Why does viewing email trigger scripts? (especially in spam folder)

I had an email in my spam folder. I clicked on the spam folder to see what was in it, and eM Client highlighted the first email by default and the email then tried to call out to a URL (Malwarebytes blocked it). Why is this the default behavior? Nothing in an email should run, especially if the email is in the spam folder. If anything, you should get a message saying something like ‘email is trying to do X, do you want to allow it?’ I didn’t have ‘always download pictures’ or any of that set for that email. No idea how many other spam emails do that that malware didn’t catch.

Please correct this security issue.

I also find this default behaviour extremely annoying/disturbing.

That could simply be part of the email. Try it with other emails in that box to see if anything funny happens.

That’s the point. eM Client should not allow an email to do anything, especially in the spam folder. That leaves you open for all kinds of stuff. No way a spam email should be able to call out to any website or anything. You want malware/viruses? That’s how you get it, regardless of how ‘safe’ you think you are.

Any chance of a fix for this crazy behaviour??? It’s been five months now.

There could be hidden code or scripts that trigger when the email is viewed. It really is a MAJOR security problem.

The setting is already there to disable loading of external content, or linking to an external address. Certainly it was there long before this thread was opened.

Go to Menu > Tools > Settings > Mail > Privacy, and choose your preference. 

The first option will block all external content unless the sender is in your white-list. This is the default setting. If content is still being downloaded, check that the sender is not in the list. 

Hi Gary! Does that setting prevent code hidden in the body of the email itself from executing? I still think the default behaviour could avoid all this :wink:

As far as I know it does. I did some testing a few years back, and the firewall did not log any activity so I was satisfied.

Only one problem I found was that if you reply to or forward a message that has blocked content, this setting will not apply.

@Gary Curtin - I have that option set and yet, the email still called out to a malware site which triggered my malware blocker. 

So obviously it’s an issue. And no, I didn’t have the sender in the white-list. No, I didn’t have it set to ‘always download content’, any of that.

The fact that the program allowed a spam email to call out to a malware site is pretty scary.

Did the malware blocker detect the link in the message, or did it detect a connection to the site? 

It actually blocked it. Here are the details of the block.

And I have ‘Block Unsafe Content’ set in eM Client. I don’t have this host set up as a whitelist.

The way eM Client is allowing this to happen, if your malware/antivirus/firewall isn’t catching it, then they can set it up so it reports back showing it’s a valid email address, etc.

Give us an option to block all outgoing connections from a spam email, or at least give us a pop-up that says ‘email is trying to connect to… allow it? Yes/No’.

I wish I would have kept the email. I freaked out because of the malware trigger. After I deleted it I was like, damn it… should have kept it to send in for analyzing. I have been cautious since then, and when I see I have any spam emails I don’t click on the folder in eM. I just go straight to Gmail, since Gmail doesn’t trigger the message when clicking on the folder.

I’ll keep an eye out going forward though.

Hi Scott,

Thank you for reporting it. If the option “display unsafe content” is disabled, then it shouldn’t be possible that downloading on an email body would enable a “connection” to the external address. If it happens again, please send me the .eml to [email protected] and we’ll investigate it further.

Russel
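A static check that distinguishes content a mail client fetches on display (images, stylesheets, CSS backgrounds) from plain hyperlinks that only fire on a click, added here as an example and not part of this thread or of eM Client; it reads an .eml with Python's standard library and runs on a constructed sample message (the tag/attribute list and the example.invalid URLs are assumptions).

```python
import email
import re
from email import policy
from html.parser import HTMLParser

# Constructed sample .eml (not a real message): one auto-loading CSS
# background, one 1x1 tracking image, and one ordinary hyperlink.
SAMPLE_EML = b"""From: sender@example.invalid
To: you@example.invalid
Subject: constructed sample
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body style="background:url(https://tracker.example.invalid/bg.png)">
<p>Hello</p>
<img src="https://tracker.example.invalid/open.gif?id=123" width="1" height="1">
<a href="https://shop.example.invalid/deal">Click here</a>
</body></html>
"""

# Tag/attribute pairs a renderer fetches automatically (assumed list).
AUTO_LOAD = {("img", "src"), ("link", "href"), ("iframe", "src"),
             ("script", "src"), ("body", "background"),
             ("table", "background"), ("td", "background")}
CSS_URL = re.compile(r"url\(\s*['\"]?(https?://[^'\")]+)", re.I)


class RemoteRefs(HTMLParser):
    """Collect URLs fetched on display separately from click-only links."""
    def __init__(self):
        super().__init__()
        self.auto, self.click = [], []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if not value:
                continue
            if (tag, name) in AUTO_LOAD and value.lower().startswith("http"):
                self.auto.append(value)
            elif tag == "a" and name == "href":
                self.click.append(value)
            elif name == "style":            # inline CSS: url(...) is auto-loaded
                self.auto.extend(CSS_URL.findall(value))


def scan_eml(raw: bytes) -> dict:
    """Walk every text/html part of the message and classify its remote URLs."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    parser = RemoteRefs()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            parser.feed(part.get_content())
    return {"auto_load": parser.auto, "click_only": parser.click}


if __name__ == "__main__":
    for kind, urls in scan_eml(SAMPLE_EML).items():
        print(kind, urls)
```

Run it against a saved .eml (open it in binary mode) to see which hosts a preview pane would contact before any link is clicked.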

Is it not possible to change the default behaviour to NOT give that window and/or email focus?

The default behavior is to block unsafe content even when the message is in focus. 

Or so it would seem. When I tested this function, I did not find any exception like what Scott mentions. It is difficult to say what happened with him unless some sample can be provided for eM Client to test.

Yes … but not giving focus to the message (any message) would give users the chance to empty the junk folder without viewing *any* messages - regardless of the subsequent behaviour. Or are we at cross purposes here?

So the difficulty here is the message preview. Clicking on the message in the message list is going to display something in the preview pane. That might or might not include remote content, depending on your settings. But you can turn that off.

The question then is, if that pane is not visible, will it have the same effect, i.e. retrieving content? Or will you be able to scan the message list of your Junk for those odd hams without the chance of unexpected connections to the Internet?

My testing says it is safe either way. 

It does require some testing by eM Client, but for them to do that, they need a sample that ignores the privacy settings. Maybe Scott will get another. :wink:

Ideally, it would be great if, when we click a folder (i.e. spam), it doesn’t highlight the first email (which then opens the email). This way we can look at the emails in the spam folder and not actually have any email open.

This is the way that Gmail functions. This way we can still have the message pane functionality but not trigger the email.

Gmail functionality: folder is clicked, no email is open.

eM Client functionality: folder is clicked, first email is automatically opened.

The scary part is if malware/firewall/antivirus doesn’t catch it, I don’t know 100% if it has code in the email.

I removed the filter for lmbcustomers, so let’s hope they send me another spam email (I can’t believe I’m hoping for spam email, lol).

Gmail does not have a message preview pane open until you click on the message in the list, and then the list disappears, leaving only the message preview. eM Client went with a different implementation.

It’s been a while since I’ve used Thunderbird, but I don’t remember this automatic focus-grabbing happening.

As to disabling the message preview panel… it appears to be a *global* function. Any chance of making it configurable on a per-folder basis (i.e. manually disable on any spam folders)? Wouldn’t that solve the problem?

Or… another idea… use a hotkey to show/hide the preview panel. Is there already one, by any chance, that I’ve missed?