Why would someone want to block images in email?

Several reasons:

  • The more content in the email that the client loads and interprets, the greater the possibility that the email will deliver a malicious payload. The relatively recent vulnerability in JPEG 2000 rendering code comes to mind -- merely displaying a malicious image could be dangerous.

  • Images in email are commonly used by spammers and marketers to determine whether or not you've opened an email. This implicitly also tells them whether the email was delivered successfully and whether the destination email address was valid (useful for spammers).

  • Depending on your mail platform, image downloads may tell the sender the user's IP address.

  • Image URLs can theoretically be used to attack a network from the inside. For example:

<img src="http://192.168.0.1/apply.pl?user=admin&password=admin&action=EnableRemoteLogin">

Hopefully an attack like the above would fail, but security folks prefer to limit exposure as much as possible.


I think there are two separate security risks that need to be addressed here:

Images which are actually in the e-mail. As some have touched on, there is inherently a direct correlation between the amount of content you allow your e-mail client to load and the attack surface of your computer while loading that e-mail. If you allow your system to load attachments automatically, it's much more likely that you may come across a malicious file that will compromise your computer.

Hot-links to remote content. This is most commonly what is being blocked when your e-mail client says something to the effect of "Click here to download pictures...". Once downloaded, these images may appear to be "in" the e-mail. But they are actually hosted on remote webservers. There are a few reasons you'd want to block these from automatically loading.

  1. Obviously, your first concern is that the e-mail is a scam and the remote content is from a hostile source. Then, we're back to similar risks as with images which are actually in the e-mail.

  2. As others have mentioned, this is something of a privacy compromise. Once your system contacts the webserver to download the remote content, a few things can be revealed to the host of that content:

    • Your e-mail address. (And, it can be inferred that the address is valid and that the mailbox is checked somewhat regularly.)
    • Your IP address.
    • Your e-mail client name and version.

    It's also worth noting that the information available via knowledge of your IP address, and association of that with your e-mail address, could include:

    • Your general geographical location.
    • The name of your employer and/or your ISP.

    Though some e-mail addresses inherently leak employer/ISP/location information, IP addresses can leak this information regardless of what is or isn't in your e-mail address.

    All of the above bits of information could facilitate future exploitation of your system, or phishing attempts against you personally.

  3. Another possibility to be aware of is that the remote webserver, while possibly being perfectly friendly on its face, could be compromised sometime between the e-mail being sent and you reading it. An attacker could then replace the remote content (which would otherwise be from a source you know and trust) with some of their own, which brings us again back to point number 1.

  4. Malicious links to active remote content, as opposed to just static images, could do even more damage to your system. As @tylerl mentioned, an image tag may actually point to a malicious script or other content which could harm your computer or perform unwanted actions on your behalf. By restricting remote content from loading entirely, this is avoided.
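As an added example (not code from any of the answers above), here is a small Python filter that does what a mail client's "block remote content" setting does, covering the cases the answers describe: it leaves inline `cid:`/`data:` images alone, strips the `src` of every image that would trigger a network fetch, and separately labels fetches aimed at an address inside the recipient's own network. The message body and hostnames are constructed for the example.

```python
import html
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample body (not from the page): an inline cid: image, a 1x1 tracking
# pixel with a per-recipient token, and an image URL aimed inside the recipient's network.
SAMPLE_HTML = """<html><body><p>Hello &amp; welcome</p>
<img src="cid:logo@example.invalid" alt="logo">
<img src="http://tracker.example.invalid/open.gif?rcpt=abc123" width="1" height="1">
<img src="http://192.168.0.1/apply.pl?action=EnableRemoteLogin" alt="">
</body></html>"""

def classify_src(src):
    """'inline': no fetch at all; 'private': a fetch would hit our own network; else 'remote'."""
    parts = urlsplit(src.strip())
    if parts.scheme in ("cid", "data"):
        return "inline"
    try:
        return "private" if ipaddress.ip_address(parts.hostname or "").is_private else "remote"
    except ValueError:  # hostname is a DNS name rather than an IP literal
        return "remote"

class RemoteImageBlocker(HTMLParser):
    """Re-emits the HTML unchanged, except that every non-inline <img> loses its src."""
    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out, self.blocked = [], []
    def handle_starttag(self, tag, attrs):
        raw = self.get_starttag_text()  # untouched tags are copied through verbatim
        if tag == "img":
            src = dict(attrs).get("src") or ""
            verdict = classify_src(src)
            if verdict != "inline":
                self.blocked.append((src, verdict))  # what the client would have fetched
                kept = [(k, v) for k, v in attrs if k != "src"]  # keep alt/width/... only
                raw = "<img" + "".join(f' {k}="{html.escape(v or "")}"' for k, v in kept) + ">"
        self.out.append(raw)
    def handle_startendtag(self, tag, attrs): self.handle_starttag(tag, attrs)
    def handle_endtag(self, tag): self.out.append(f"</{tag}>")
    def handle_data(self, data): self.out.append(data)
    def handle_entityref(self, name): self.out.append(f"&{name};")
    def handle_charref(self, name): self.out.append(f"&#{name};")
    def handle_decl(self, decl): self.out.append(f"<!{decl}>")

def block_remote_images(raw_html):
    p = RemoteImageBlocker()
    p.feed(raw_html); p.close()
    return "".join(p.out), p.blocked  # sanitised body plus a log of blocked fetches
```

The `blocked` list is what a client can show the user ("N images were not downloaded") or write to a log, and the 'private' verdict is the case worth alerting on, since it is the one the first answer's example URL illustrates.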


Because retrieving the image from the server can reveal your IP address, which is considered a privacy issue. (The image can come from somewhere other than where the email originated, for instance.) It also validates your existence to spammers; they can tell the email has been opened when the embedded image is retrieved, and can pass identifiers back with it to tell which recipient opened it.
