I had an email in my spam folder. I clicked on the spam folder to see what was in it, and eM Client highlighted the first email by default and the email then tried to call out to a URL (Malwarebytes blocked it). Why is this the default behavior? Nothing in an email should run especially if the email is in the spam folder. If anything, you should get a message saying like ‘email is trying to do X, do you want to allow it?’ I didn’t have ‘always download pictures’ or any of that set for that email. No idea how many other spam emails do that and malware didn’t catch.
That’s the point. eM Client should not allow an email to do anything, especially in the spam folder. That leaves you open for all kinds of stuff. No way a spam email should be able to call out to any website or anything. You want malware/viruses. That’s how you get it, regardless of how ‘safe’ you think you are.
The setting is already there to disable loading of external content, or linking to an external address. Certainly it was there long before this thread was opened.
Go to Menu > Tools > Settings > Mail > Privacy, and choose your preference.
The first option will block all external content unless the sender is in your white-list. This is the default setting. If content is still being downloaded, check that the sender is not in the list.
Hi Gary! Does that setting prevent code hidden in the body of the email itself from executing? I still think the default behaviour could avoid all this.
It actually blocked it. Here are the details of the block
And I have ‘Block Unsafe Content’ set in eM Client. I don’t have this host set up as a whitelist.
The way eM Client is allowing this to happen, if your malware/antivirus/firewall isn’t catching it, then they can set it up so it reports back showing it’s a valid email address, etc.
Give us an option to block all outgoing connections from a Spam email or at least give us a pop up that says ‘email is trying to connect to… allow it? Yes/No’
I wish I would have kept the email. I freaked out because of the malware trigger. After I deleted it I was like, damn it… should have kept it to send in for analyzing. I have been cautious since then and when I see I have any spam emails I don’t click on the folder in eM. I just go straight to Gmail since Gmail doesn’t trigger the message when clicking on the folder.
Thank you for reporting it. If the option “display unsafe content” is disabled, then it shouldn’t be possible that downloading on an email body would enable “connection” to the external address. If it happens again, please send me the .eml to [email protected] and we’ll further investigate it.
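As an added example (not part of the thread and not eM Client's code), this Python script lists the remote URLs an HTML renderer would fetch automatically when a saved .eml is displayed, which is the kind of reference the external-content setting discussed above is meant to block. The sample message and all hostnames are constructed, and only inline `style` attributes are scanned for CSS, not `<style>` blocks.

```python
import re
from email import message_from_string, policy
from html.parser import HTMLParser

# (tag, attribute) pairs a renderer fetches on display, without any click.
AUTO_FETCH = {("img", "src"), ("script", "src"), ("iframe", "src"),
              ("link", "href"), ("source", "src"), ("video", "poster"),
              ("body", "background"), ("table", "background")}
CSS_URL = re.compile(r"url\(\s*['\"]?([^'\")\s]+)", re.I)
REMOTE = re.compile(r"(https?:)?//", re.I)  # absolute or protocol-relative

# Constructed sample message; every address and host is a placeholder.
SAMPLE_EML = """\
From: sender@example.invalid
To: user@example.invalid
Subject: constructed sample
Content-Type: text/html; charset="utf-8"

<html><body>
<a href="http://links.example.invalid/offer">click</a>
<img src="http://track.example.invalid/o.gif?id=user%40example.invalid" width="1">
<div style="background:url('https://cdn.example.invalid/bg.png')">hi</div>
<img src="cid:logo@local">
</body></html>
"""

class RemoteRefFinder(HTMLParser):
    # Collects URLs that would be requested just by rendering the HTML.
    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            value = (value or "").strip()
            if (tag, name) in AUTO_FETCH and REMOTE.match(value):
                self.refs.append((tag, name, value))
            elif name == "style":  # inline CSS can also pull remote images
                self.refs += [(tag, "css-url", u)
                              for u in CSS_URL.findall(value) if REMOTE.match(u)]

def remote_refs(eml_text):
    # Returns (tag, attribute, url) for each auto-loaded remote reference.
    msg = message_from_string(eml_text, policy=policy.default)
    finder = RemoteRefFinder()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            finder.feed(part.get_content())
    return finder.refs
```

Ordinary `<a href>` links and `cid:` attachments are not reported, because neither causes a network request until the user acts or at all.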
The default behavior is to block unsafe content even when the message is in focus.
Or so it would seem. When I tested this function, I did not find any exception like what Scott mentions. It is difficult to say what happened with him unless some sample can be provided for eM Client to test.
Yes … but not giving focus to the message (any message) would give users the chance to empty the junk folder without viewing *any* messages - regardless of the subsequent behaviour. Or are we at cross purposes here?
So the difficulty here is the message preview. Clicking on the message in the message list is going to display something in the preview pane. That might or might not include remote content depending on your settings. But you can turn that off.
The question then is, if that pane is not visible, will it have the same effect, i.e. retrieving content? Or will you be able to scan the message list of your Junk for those odd hams without the chance of unexpected connects to the Internet.
My testing says it is safe either way.
It does require some testing by eM Client, but for them to do that, they need a sample that ignores the privacy settings. Maybe Scott will get another.
Ideally, it would be great if, when we click a folder (i.e. spam), it doesn’t highlight the first email (which then opens the email). This way we can look at the emails in the spam folder and not actually have an email even open.
This is the way that gmail functions. This way we can still have the message pane functionality but not trigger the email.
Gmail functionality - folder is clicked, no email is open
eM Client functionality - folder is clicked, first email is automatically opened
The scary part is if malware/firewall/antivirus doesn’t catch it, I don’t know 100% if it has code in the email.
I removed the filter for lmbcustomers, so let’s hope they send me another spam email (I can’t believe I’m hoping for spam email lol)
Gmail does not have a message preview pane open until you click on the message in the list, and then the list disappears leaving only the message preview. eM Client went with a different implementation.
It’s been a while since I’ve used Thunderbird, but I don’t remember this automatic focus-grabbing happening.
As to disabling the message preview panel … it appears to be a *global* function. Any chance of making it configurable on a per-folder basis (i.e. manually disable on any Spam folders)? Wouldn’t that solve the problem?
Or … another idea … use a hotkey to show/hide the preview panel. Is there already one, by any chance, that I’ve missed?