Update in this issue.
Installed Wireshark and captured some examples of this behavior. Several observations:
The mailclient.exe application would only attempt to connect to a limited set of specific IP addresses. I couldn’t determine if there was a particular pattern to the addresses. Some spam would initiate a connect out, some wouldn’t. Those that DID, if any other spam with the same URLs, or rather, with URLs that resolved to the same destination IP, would also initiate a connect out. This only happened if the email was unread, and sometimes when a message was moved from an imap account to a local folder. Setting the email back to unread, then re-reading the message, did NOT result in additional connect attempts. This is especially suspicious in my opinion.
As far as the specifics of what was captured: When this connect out occurred mailclient.exe would initiate multiple connections (multi-threading for performance reasons most likely) simultaneously. In almost every case the client would perform the following HTTP GET requests:
Due to timing these would occur in no particular order, I list them here quasi-alphabetically for convenience sake.
The data doesn’t appear, as best I can tell, to expose any personally identifiable information. BUT, that’s assuming the spam doesn’t use a per-recipient encoded host in the URL. Ie, register the domain ‘emclientspamcatch.org’ set up wildcard DNS, then spam email with URLs that include a unique key as part of the hostname. This would easily identify the recipient and compromise their privacy.
I’m 50/50 this is malicious on the part of the people that made this client. I suppose it’s possible there’s Apple specific code in their code base that is, under certain circumstances, causing the client to reach out even when it’s not supposed to. In any case:
Please be advised if you use this client you are at risk of exposing yourself to people who would almost certainly take advantage of the situation.
This needs addressing immediately, yet there doesn’t appear, as best I can find, any way to bring it directly to the attention of the people that make this software.
For those skeptical, here is a wireshark capture of one email ‘viewed’ using EM Client. This was with no other application running at the time other than Windows itself, wireshark of course, and sundry system-tray related applications (including TinyWall which was set to ‘allow all’ mode, and Malwarebytes which did not consider this activity malicious). You will need Wireshark, or a pcap library driven application, to deconstruct the data (tcpdump for example can do this for those familiar with Linux).
I find it a bit frustrating that being a ‘free’ customer there’s no ‘your stuff is broke’ contact available and suspect the people that maintain this software only rarely check in with these forums. The fact that the other posts regarding this particular issue received no official attention nor (apparently) a stealth fix suggests either it IS deliberate, the programmers are incompetent, or they simply don’t care. Which boggles the mind, because if I can figure this out without actually reverse engineering the software, if actual harm occurs to someone using this product due to their identity being compromised it would be relatively simple for a digital forensic specialist to reverse engineer the application and figure out why it’s doing this. Whether it’s deliberate or incompetence someone would (likely, IANAL) be on the hook for damages. This specialist might find code in libcef.dll responsible for this issue and have some pretty hard questions for the people responsible.