this vendor’s VMware images?" on the about page? That is merely an illustration of what goes on inside my head. This is the first article on my blog.
michaelteteran hour ago
Yes, those were the suggestions which made me think there was a disparity between the About and the posts (or lack thereof).
Best of luck to you on your blog. I would suggest you also add a "welcome to my blog" post where you give a little background about why you're writing the blog and what kinds of content readers can hope to see in the future. There's no denying that you have little content, so you might as well make it clear to readers _why_ that is. Plus, it sets them up to be interested to see what's coming next.
nullcathedralopan hour ago
Good suggestion! Thanks. I'll go write up a welcome post soon :)
stragies3 hours ago
Hmm, I wonder, if roundcube was the exception (w.r.t feImage), or if soon other webmail clients will need to be patched
nullcathedralop2 hours ago
Author here! I have looked at Thunderbird. I'll go and look at some others as well, should have probably done that earlier.
zimpenfish2 hours ago
I wouldn't vouch 100% for my PHP understanding but it looks like SnappyMail removes `<svg>` elements entirely (`BuildHtml` in `snappymail/v/2.38.2/app/libraries/MailSo/Base/HtmlUtils.php`)
[deleted]an hour agocollapsed