By default, #Thunderbird automatically blocks images in your emails from being displayed -- because many of those images may contain tracking code.
(Sometimes these images are tiny "tracking pixels" you may not even see).
Take your protection one step further by installing #uBlock Origin to block all kinds of unwanted content in your RSS feeds -- it's now an official Thunderbird Add-on: https://addons.thunderbird.net/en-US/thunderbird/addon/ublock-origin/
(EDITED FOR CLARITY)
@thunderbird why would any image viewing software treat bytes in an image stream as code and then execute it? Really, I'm asking how do "tracking pixels" work?
@kaiengert Thanks. So it's considered a "good thing" in some circumstances and the clients which render the data streams as images look for these little packets of data and execute them? Bonkers. Personally speaking I'd like image rendering software which did just that, then we wouldn't ever need to block these little bits of crap.
@JohnDal the point is that images referenced in an email can be stored on a server that the sender of email controls, which allows the sender of the email to see (in log files) whenever an image was loaded. If the sender of the email uses a different image address for each email recipient, and the sender kept a list of email addresses and related image addresses, then the sender can learn which email recipient has loaded an image, and thereby learn that the email was read.
@kaiengert Thanks Kai. After a working life writing software, this all FEELS very flaky. I'll have a read up on it I think.
@JohnDal @thunderbird they are not: usually tracking pixels are embedded as white/transparent images of 1x1 size, embedded in the HTML mail body using an <img> tag, and therefore they are loaded via a remote URL. Now, this URL is usually associated with a tracking code of some sort; let's say the message contains something like this: <img src="https://my.tracking.com/whitepixels/tracking.png?messageCode=UNIQUEID">: every time an email client loads the message, it can request the image from the remote source, therefore exposing information about the user and effectively tracking the message.
@JohnDal @thunderbird I think TB botched the explanation. The images do not likely contain code. There was a jpg vuln at one point where malicious code in a jpg got executed, but my understanding of tracking pixels is that an image 1 pixel big is on a server with a filename that is /unique to your email msg/. So simply fetching the file is enough to tell the server you opened the msg.
@thunderbird @JohnDal So if my understanding is correct, I don’t think a tracking image can be distinguished from a legit image b/c there’s no way to know if the filename is unique to the msg you received & no way to know if the server is tracking fetches. IMO, mutt offers the best protection. It shows only text.
@JohnDal @thunderbird In principle, you should be able to safely show images that are included in the msg payload while refusing to fetch any msgs from the cloud. Not sure if any MUAs work that way though. It sounds like TB is relying on uBlock to decide what to fetch. But in that case it could only be making guesses based on reputation. But plz correct me if I’m wrong.
@thunderbird @JohnDal #Mutt can be configured to call a /sandboxed/ GUI browser. The sandbox can be #firejail with the --net=none option. So mutt could feed the attached images to the browser but force the browser to run offline. This would give you a way to see all the definitively harmless images while nixing all fetched images to ensure no tracking image exploits you.
@koherecoWatchdog @thunderbird
Now that makes sense. Thanks!
@JohnDal @thunderbird in HTML emails, loading the image as an image means making a request to the server where the image is hosted, and the request can be used to infer information about the user's action on the email (that it was opened at a certain time from a certain IP at minimum, and they often include query parameters to more granularly associate the action to things like user profiles and ad campaigns).
@JohnDal@mastodon.green @thunderbird@mastodon.online tl;dr it's usually just <img src="example.com/tracking.gif?mail_id=bunch_of_data_goes_here">
@JohnDal@mastodon.green @thunderbird@mastodon.online web server gets the data and reports it back to the mailer to show you read the email, usually done to see how many people read promotional emails
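The distinction drawn in the replies above, between images carried inside the message and images that need a fetch from a remote server, can be checked mechanically. The following is an added example, not code from any participant in the thread or from Thunderbird; the sample message is constructed (only the tracking URL is the one quoted above), and the names `classify` and `audit` are hypothetical.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample message; the tracking URL is the one quoted in the thread.
SAMPLE_EML = """\
From: news@example.com
To: reader@example.org
Subject: constructed sample
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Hello</p>
<img src="cid:logo@example.com" width="120" height="40">
<img src="data:image/gif;base64,R0lGODlhAQABAAAAACw=">
<img src="https://my.tracking.com/whitepixels/tracking.png?messageCode=UNIQUEID" width="1" height="1">
<img src="https://static.example.com/banner.png">
</body></html>
"""

class ImgCollector(HTMLParser):
    """Collect the attributes of every <img> tag in an HTML body."""
    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.images.append(dict(attrs))

def classify(img):
    """embedded = bytes are inside the message; anything else needs a fetch."""
    src = (img.get("src") or "").strip()
    parts = urlsplit(src)
    if parts.scheme.lower() in ("cid", "data"):
        return "embedded"
    # Heuristic only: a 1x1 size or a query string is typical of a pixel,
    # but a plain remote URL can be just as unique per recipient.
    tiny = img.get("width") in ("0", "1") and img.get("height") in ("0", "1")
    return "remote-suspect" if tiny or parts.query else "remote"

def audit(raw_message):
    """Return (verdict, src) for each image in the message's HTML body."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return []
    collector = ImgCollector()
    collector.feed(body.get_content())
    return [(classify(i), i.get("src")) for i in collector.images]

if __name__ == "__main__":
    for verdict, src in audit(SAMPLE_EML):
        print(f"{verdict:15} {src}")
```

Only the `embedded` verdict is safe to render without a network request; `remote` and `remote-suspect` both reveal the open to whoever runs the server, so the split between them is for reporting, not for deciding what to load.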