Inadvertent OS X Mail Loading of Images in SPAM

Hello! I'm David Schuetz.
This is where I ramble about...stuff.


Tags: bug, osx, security

I just noticed an interesting bug. I got a SPAM email (which I fortunately get far fewer of today because of SpamHero). As I usually do when a SPAM leaks through, I forwarded it to SpamHero so they can use it to improve their filters.

Less than a minute after forwarding the email, I received another copy of virtually the same SPAM. Dutifully, I forwarded it again, but this time I noticed something strange: Though the Mail application identified the email as SPAM (and thus refused to load embedded images), the email as incorporated into the forwarding message window did load the images.

[Screenshot: Inconsistent avoidance of SPAM images]

It’s a commonly repeated security recommendation that one shouldn’t load images by default when reading email, especially for suspicious messages, because the URLs for those images may be used for multiple potentially nefarious purposes. For one, the sender can use the image request to verify “Yes, this email address worked!” and then send more SPAM your way. Obviously we don’t want that to happen.

The irony is that the very act of forwarding the message to the filtering service may in fact be hurting, rather than helping. In this case, the URL was exactly the same in both emails, and didn’t appear to be uniquely created to help track which messages were successfully delivered.

Unfortunately, I’m not sure there’s an easy way to prevent this from happening (other than Apple changing the app’s behavior).
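Nothing below changes how Mail renders a quoted message, but as an added example (not code from the original post, nor anything Apple ships) the script shows what the client sees: it lists the remote image URLs in a message's HTML part and rewrites a copy so that neither a quoting client nor a downstream recipient fetches them. The sample message, its addresses and the data-removed-url attribute are constructed for illustration.

```python
import email
import re
from email import policy

# Constructed sample (not from the original post): a multipart message whose
# HTML part references two remote images and one inline (cid:) image.
SAMPLE_EML = b"""\
From: offers@example.invalid
Subject: You have won
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Click here to claim.
--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>Click <a href="http://example.invalid/claim">here</a>.</p>
<img src="http://example.invalid/img/logo.png" width="1" height="1">
<img src="cid:inline-logo"> <img SRC='https://tracker.example.invalid/p.gif'>
</body></html>
--b1--
"""

# src of an <img> tag pointing at an http(s) URL; cid: references are parts
# already inside the message, so rendering them causes no network fetch.
IMG_SRC_RE = re.compile(r'(<img\b[^>]*?\bsrc\s*=\s*)(["\']?)(https?://[^"\'\s>]+)\2', re.I)


def html_text(raw: bytes) -> str:
    """Decoded text of every text/html part of the message, concatenated."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return "".join(p.get_content() for p in msg.walk() if p.get_content_type() == "text/html")


def remote_image_urls(raw: bytes) -> list:
    """Every remote image URL a client would fetch when rendering the message."""
    return [m.group(3) for m in IMG_SRC_RE.finditer(html_text(raw))]


def neutralize_remote_images(raw: bytes) -> bytes:
    """Copy of the message with remote <img src> URLs blanked; the original URL is
    kept in a data-removed-url attribute so a filtering service can still read it."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            html = IMG_SRC_RE.sub(lambda m: f'{m.group(1)}"" data-removed-url="{m.group(3)}"',
                                  part.get_content())
            part.set_content(html, subtype="html")  # re-encodes the part in place
    return msg.as_bytes()
```

Run `remote_image_urls` on a saved .eml to see which hosts would be contacted; `neutralize_remote_images` produces the copy to attach or quote instead of the original.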