Re: [trojita] Re: Help for new user

Sat, 15 Jun 2013 01:06:19 -0700 

On Sat, 15 Jun 2013, Thomas Lübking wrote:


Am Samstag, 15. Juni 2013 schrieb David Lang

Just to avoid misunderstandings:
this is not about blocking image attachments (that's not a MUAs job at

all) or rendering attached images inline with textmails, but fetching and
rendering images with html mails that are *not* attached to the mail but
reside on foreign domains.

An image attached to the mail resides at your MSP - it's too late, they

already know you fetched the mail ;-)


Ok, I was misunderstanding the problem.


Ok?
So if you actually "just" want to autofetch and render image attachments
(do you?) with text- or html mails, that bears no threat and the reasonable
setting here would be a size threshold (so you won't wait an hour on a
roaming connection while downloading an 100M image) and oc. not for mails
tagged as spam at all - it's however not what I (nor I think Jan) took the
OPs request to be.

About the tool: my knowledge regarding html mails is pretty much limited to
"avoid them", but i wonder whether searching the body for resp. img tags
would do.



hey, I'm running pine here, images are something I save to open in a different 
tool most of the time :-) however, at $work it's hard to stick to that and I end 
up having to use OWA fairly frequently to deal with HTML messages.



There are image attachements that are not referred to at all in the message and 
require explicit opening.



There are image attachments that are referred to in the message. There should be 
a configuration option to enable opening these by default. These aren't all safe 
(there have been too many exploits of the tools to display the images).



The only way that remotely hosted files are more dangerous is the privacy issue 
that the attacker can tell that you accessed something.



But I don't see this as a horrible risk, it's just too easy to get users to 
click on something for me to say that it's a good idea to not have an option 
that allows such messages to be opened. not enabling it by default is good, but 
having an option to enable it is also good.



It's been a few months since I last tried to run trojita, but now that it's 
possible to do navigation through messages without them getting opened by the 
preview pane, I'll take another look and see exactly how it's behaving now.


David Lang

























					Reply via email to