Emails Contacting Websites

eM Client is allowing spam email to call home.
I have just installed Malwarebytes and it is reporting a mass of emails are calling websites which it is blocking. Surely eM Client shouldn’t be allowing this to happen?

You could try blocking unsafe content in settings.

I have that selected which is why this worries me. I use Outlook as well and there are never any references to that in Malwarebytes.

I have recently discovered that when you reply to or forward a message that has blocked content, the privacy settings no longer apply and all external content is loaded. So be careful that you don’t accidentally click one of those options.

I too have had issue with “MailClient.exe” connecting to remote adware sites.  Over the last two days, since installing this client to try out, Malwarebytes has blocked MailClient.exe from connecting to four different hosts flagged for toxic adware.  This happened immediately after receiving spam related to that site.  

This is not a misconfigured privacy setting or reply issue.  This is the mail client attempting to connect out when receiving an email and being caught in the act. 

This strange behavior really makes me reluctant to continue using this particular client let alone put any money into it.  

This may be caused by linked content in your incoming mail. Check your privacy settings in Menu > Tools > Settings > Mail > Privacy.

If you choose the first option to block unsafe content, then eM Client will not connect to any remote sites unless you have whitelisted the sender. So if that is still happening clear the sender whitelist, then try again and see what happens.

Unfortunately this is not the case.  As I mentioned above, privacy settings are set to not download anything.  However, the moment an email is viewed, even though images are not downloaded, MailClient.exe DOES call out. 

I installed TinyWall, an extremely simple firewall management utility, and used it to essentially snoop on Mailclient.exe.  I can easily duplicate this issue every time.  If the email is ‘moved’ from an imap account to a local folder and/or viewed in the viewing pane, regardless of privacy settings, Mailclient.exe will attempt to connect to the URLs in the message.  EVERY STINKING TIME.  I can provide screenshots and examples if desired.  Or even better…

Feel free to duplicate my findings yourself.  Install TinyWall (it’s free, and works in tandem with the Windows firewall).  Install EM Client version 7.2.34062.0.  Configure TinyWall to allow only connections to your preferred mail server (so emclient can download your email) and block everything else.  Launch EM Client and wait for an email with HTML in its body.  Open in view pane.  Note no images or other content downloaded and the ‘Download pictures/always download pictures’ links at the top of the body box.  Refresh the ‘blocked connections’ list in TinyWall.  Discover multiple outbound attempts to connect to, it appears, EVERY embedded URL in the message body (both port 80 and 443 depending on if the email body contains http and/or https).  

Let me repeat, in case this wasn’t clear.  Privacy is set to full.  Using a third party firewall, TinyWall (not just Malwarebytes catching connections flagged as adware/virus which is what clued me in the first place) I can duplicate this issue for every URL laden email I receive.  View the email in the view pane, TinyWall stops (and logs) Mailclient attempting to connect to, it appears, ALL of the URLs encoded in the email regardless if it downloads images or “unsafe” content. 

This may be a serious breach of privacy.  Anyone without a firewall blocking Mailclient.exe from connecting out is potentially letting spammers know their spam is reaching a warm body.  

I intend to install Wireshark later and capture what this client is doing,  This was just a quick and dirty ‘it’s up to something I want stopped’ that at least partially validated my concerns.  

If Wireshark reveals Mailclient.exe IS grabbing specific URLs, that it’s performing an actual HTTP transaction of any kind even when supposedly configured not to, then it absolutely has violated the privacy of every spam recipient currently using it. Including myself.  If my concerns pan out then, in the roughly 48 hour window I used this client before I took measures to protect myself, EM Client informed at least 20-30 spammers various email addressed of mine are still monitored. 

Which would make me very angry if true. 

It’s bad enough to catch spam at addresses used to sign up to tech sites and so forth someone scraped off the internet years ago, but to validate those addresses are live is like swimming shark infested waters and tossing a bucket of blood in with your body. 

If it was legal to hunt down and shoot spammers, even if they could shoot back, I’d be out in the field right now armed for bear.

I’m sorry, I forgot to mention this was with a completely empty white-list.

I am not able to reproduce this. If you have a Pro License I suggest you open a support ticket with eM Client.

Update in this issue.

Installed Wireshark and captured some examples of this behavior.  Several observations:

The mailclient.exe application would only attempt to connect to a limited set of specific IP addresses.  I couldn’t determine if there was a particular pattern to the addresses.  Some spam would initiate a connect out, some wouldn’t.  Those that DID, if any other spam with the same URLs, or rather, with URLs that resolved to the same destination IP, would also initiate a connect out.  This only happened if the email was unread, and sometimes when a message was moved from an imap account to a local folder.  Setting the email back to unread, then re-reading the message, did NOT result in additional connect attempts.  This is especially suspicious in my opinion.

As far as the specifics of what was captured:  When this connect out occurred mailclient.exe would initiate multiple connections (multi-threading for performance reasons most likely) simultaneously.  In almost every case the client would perform the following HTTP GET requests:

GET /
GET /apple-touch-icon.png
GET /apple-touch-icon-precomposed.png
GET /favicon.ico

Due to timing these would occur in no particular order, I list them here quasi-alphabetically for convenience sake. 

The data doesn’t appear, as best I can tell, to expose any personally identifiable information.  BUT, that’s assuming the spam doesn’t use a per-recipient encoded host in the URL.  Ie, register the domain ‘emclientspamcatch.org’ set up wildcard DNS, then spam email with URLs that include a unique key as part of the hostname.  This would easily identify the recipient and compromise their privacy.

I’m 50/50 this is malicious on the part of the people that made this client.  I suppose it’s possible there’s Apple specific code in their code base that is, under certain circumstances, causing the client to reach out even when it’s not supposed to.  In any case: 

Please be advised if you use this client you are at risk of exposing yourself to people who would almost certainly take advantage of the situation.  

This needs addressing immediately, yet there doesn’t appear, as best I can find, any way to bring it directly to the attention of the people that make this software.  

For those skeptical, here is a wireshark capture of one email ‘viewed’ using EM Client.  This was with no other application running at the time other than Windows itself, wireshark of course, and sundry system-tray related applications (including TinyWall which was set to ‘allow all’ mode, and Malwarebytes which did not consider this activity malicious).  You will need Wireshark, or a pcap library driven application, to deconstruct the data (tcpdump for example can do this for those familiar with Linux).

I find it a bit frustrating that being a ‘free’ customer there’s no ‘your stuff is broke’ contact available and suspect the people that maintain this software only rarely check in with these forums.  The fact that the other posts regarding this particular issue received no official attention nor (apparently) a stealth fix suggests either it IS deliberate, the programmers are incompetent, or they simply don’t care.  Which boggles the mind, because if I can figure this out without actually reverse engineering the software, if actual harm occurs to someone using this product due to their identity being compromised it would be relatively simple for a digital forensic specialist to reverse engineer the application and figure out why it’s doing this.  Whether it’s deliberate or incompetence someone would (likely, IANAL) be on the hook for damages.  This specialist might find code in libcef.dll responsible for this issue and have some pretty hard questions for the people responsible.

Screen shot of TinyWall blocking Mailclient when I viewed a spam email here.  Unfortunately I don’t remember specifically which message this was or I’d include its content, or at least a sample URL.  I’ll collect more of these tomorrow if there is any interest.

I am the OP of this problem. To be fair to eM Client after I posted the issue I did get an email from Juraj Micek asking if he could do a TeamViewer session but I didn’t follow it up.
I am glad somebody else has seen the problem though, sometimes when you see this sort of thing and nobody else does you cn think you re going mad!
Perhaps eM Client will follow up now?

Hi Jeff, Justin,

Thank you for posting this. We’ll investigate the issue and let you know what we find out. If you have additional information regarding it, please contact me directly at: markosky@emclient.com.

Russel

You can try disabling downloading avatars from external resources in Settings -> Contacts. 

This appears to be the issue.  Disabling the download avatars option stops MailClient.exe from calling out to the spam site URLs embedded in email.  I’ve tested roughly 100 messages, albeit with probably only 20 or so unique URLs in their bodies.  ~50 with download avatars off, no call outs, ~50 with it on, call outs.  I captured a few transactions and it’s the same requests for apple icons and etc. 

I have had no success in figuring out what specifically in the email is triggering the call-out.  There doesn’t appear to be any avatar or icon specific tag embedded in the email that might generate connect attempts.  But I can’t say for certain that EM Client is representing the complete, raw message, as delivered to my email server when viewing the message source.

So it seems there may be a disconnect between the idea of protecting identity by preventing downloads of embedded images versus doing essentially the exact same thing for ‘avatars.’  This is a pretty big mistake.  One that anyone with ill intent could abuse.  Based upon the few posts on the forums (of which this thread is one) it seems this has been an issue with the client for some time which increases the odds it’s already being exploited. 

Digging around the EM Client documentation/web site the only reference I’ve been able to find regarding avatars is specific to ‘Gravatar.’  As I mentioned above I did not find anything that resembled a Gravatar formatted link.  However, if EMClient supports this specification and attempts to retrieve ‘avatar’ images encoded with a email specific hash a spammer could easily craft recipient distinct avatar URLs.  Such links would effectively tag spam to ‘call home’ when viewed by an EM Client user regardless if they’ve chosen to “block unsafe content.”  Furthermore, even if not exploiting a ‘HASH’ based URL a spammer could still leverage the hypothetical wildcard DNS method I mentioned above.

I suggest anyone concerned verify these findings.  In particular the developers.  Once verified please let the rest of us know so I will stop feeling like I’m reaching into a bear trap every time I use this client to read my email.  It might be a good idea to bind the whole ‘download anything from anywhere other than my mail server’ to that privacy setting.  Whoever thought avatars, icons, or whatever, would be safe to retrieve when an embedded image would not be might want to reconsider, because that’s absolutely ridiculous.  Thanks.

The avatar concept is really nice if you want the pretty interface at full strength, but it will connect to places like the domain server, Gravatar or Google+ and retrieve an image. Best solution is to just disable that and stick with monograms or silhouettes.

There are also situations where the privacy settings are ignored. For example, if you have completely blocked linked content, but you reply to or forward a message that has blocked linked content. In that case the application will load the remote content for the new message. There is no way to disable that.

First: i never had any issues with eM Client, so I never suspected any security issues nor do I have the IT knowledge to look for them.
So for me it is a matter of trust. I must confess that trust just got a heavy blow with this thread. To me avatars are just a gimmik, not a feature. If they cause security issues, they should be eliminated by default. Unsuspecting, non-nerdy users should not be left with the decision to switch them off. Instead there could be a way to switch them on, accompanied by a severe “health warning”.
Maybe I am paranoid, but as the saying goes, “also paranoids have enemies.”
I have sent eM Client on vacation until there is action by eM Client inc. In the meantime I have to make do with Outlook again.

I absolutely agree. The security settings should be at maximum by default, then the user can change them according to their needs. I think that eM Client have some default settings like this so that the new “non-nerdy” user can get the full impact of the application, but without a warning it is dangerous.

I see that as I found several version ago, that the Em Client updates introduce as many issues as they purport to resolve. I am using version 7.0.2882.0. It does not have a setting in contacts for avitars. I use this version which is still buggy as heck when it comes to calendar and contact updating, because the 7.1 version stopping working for me completely for calendars and contacts. 

Your safest bet I think would be to fall back to this version although the databases are different so you’ll have to re-download all of your email from the email server (happens automatically anyway assuming you are not using pop 3).  This will remove the “feature” completely.

I wish the management at Em Client would direct the developers to fix the known issues first before trying to develop more “features”.

The policy over at eM Client is to concentrate on security and bugs before introducing new features. This settings option for avatars is a security option so that users can disable loading external content, but it could be disabled by default as it is not immediately obvious what is being done.

My advice, and I am sure that eM Client Inc. would agree, is that your safest bet is to always use the latest release version.