Why are pictures in my HTML e-mails replaced with ugly warning signs?
"This image has been removed for security reasons."
There are two kinds of images that come with your HTML e-mail: the ones that come attached with the e-mail itself, and others that link to remote sites. Images that are linked to remote sites are considered "unsafe" for the following reasons:
- Spammers can abuse this to validate your e-mail address
- The sender can know instantly if you have read their e-mail or not (privacy concern)
- The remote server learns information about your browser, operating system, and mail server (security concern).
Let's look at these issues in more detail:
Validating your e-mail address
Spammers can (and do) include specially-crafted image tags that contain a "web bug" (usually a 1-pixel transparent image) used to validate that your e-mail address is a live one and that you actually read e-mail sent to this address. When such an image is loaded, a request is sent to the spammer's server, which notes in its database of e-mail addresses that you have, in fact, received and read the spam e-mail they sent. Such addresses are re-sold to other spammers, and the amount of spam you receive is going to grow exponentially.
Verifying that you have read your e-mail
This issue is a privacy concern - if there are images in the e-mail that link to the sender's website, they will know instantly when you have opened and read the e-mail they sent. This can be used against you if for some reason you decide to deny ever receiving that e-mail from the sender - they will have proof that you have received, opened, and read that e-mail.
Finding out information about you
Every time an image is loaded from the remote server, the request leaves a log entry describing what type of system you are using, including the version of your browser, your Internet IP address, and information about your mail server and the software running on it. This information can be used to carry out attacks on your computer or on the server where SquirrelMail runs.
Images in e-mail can also be used to auto-execute cross-site scripting code in an attempt to trick your browser into revealing your account information to crackers with malicious intent.
For these reasons SquirrelMail does not display these "unsafe" images by default, but instead shows you a warning sign. If you know that the e-mail came from a trustworthy source, you can use the Unsafe Image Rules plugin to view images from that particular sender.
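As an added illustration of the behaviour described above (example code, not SquirrelMail's own), the following Python rewrites every remote image reference in an HTML body to a local warning image while leaving attached "cid:" images untouched; the placeholder path and the sample message are constructed assumptions.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

WARNING_IMG = "/images/unsafe_image.png"      # hypothetical local warning sign
FETCH_ATTRS = {"src", "background", "poster"}  # attributes that trigger a fetch
SAFE_SCHEMES = {"cid", "data"}                 # attached or inline: no network

def is_remote(url):
    """True when rendering url would contact an outside server (relative URLs too)."""
    return urlsplit(url.strip()).scheme.lower() not in SAFE_SCHEMES

class RemoteImageBlocker(HTMLParser):
    """Re-emits the markup with every remote fetch swapped for WARNING_IMG.
    Comments and doctype are dropped; text and attributes are re-escaped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.blocked = [], 0

    def handle_starttag(self, tag, attrs):
        parts = []
        for name, value in attrs:
            if value is not None and name.lower() in FETCH_ATTRS and is_remote(value):
                value, self.blocked = WARNING_IMG, self.blocked + 1
            parts.append(f' {name}="{html.escape(value)}"' if value is not None else f" {name}")
        self.out.append(f"<{tag}{''.join(parts)}>")

    handle_startendtag = handle_starttag  # <img ... /> gets the same treatment

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=False))

def block_remote_images(body):
    """Return (sanitised HTML, number of remote references blocked)."""
    parser = RemoteImageBlocker()
    parser.feed(body)
    parser.close()
    return "".join(parser.out), parser.blocked

# Constructed sample: one attached logo, one tracking pixel, one background.
SAMPLE_BODY = (
    '<p>Hello &amp; welcome</p><img src="cid:logo@mail" alt="logo">'
    '<img src="http://tracker.example/px.gif?u=a@b" width="1" height="1">'
    '<table background="https://tracker.example/bg.png"><tr><td>x</td></tr></table>'
)
```

Running `block_remote_images(SAMPLE_BODY)` blocks the pixel and the background (two remote references) while the attached logo keeps its cid: reference.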