MailClient.exe surreptitiously connecting to adware support sites

Software firewall has caught ‘mailclient.exe’ attempting to connect to adware support sites multiple times since installation.  This in spite of having full privacy settings.  This has happened twice so far, once a day for the last two days.  In both cases the emails were crafted almost identically.  Each time, immediately after the email was retrieved from the mail server and a rule applied to move it from imap to a local spam folder, Mailclient.exe made two connection attempts to the specific hosts referenced in the email body.  In both cases the remote IP was identical to the one referenced in the mail body.

This is EXTREMELY disturbing and makes me wonder how many spammers now know my email accounts work, or worse Mailclient has shared something with these remote locations unbeknownst to me, because my firewall didn’t flag a particular attempt.

Assuming someone related to the development of this application reads this post I would really appreciate an explanation if at all possible.  I like the client, but it’s not worth the risk if this software is reaching out to places it shouldn’t even when told not to.

Update on this issue.

Installed Wireshark and captured some examples of this behavior.  Several observations:

The mailclient.exe application would only attempt to connect to a limited set of specific IP addresses.  I couldn’t determine if there was a particular pattern to the addresses.  Some spam would initiate a connect out, some wouldn’t.  For those that DID, any other spam with the same URLs, or rather with URLs that resolved to the same destination IP, would also initiate a connect out.  This only happened if the email was unread, and sometimes when a message was moved from an imap account to a local folder.  Setting the email back to unread, then re-reading the message, did NOT result in additional connect attempts.  This is especially suspicious in my opinion.

As far as the specifics of what was captured:  When this connect out occurred mailclient.exe would initiate multiple connections (multi-threading for performance reasons most likely) simultaneously.  In almost every case the client would perform the following HTTP GET requests:

GET /
GET /apple-touch-icon.png
GET /apple-touch-icon-precomposed.png
GET /favicon.ico

Due to timing these would occur in no particular order; I list them here quasi-alphabetically for convenience’s sake.

The data doesn’t appear, as best I can tell, to expose any personally identifiable information.  BUT, that’s assuming the spam doesn’t use a per-recipient encoded host in the URL.  I.e., register the domain ‘emclientspamcatch.org’, set up wildcard DNS, then spam email with URLs that include a unique key as part of the hostname.  This would easily identify the recipient and compromise their privacy.

I’m 50/50 this is malicious on the part of the people that made this client.  I suppose it’s possible there’s Apple specific code in their code base that is, under certain circumstances, causing the client to reach out even when it’s not supposed to.  In any case:  

Please be advised if you use this client you are at risk of exposing yourself to people who would almost certainly take advantage of the situation.  

This needs addressing immediately, yet there doesn’t appear, as best I can find, any way to bring it directly to the attention of the people that make this software.  

For those skeptical, here is a wireshark capture of one email ‘viewed’ using EM Client.  This was with no other application running at the time other than Windows itself, wireshark of course, and sundry system-tray related applications (including TinyWall which was set to ‘allow all’ mode, and Malwarebytes which did not consider this activity malicious).  You will need Wireshark, or a pcap library driven application, to deconstruct the data (tcpdump for example can do this for those familiar with Linux).

I find it a bit frustrating that being a ‘free’ customer there’s no ‘your stuff is broke’ contact available and suspect the people that maintain this software only rarely check in with these forums.  The fact that the other posts regarding this particular issue received no official attention nor (apparently) a stealth fix suggests either it IS deliberate, the programmers are incompetent, or they simply don’t care.  Which boggles the mind, because if I can figure this out without actually reverse engineering the software, if actual harm occurs to someone using this product due to their identity being compromised it would be relatively simple for a digital forensic specialist to reverse engineer the application and figure out why it’s doing this.  Whether it’s deliberate or incompetence someone would (likely, IANAL) be on the hook for damages.  This specialist might find code in libcef.dll responsible for this issue and have some pretty hard questions for the people responsible.
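The per-recipient-hostname risk described in the post above can be checked for on the receiving side before any client fetches icons or avatars. The following is an added example, not code from the forum post or from eM Client: it extracts the hostnames linked in a constructed sample email body, lists the icon requests the poster observed the client making for each host, and flags DNS labels that look like unique recipient keys. The token heuristic (hex labels of 16+ characters, or long labels with high entropy and a digit share of at least 30%) and the sample domains are assumptions made for the example.

```python
"""Flag per-recipient tracking hostnames in email links.

Added example (not from the forum post or eM Client): given an email
body, list the hosts an avatar/icon-fetching client would contact and
flag hostname labels that look like unique recipient identifiers.
"""
import math
import re
from collections import Counter
from urllib.parse import urlparse

# Paths the original poster observed the client requesting per host.
OBSERVED_PATHS = ("/", "/apple-touch-icon.png",
                  "/apple-touch-icon-precomposed.png", "/favicon.ico")

URL_RE = re.compile(r"https?://[^\s<>\"')\]]+", re.IGNORECASE)
HEX_LABEL_RE = re.compile(r"^[0-9a-f]{16,}$")

# Constructed sample email body; all domains are reserved example names.
SAMPLE_BODY = """\
Dear customer,

Confirm your details here: http://x7f3a9c2b1e4d5f60.tracker-example.test/offer
Special promotion: http://3f2a9c1b7e6d4a0f8b5c.promo-example.test/
Manage alerts: https://customer-notifications.example.com/login
Home page: https://www.example.com/
"""


def extract_hosts(body):
    """Return unique hostnames from http(s) URLs in body, in first-seen order."""
    hosts = []
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname
        if host and host not in hosts:
            hosts.append(host)
    return hosts


def shannon_entropy(text):
    """Bits of entropy per character of text (0.0 for empty input)."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_token(label):
    """Heuristic (assumption): a DNS label that reads like a unique key."""
    if HEX_LABEL_RE.match(label):
        return True
    if len(label) < 16:
        return False
    digit_ratio = sum(ch.isdigit() for ch in label) / len(label)
    return shannon_entropy(label) >= 3.0 and digit_ratio >= 0.3


def suspicious_hosts(body):
    """Map each flagged hostname to the label that triggered the flag."""
    flagged = {}
    for host in extract_hosts(body):
        for label in host.split("."):
            if looks_like_token(label):
                flagged[host] = label
                break
    return flagged


def predicted_requests(body):
    """Requests an icon-fetching client would make for each linked host."""
    return [(host, path) for host in extract_hosts(body) for path in OBSERVED_PATHS]


if __name__ == "__main__":
    flagged = suspicious_hosts(SAMPLE_BODY)
    for host in extract_hosts(SAMPLE_BODY):
        label = flagged.get(host)
        verdict = f"TRACKING? label={label!r}" if label else "ok"
        print(f"{host}: {verdict}")
    for host, path in predicted_requests(SAMPLE_BODY):
        print(f"  would fetch GET {path} from {host}")
```

Run against the sample body, the two hosts whose leftmost label is a hex or digit-heavy random string are flagged, while the long but dictionary-like `customer-notifications` label is not; any flagged host is one where merely rendering or auto-fetching from the message would tell the sender which recipient opened it, so such messages are best kept from any client feature that fetches remote resources. Note that the check is offline and does not resolve names, so it cannot see when several different hostnames share one destination IP, which the poster observed in practice.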

This is downloading the avatars for the sender. Disable avatars in Menu > Tools > Settings > Contacts > Avatars, and that should resolve your issue.

Yes, apologies, I forgot to update this thread.  This was opened before I understood ‘problems’ are essentially ignored.  For anyone concerned about this issue please see this thread for more info.

It’s not that problems are ignored, but sometimes other users do not have a solution.

For those with Pro Licenses, it is better to open a support ticket directly with eM Client. Issues like this one can then be passed to the developers who can make the necessary changes to ensure best possible security.

I have a Pro license for 3 users. The support from the Pro side is equally ineffective. I have tried several times to get support but they take the quickest route to “this is not our problem” as possible even though it clearly is.

I am very concerned about this potential security issue. You would think that there would be a direct mailbox to report potential security issues.

It has not been my experience, as a Pro License user, that eM Client Support is ineffective. While there have been a few users who have voiced their dissatisfaction on this forum, I am sure that the vast majority of Pro License users will agree with me when I say that I have always found Support to be ahead of expectations with their replying to and solving my issues. I am sorry that that is not your experience.

As a Pro License user, the support ticket system is the direct mailbox to report any issues. The staff will pass on your concerns to the developers if it is something that they cannot fix.

I can’t speak to the efficacy of pro support but I think most people would agree purchasing misbehaving software to open a support ticket about the problem is exceptionally counterintuitive.  When I tried contacting sales to bring this issue to an employee’s attention, since there’s NO OTHER WAY to do so without paying for the privilege, that’s exactly how they responded.  Buy the software then open a ticket.  Even though I pointed out in the email I wasn’t willing to do so.  No.  I was a little disappointed about that, that some sales guy was either as sharp as a bowling ball or simply did not care to acknowledge the contents of my email, but not surprised.  There is a support email address that I only just discovered, but since trying to get support without a pro license takes you to the forums I assume sending a message there is an exercise in futility.

I’ll buy the software once EM client earns back my trust.  I would have already paid if Malwarebytes hadn’t flagged the application as adware within minutes of its installation.  It’s a good email client, in my humble opinion, that has features I want other clients lack.  And the price is reasonable even though I don’t really need the features licensing unlocks.  It just seems pretty dumb to pay for software that may be doing things behind the scenes (accidentally or not) that puts my identity and/or privacy at risk.

Until I see an official response indicating either I’m an idiot, they made a mistake, or at least an explanation, I’ll continue to run the client in a walled garden and carefully watch everything it does.  

I think that maybe Malwarebytes gave a false positive. From their own website, they describe adware as: “unwanted software designed to throw advertisements up on your screen”. eM Client has never included ads in either the Free or Pro versions.

Unfortunately as a Free License user, you agreed to there being no contact with eM Client Support. Small price to pay for an exceptional application that you can use for personal use only.

I don’t think that an official response is necessary or will be forthcoming as the option is already there to disable avatars downloading from the Internet.

I think Justin makes a very valid point but I believe it goes further. Justin is reporting a potentially serious bug. This is not a typical bug about a feature not working or help on how a feature does work.

It is a potential serious security problem. It seems to me that Em Client would want to take this issue on and determine if this is in fact the case. Who would want to expose their customers to a potentially very serious problem? Does it matter who reported the issue?

As for Pro user support, I have yet to have them solve an issue. A couple of times they wanted me to give them copies of my email database. I wasn’t keen on this because they hire contractors from around the globe it seems. Who would give the entire email database to an unknown character?

Then there is my latest issue. I have posted on this public board and with Pro support.  (Internal server error 500 being caused - it would seem - by malformed communications with the email server).

One message back from them saying to use a different email server even though I have given them the steps to cause the error after hours and hours of my own debugging.  Now it’s crickets.  Some solution.

As I said: Disable avatars in Menu > Tools > Settings > Contacts > Avatars, and that should resolve the issue that Justin is having.

And how do you know that this will completely solve the problem or that this problem doesn’t exist elsewhere?

The point that Justin is making is that he would like someone on Em Client’s payroll to confirm that this is or is not an issue, there is a workaround and that it will be addressed or not in future releases.

Here is another guy that has spent hours debugging Em Client software without so much as a thank you for reporting a potentially serious error. In fact, he was told to buy the software so he could report the issue (only to have it ignored anyway from my experience).

This forum is for support provided by other users, not direct comments from eM Client Inc. If you want a direct response from the company, you need to purchase a Pro License and contact them via the VIP Support ticket system. That is all described in the agreement you accepted when registering for either license.

Maybe Justin can speak for himself. If he disables the settings as I have advised, I am sure that he will no longer have that issue. Only he can comment on that.

Well actually there have been many comments made here by various Em Client employees.

Sure I guess Justin can do more hours of debugging and try at some level to determine if the workaround actually works, or Em Client can take responsibility and debug their own product.

I would forward it for him but since I do not have the version of the Em Client with this problem it would be improper for me to do so.

Sure, employees do occasionally comment on this forum, but that is not guaranteed nor expected. The forum is meant primarily for users to assist users. This is all described in the license agreement.

I will say it again; just disable the selection as I have described, and the application will no longer access the internet for avatars. No debugging is necessary as the option has already been provided in the application settings to disable this access.

Gary, I do appreciate you going to bat for Em Client, don’t really understand it, but it is appreciated especially since you’ve contributed towards figuring out what’s going on.  But you’re, as far as I know, not an official spokesperson for their business. 

Since they are the only ones with the right to know what’s going on under the hood of their software (thank you Microsoft) an explanation isn’t an unreasonable expectation.  That they believe I should pay them for an explanation, when it’s possible once I get that explanation I’ll realize I purchased something I don’t want, is unreasonable. 

Of course, this is all a matter of personal opinion.  I can see your, and their, point of view. 

Here’s my point of view.  To respond, either here or via email, costs them a little time, very little.  Far less than I’ve invested into trying to figure out what their software was up to without violating DMCA. For them to look at their code and determine exactly why their software does what it’s doing even though the implication, based upon the verbiage in their privacy settings, is exactly the opposite, would take a little more time and effort.  But again far less than I’ve already put into this so far.  If I were getting paid to do this, which I have and occasionally still do, I’d charge far more than what they’re asking for a single user license.  But I’ve not demanded any money or any other form of restitution because I’m no idiot and don’t believe in demanding value for work I wasn’t asked to do.  All I’ve asked for are answers to questions which I’m confident anyone following along would agree are reasonable.  I could choose not to put any more time or effort into this, so this speaks loudest as to the quality of their software that I continue to pursue it, because I want to use their client.  I just want to know I can trust it.  That’s in question.  Until they respond in some fashion that’s not going to change.  Not for me.  I’ve done what I can to help them out, and I’ve extended my hand out multiple times because I know what it’s like to be on the other side of this scenario, yet no official explanation.

So I wonder, why not?  Maybe the holidays?  Internal development is so convoluted they can’t get one of their coders on the phone and ask him to poke around?  Everyone on vacation?  Or maybe they’re hoping the entire thing will blow over as things like this often do.  Lose a single customer, no big deal.  Lose ten, still nothing major especially if half of them are freebies.  But if that’s indeed their stance, that’s absolutely the biggest black mark against them.  Which has become the crux of this situation.  It’s not just ‘can I trust their software’ it’s now ‘can I trust the company.’  Which is a far bigger issue than ‘when we added another feature we accidentally compromised security.’  Seriously, how difficult can it be to say something like ‘we made a mistake, sorry, here’s an updated client fixing the issue’ or even ‘working as intended, here’s an updated document explaining the issue and your options’ etc.  Honestly, they should hire you (Gary) to be a PR guy on their forums, assuming you’re not already operating as some form of shill.

Anyways, I’ve been bitten in the past by software I thought I could trust.  Multiple times actually.  Why else would I get so passionate about this?  Because it makes me very angry knowing there are people using this client right now ignorant of the fact that doing so risks their privacy.  You, and I, know, but they don’t.  The only people in the right position to fix this issue are the same people responsible.  Expecting them to act, and not demand me to pay them to do so, seems completely reasonable to me. 

But that’s just my opinion.

Amen.

@Randy Meyer
I only joined this forum to give you a full ACK!

I am not willing to test the emclient app before your questions about that behaviour of the piece of code have been resolved. So if no response will come, I do not test and buy the client.

Thanks for your work.

Greetings from Switzerland
Jürg

As per the license agreement that you accepted by registering your license, you are not entitled to interaction directly with the company while using a Free License.

That being said, eM Client employees do monitor these forums, and occasionally will comment here. That is neither guaranteed nor to be expected. I have written to one employee and asked for them to comment here, so that may yet happen.

Hello all,

In the first place, thank you for reporting this.

As I informed in the original thread, we investigated this issue and came to the conclusion that contacting Gravatar in the background doesn’t pose any security threat. That’s why we keep this option “downloading avatars” ticked as a default setting. If you don’t wish eM Client to contact external sources, please disable the feature just as Gary informed in Menu > Tools > Settings > Contacts > Avatars.

However, we’ll reconsider the default settings while developing the new version and we’ll consider adding information about this background connection.

Russel