Roundcube Webmail: SVG feImage bypasses image blocking to track email opens(nullcathedral.com)
79 points by nullcathedral 4 hours ago | 8 comments
smelendez 2 hours ago
I often think the best way to defeat email open tracking would be for a mainstream email client to prefetch every image when a non-spam email is received and cache it for 72 hours or so.

Every email gets flagged as “opened,” so the flag is meaningless, and recipients can see the images without triggering a tracker.

mzi 2 hours ago
I worked for a short time for an American company. They had periodic phishing test from Mitnick. The links in those emails was not to be clicked as it would trigger a mandatory training. The emails also had a header saying they were a phishing test, so I deleted all those emails in a filter.

The company also ran a mail filter called Baracuda or something similar that followed links in emails to see if they were malicious.

I was quite annoyed when I was called to do the mandatory training as "I" had clicked a link (on an email I hadn't seen) and more so when told I had no other recourse than to sit through it.

I resigned shortly afterwards.

mmh0000 2 hours ago
Some of the big providers already do this, notably Apple and Gmail:

https://www.litmus.com/blog/gmail-prefetching-images

BobbyTables2 52 minutes ago
That still provides “human” vs “bot” feedback to the sender.

An automated system processing emails isn’t going to be fetching images or rendering attached SVGs.

pixl97 9 minutes ago
I mean I don't think that's exactly true in the age of LLMs.
gigel82 8 minutes ago
That is still signal that the email address is valid. I'd prefer something like the server immediately sending a SMTP 550 5.1.1 (unknown recipient error), for anything that's immediately recognized as spam (or marked as spam in the past by the user). That gives no signal at all and might even persuade some scammers to remove your email address from their list.
Saris 2 hours ago
I think this is what icloud does. Seems like an easy way to make tracking useless if every client did it.
jszymborski 38 minutes ago
Too bad CORS doesn't fix this. It would be awesome to be able to sandbox a page completely.
Avamander 2 hours ago
SVGs are just the tip of the iceberg of how hard it is to sanitize email content. There aren't any purpose-built good libraries for email sanitization either. Something that would handle SVG, CSS, HTML, everything.
Galanwe 3 hours ago
Nice catch!

I am trying to read as less _online_ as possible nowadays. I essentially have dovecot in my crontab, and read it off roundcube. It's been working great, RoundCube is dead simple to setup and use, the UI and search are very fast.

jonathanlydall 2 hours ago
Slightly related, but fraudsters love using .svg attachments, typically the mails purport to be for an invoice which you need to log into your Microsoft account to be able to “securely” view.

I’m not sure if Exchange Online doesn’t scan them or something, but I landed up making a rule which blocks all emails with either .svg or .htm(l) attachments and to notify me when blocked.

Happens a couple of times per month for the our small company, no false positives yet.

michaelteter 2 hours ago
Not disputing the article, nor insinuating that there's some ulterior motive, but it's curious that this blog has only one post; and the About page suggests a lengthier history (with references to what would have been previous posts).
nullcathedral 2 hours ago
Author here! Are you referring to the "What’s inside this vendor’s VMware images?" on the about page? That is merely an illustration of what goes on inside my head. This is the first article on my blog.
michaelteter 1 hour ago
Yes, those were the suggestions which made me think there was a disparity between the About and the posts (or lack thereof).

Best of luck to you on your blog. I would suggest you also add a "welcome to my blog" post where you give a little background about why you're writing the blog and what kinds of content readers can hope to see in the future. There's no denying that you have little content, so you might as well make it clear to readers _why_ that is. Plus, it sets them up to be interested to see what's coming next.

nullcathedral 1 hour ago
Good suggestion! Thanks. I'll go write up a welcome post soon :)
stragies 3 hours ago
Hmm, I wonder, if roundcube was the exception (w.r.t feImage), or if soon other webmail clients will need to be patched
nullcathedral 2 hours ago
Author here! I have looked at Thunderbird. I'll go and look at some others as well, should have probably done that earlier.
zimpenfish 2 hours ago
I wouldn't vouch 100% for my PHP understanding but it looks like SnappyMail removes `<svg>` elements entirely (`BuildHtml` in `snappymail/v/2.38.2/app/libraries/MailSo/Base/HtmlUtils.php`)
1 hour ago