#1 ichi

ichi

    Akihabara Style

  • 5,008 posts
  • Joined: 20-December 04

Posted 12 December 2013 - 22:00

You probably see that "Display images below" button in Gmail all the time on both mobile and desktop. This is the default behavior because it makes it harder for spammers and advertisers to track you. However, Google says it has prepared a workaround that mitigates the security concern and will allow it to show those images by default.

 

When you get an email containing images, the files are loaded from an external host server. Each time you download the images in an email, the sender (read: spammer) can use that to track you. They know firstly that you are a real person and not a broken inbox, but it can also give them an IP address. Google is circumventing this by opening each image in the email, then serving it to you from its proxy servers instead of an external one. This instantly renders image loading data useless to spammers, and makes it safe to show you all your email pics by default.

 

Google is also going to be scanning for malicious content hidden in images at the same time. So consider this a double win. If you don't like awesome things, you can set Gmail to go back to the old behavior of hiding images by default.

 

Source: Android Police




#2 primexx

primexx

    Neowinian Senior

  • 12,803 posts
  • Joined: 24-April 05

Posted 12 December 2013 - 22:34

only works if they open all the images sent to non-existent addresses too



#3 +LimeMaster

LimeMaster

    LippyZillaD Council ( ͡° ͜ʖ ͡°)

  • 11,016 posts
  • Joined: 28-August 10
  • OS: Windows 8
  • Phone: Nokia Lumia 920

Posted 12 December 2013 - 22:37

They've already started doing it. Hopefully it works like they say it does



#4 0sit0

0sit0

    Live and let live

  • 4,336 posts
  • Joined: 24-October 01

Posted 12 December 2013 - 22:38

that means that tools such as Mailchimp are going to have a hard time getting the actual data. 



#5 AJerman

AJerman

    Boomer Sooner!

  • 5,512 posts
  • Joined: 24-July 02
  • Location: Raleigh, NC
  • OS: Windows 8.1
  • Phone: Nexus 5

Posted 12 December 2013 - 22:38

only works if they open all the images sent to non-existent addresses too

Yeah, it wouldn't necessarily stop them from verifying you're a valid inbox if the image links are unique per email and Google opens them for you elsewhere, they were still opened showing you viewed the email, but at least you wouldn't be directly connecting to their server to get the images and exposing your IP to them. This seems like it'd only help half the issue unless you're right and they go ahead and cache all images even ones that weren't opened, which I can't see them doing.



#6 Raa

Raa

    Resident president

  • 12,978 posts
  • Joined: 03-April 02
  • Location: NSW, Australia

Posted 12 December 2013 - 22:46

But doesn't that tell spammers that ALL email addresses they're sending to are valid, and promote more spam?

 

I don't mind the idea - but I'm not confident it will "solve" a problem...



#7 primexx

primexx

    Neowinian Senior

  • 12,803 posts
  • Joined: 24-April 05

Posted 12 December 2013 - 22:57

But doesn't that tell spammers that ALL email addresses they're sending to are valid, and promote more spam?

 

I don't mind the idea - but I'm not confident it will "solve" a problem...

 

yea, it'll temporarily increase the spam for everybody until the spammers catch on

 

Yeah, it wouldn't necessarily stop them from verifying you're a valid inbox if the image links are unique per email and Google opens them for you elsewhere, they were still opened showing you viewed the email, but at least you wouldn't be directly connecting to their server to get the images and exposing your IP to them. This seems like it'd only help half the issue unless you're right and they go ahead and cache all images even ones that weren't opened, which I can't see them doing.

 

they don't have to save anything, just download it directly to /dev/null for all they care. but i still doubt they'd waste the bandwidth on that



#8 +techbeck

techbeck

    It's not that I am lazy, it's that I just don't care

  • 19,630 posts
  • Joined: 20-January 05

Posted 12 December 2013 - 23:10

Not sure how I feel about this. No malware scanner is fool proof. At least there is an option to disable this.

#9 Shadrack

Shadrack

    Neowinian Senior

  • 15,335 posts
  • Joined: 20-December 01

Posted 12 December 2013 - 23:16

Google is circumventing this by opening each image in the email, then serving it to you from its proxy servers instead of an external one.

 

Nice!  So is this only when viewing on the website, or will Google replace images received via IMAP (or w/e) with links to their proxy server?



#10 OP ichi

ichi

    Akihabara Style

  • 5,008 posts
  • Joined: 20-December 04

Posted 12 December 2013 - 23:44

But doesn't that tell spammers that ALL email addresses they're sending to are valid, and promote more spam?

 

According to this article, no: Google caches the image the first time it's opened and serves it from the proxy for every subsequent image request until the TTL expires.

Senders would only get a request for one single image ID for the duration of the TTL.

 

Nice!  So is this only when viewing on the website, or will Google replace images received via IMAP (or w/e) with links to their proxy server?

 

I guess it'll work for every image that's not attached but linked. If they are modifying the body of the mail in their servers to replace the links I don't think it would matter how you get to read them, web, IMAP or whatever.

 

*edit: I'll have to take that back: apparently the link replacement happens at render time on Gmail's web and mobile apps. The actual mail is not modified so you'd still go straight to the original image if you were getting your mail through IMAP.

At least that's how it seems to be working as of now.



#11 primexx

primexx

    Neowinian Senior

  • 12,803 posts
  • Joined: 24-April 05

Posted 13 December 2013 - 01:07

According to this article, no: Google caches the image the first time it's opened and serves it from the proxy for every subsequent image request until the TTL expires.

Senders would only get a request for one single image ID for the duration of the TTL.

 

 

I guess it'll work for every image that's not attached but linked. If they are modifying the body of the mail in their servers to replace the links I don't think it would matter how you get to read them, web, IMAP or whatever.

 

*edit: I'll have to take that back: apparently the link replacement happens at render time on Gmail's web and mobile apps. The actual mail is not modified so you'd still go straight to the original image if you were getting your mail through IMAP.

At least that's how it seems to be working as of now.

 

so the spammer just makes the TTL 1 second?



#12 Torolol

Torolol

  • 3,155 posts
  • Joined: 24-November 12

Posted 13 December 2013 - 01:25

This instantly renders image loading data useless to spammers, and makes it safe to show you all your email pics by default

er, no.

Doing so only makes the spammer get the wrong IP addresses,
but they are still able to figure out if that inbox is still usable,
whether the inbox is actively used or suffering from long inactivity,
which depends on how the proxies retrieve the image from the original spammer host:
are they retrieved when the user opens their inbox, or when Gmail receives the spam?

I have seen spammers using a long unique hash in the image URL, which they could then use to link which hashes were sent to which inboxes,
and which images/hashes were requested for download.

#13 hyde+

hyde+

    High Definition

  • 494 posts
  • Joined: 28-September 07
  • Location: New York

Posted 13 December 2013 - 01:29

Time to go back to Hotmail or even better, pay for hosted exchange.

Google and its nosy tech Nazi approach of "I know what's best for you"

#14 Growled

Growled

    Neowinian Senior

  • 41,508 posts
  • Joined: 17-December 08
  • Location: USA

Posted 13 December 2013 - 03:29

If you don't like awesome things, you can set Gmail to go back to the old behavior of hiding images by default.

 

Which I will be doing pronto.



#15 OP ichi

ichi

    Akihabara Style

  • 5,008 posts
  • Joined: 20-December 04

Posted 13 December 2013 - 06:45

so the spammer just makes the TTL 1 second?


If the point was hiding the client's access to images they could just not honor that TTL, although Gmail's blog seems to point out that that might be a potential side effect rather than an actual feature.

What they are talking about is hiding user data (IP, user agent, geolocation), avoiding tracking (no way to set cookies on the user's browser) and making images safer (images are analyzed for known exploits and transcoded before sending them to the user).
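
As an added illustration of the behaviour discussed in posts #5, #10 and #15 (not part of the original thread, and not Google's code): a minimal Python model of a render-time image proxy with a fetch-once cache, showing what the sender's server can still observe. The host names, IP address, proxy endpoint and TTL are constructed assumptions.

```python
import re
from urllib.parse import quote, unquote

PROXY_PREFIX = "https://img-proxy.example/p?url="   # hypothetical proxy endpoint
PROXY_IP, PROXY_UA = "192.0.2.10", "ImageProxy"     # constructed values
CACHE_TTL = 3600  # assumption: the proxy picks its own TTL, ignoring the origin's

class SenderHost:
    """Constructed stand-in for the sender's image server; logs what it can observe."""
    def __init__(self):
        self.log = []

    def get(self, url, ip, user_agent, cookies):
        self.log.append({"url": url, "ip": ip, "ua": user_agent, "cookies": cookies})
        return b"image-bytes"

class ImageProxy:
    def __init__(self, origin):
        self.origin, self.cache = origin, {}

    def render(self, html):
        """Rewrite <img src> at render time; the stored message is not modified."""
        return re.sub(r'(<img\b[^>]*\bsrc=")([^"]+)"',
                      lambda m: m.group(1) + PROXY_PREFIX + quote(m.group(2), safe="") + '"',
                      html)

    def fetch(self, proxied_url, now):
        """Serve from cache; contact the origin only on a miss or after expiry."""
        url = unquote(proxied_url[len(PROXY_PREFIX):])
        hit = self.cache.get(url)
        if hit and hit[1] > now:
            return hit[0]
        # The origin sees the proxy's address and agent, and no client cookies.
        body = self.origin.get(url, PROXY_IP, PROXY_UA, cookies={})
        self.cache[url] = (body, now + CACHE_TTL)
        return body

def simulate():
    """Two constructed messages with per-recipient image IDs; only 'a' is opened (twice)."""
    sender = SenderHost()
    proxy = ImageProxy(sender)
    mails = {"a": '<p>Hi</p><img src="http://sender.example/px.gif?id=AAA111">',
             "b": '<p>Hi</p><img src="http://sender.example/px.gif?id=BBB222">'}
    view_a = proxy.render(mails["a"])
    src = re.search(r'src="([^"]+)"', view_a).group(1)
    proxy.fetch(src, now=0)
    proxy.fetch(src, now=60)   # second open is served from the proxy cache
    return sender.log, view_a  # mails["b"] is never opened, so never fetched
```

The sender's log ends up with a single request for the opened message's image ID, coming from the proxy's address with no cookies; the second open and the unopened message produce no entry.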