
28 posts in this topic

Posted

You probably see that "Display images below" button in Gmail all the time on both mobile and desktop. This is the default behavior because it makes it harder for spammers and advertisers to track you. However, Google says it has prepared a workaround that mitigates the security concern and will allow it to show those images by default.

 

When you get an email containing images, the files are loaded from an external host server. Each time you download the images in an email, the sender (read: spammer) can use that to track you. They know firstly that you are a real person and not a broken inbox, but it can also give them an IP address. Google is circumventing this by opening each image in the email, then serving it to you from its proxy servers instead of an external one. This instantly renders image loading data useless to spammers, and makes it safe to show you all your email pics by default.

 

Google is also going to be scanning for malicious content hidden in images at the same time. So consider this a double win. If you don't like awesome things, you can set Gmail to go back to the old behavior of hiding images by default.

 

Source: Android Police


Posted

only works if they open all the images sent to non-existent addresses too


Posted

They've already started doing it. Hopefully it works like they say it does


Posted

that means that tools such as Mailchimp are going to have a hard time getting the actual data. 


Posted

only works if they open all the images sent to non-existent addresses too

Yeah, it wouldn't necessarily stop them from verifying you're a valid inbox if the image links are unique per email and Google opens them for you elsewhere, they were still opened showing you viewed the email, but at least you wouldn't be directly connecting to their server to get the images and exposing your IP to them. This seems like it'd only help half the issue unless you're right and they go ahead and cache all images even ones that weren't opened, which I can't see them doing.


Posted

But doesn't that tell spammers that ALL email addresses they're sending to are valid, and promote more spam?

 

I don't mind the idea - but I'm not confident it will "solve" a problem...


Posted

But doesn't that tell spammers that ALL email addresses they're sending to are valid, and promote more spam?

 

I don't mind the idea - but I'm not confident it will "solve" a problem...

 

yea, it'll temporarily increase the spam for everybody until the spammers catch on

 

Yeah, it wouldn't necessarily stop them from verifying you're a valid inbox if the image links are unique per email and Google opens them for you elsewhere, they were still opened showing you viewed the email, but at least you wouldn't be directly connecting to their server to get the images and exposing your IP to them. This seems like it'd only help half the issue unless you're right and they go ahead and cache all images even ones that weren't opened, which I can't see them doing.

 

They don't have to save anything, just download it directly to /dev/null for all they care. But I still doubt they'd waste the bandwidth on that.


Posted

Not sure how I feel about this. No malware scanner is foolproof. At least there is an option to disable this.
1 person likes this


Posted

Google is circumventing this by opening each image in the email, then serving it to you from its proxy servers instead of an external one.

 

Nice!  So is this only when viewing on the website, or will Google replace images received via IMAP (or w/e) with links to their proxy server?


Posted

But doesn't that tell spammers that ALL email addresses they're sending to are valid, and promote more spam?

 

According to this article, no: Google caches the image the first time it's opened and serves it from the proxy for every subsequent image request until the TTL expires.

Senders would only get a request for one single image ID for the duration of the TTL.

 

Nice!  So is this only when viewing on the website, or will Google replace images received via IMAP (or w/e) with links to their proxy server?

 

I guess it'll work for every image that's not attached but linked. If they are modifying the body of the mail in their servers to replace the links I don't think it would matter how you get to read them, web, IMAP or whatever.

 

*edit: I'll have to take that back: apparently the link replacement happens at render time on Gmail's web and mobile apps. The actual mail is not modified so you'd still go straight to the original image if you were getting your mail through IMAP.

At least that's how it seems to be working as of now.

1 person likes this


Posted

According to this article, no: Google caches the image the first time it's opened and serves it from the proxy for every subsequent image request until the TTL expires.

Senders would only get a request for one single image ID for the duration of the TTL.

 

 

I guess it'll work for every image that's not attached but linked. If they are modifying the body of the mail in their servers to replace the links I don't think it would matter how you get to read them, web, IMAP or whatever.

 

*edit: I'll have to take that back: apparently the link replacement happens at render time on Gmail's web and mobile apps. The actual mail is not modified so you'd still go straight to the original image if you were getting your mail through IMAP.

At least that's how it seems to be working as of now.

 

so the spammer just makes the TTL 1 second?


Posted

This instantly renders image loading data useless to spammers, and makes it safe to show you all your email pics by default

er, no.

Doing so only makes the spammer get the wrong IP addresses,
but they are still able to figure out if that inbox is still usable,
whether the inbox is actively used or suffering a long inactivity,
which depends on how the proxies retrieve the image from the original spammer host:
are they retrieved when the user opens their inbox, or when Gmail receives the spam?

I have seen spammers using a long unique hash in the image URL, with which they could link which hashes were sent to which inboxes,
and which images/hashes were requested for download.
2 people like this


Posted

Time to go back to Hotmail or even better, pay for hosted exchange.

Google and its nosy tech Nazi approach of "I know what's best for you"


Posted

If you don't like awesome things, you can set Gmail to go back to the old behavior of hiding images by default.

 

Which I will be doing pronto.


Posted

so the spammer just makes the TTL 1 second?


If the point was hiding the client's access to images they could just not honor that TTL, although Gmail's blog seems to point that that might be a potential side effect rather than an actual feature.

What they are talking about is hiding user data (IP, user agent, geolocation), avoiding tracking (no way to set cookies on the user's browser) and making images safer (images are analyzed for known exploits and transcoded before sending them to the user).

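The mechanism argued over across this thread (per-recipient image URLs in the mail body, the proxy fetching on the reader's behalf so the sender never sees the reader's IP, user agent or cookies, caching until a TTL expires, and the objection that a sender could just set a one-second TTL), modelled as an added example that is not Gmail's code and is not from the Android Police article. The proxy host, the fixed proxy user agent, the minimum-TTL policy, the sample HTML and the reader headers are all assumptions constructed for the demo.

```python
"""Toy image proxy modelling the mechanism discussed in this thread.

Added example, not Gmail's code: proxy host, TTL floor and the sample
HTML are all constructed here for illustration.
"""
import hashlib
import re
from dataclasses import dataclass, field
from html import unescape
from typing import Dict, List, Optional, Tuple
from urllib.parse import quote, urlsplit

PROXY_BASE = "https://proxy.example/img"  # assumed proxy host, not a real one
PROXY_UA = "ImageProxy/1.0"               # fixed UA sent upstream in place of the reader's
MIN_TTL = 3600                            # floor for a sender-supplied max-age (assumed policy)
DEFAULT_TTL = 86400                       # used when the sender sends no max-age

IMG_SRC_RE = re.compile(r'(<img\b[^>]*?\bsrc=)(["\'])(.*?)\2', re.IGNORECASE | re.DOTALL)


def proxy_url(original: str) -> str:
    """Rewrite one external image URL into a proxy URL (the original is
    carried in the query so the proxy knows what to fetch)."""
    digest = hashlib.sha256(original.encode()).hexdigest()[:16]
    return f"{PROXY_BASE}/{digest}?u={quote(original, safe='')}"


def rewrite_html(html: str) -> Tuple[str, List[str]]:
    """Rewrite every http(s) <img src> at render time and return the rewritten
    HTML plus the original URLs. cid: attachments and data: URIs are untouched,
    matching the thread's point that only linked (not attached) images change."""
    found: List[str] = []

    def sub(m: "re.Match[str]") -> str:
        src = unescape(m.group(3))
        if urlsplit(src).scheme not in ("http", "https"):
            return m.group(0)
        found.append(src)
        return f"{m.group(1)}{m.group(2)}{proxy_url(src)}{m.group(2)}"

    return IMG_SRC_RE.sub(sub, html), found


@dataclass
class UpstreamServer:
    """Stand-in for the sender's image host; records what it gets to see."""
    max_age: int = DEFAULT_TTL
    requests: List[Tuple[str, Optional[str], Optional[str]]] = field(default_factory=list)

    def get(self, url: str, headers: Dict[str, str]) -> Tuple[bytes, Dict[str, str]]:
        self.requests.append((url, headers.get("User-Agent"), headers.get("Cookie")))
        return b"\x89PNG\r\n\x1a\n", {"Cache-Control": f"max-age={self.max_age}"}


def parse_max_age(cache_control: Optional[str]) -> Optional[int]:
    m = re.search(r"max-age=(\d+)", cache_control or "")
    return int(m.group(1)) if m else None


@dataclass
class ImageProxy:
    """Fetches on the reader's behalf and caches by original URL until the TTL expires."""
    upstream: UpstreamServer
    cache: Dict[str, Tuple[float, bytes]] = field(default_factory=dict)

    def fetch(self, original_url: str, reader_headers: Dict[str, str], now: float) -> bytes:
        # reader_headers (the reader's UA, cookies) are deliberately never forwarded.
        entry = self.cache.get(original_url)
        if entry and entry[0] > now:
            return entry[1]                            # cache hit: the sender sees nothing
        body, resp = self.upstream.get(original_url, {"User-Agent": PROXY_UA})
        ttl = parse_max_age(resp.get("Cache-Control")) or DEFAULT_TTL
        ttl = max(ttl, MIN_TTL)                        # a sender's "max-age=1" is clamped, not honoured
        self.cache[original_url] = (now + ttl, body)   # a real proxy would also transcode the image here
        return body


def simulate(opens: int, gap_seconds: int, sender_max_age: int) -> Dict[str, object]:
    """Open the same message `opens` times, `gap_seconds` apart, and report
    what the sender's server observed."""
    upstream = UpstreamServer(max_age=sender_max_age)
    proxy = ImageProxy(upstream)
    reader_headers = {"User-Agent": "Mozilla/5.0 (reader)", "Cookie": "session=xyz"}  # constructed
    html = '<p>Hello</p><img src="https://sender.example/px/abc123?r=alice" width="1" height="1">'  # constructed
    _, originals = rewrite_html(html)
    for i in range(opens):
        for url in originals:
            proxy.fetch(url, reader_headers, now=1000 + i * gap_seconds)
    return {
        "upstream_requests": len(upstream.requests),
        "user_agents_seen": {r[1] for r in upstream.requests},
        "cookies_seen": {r[2] for r in upstream.requests},
    }


if __name__ == "__main__":
    print(simulate(opens=3, gap_seconds=60, sender_max_age=1))
    print(simulate(opens=3, gap_seconds=7200, sender_max_age=1))
```

Running the two simulations shows both halves of the argument in the thread: the sender still receives exactly one request per unique image URL per TTL window, so it learns that the message was opened at least once (the point raised about unique hashes), but every request carries the proxy's own user agent and no cookies, so the reader's IP, browser and session stay hidden. Opens spaced further apart than the clamped TTL produce a fresh upstream fetch each time, which is why a one-second sender TTL only matters if the proxy honours it.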

Posted

Time to go back to Hotmail or even better, pay for hosted exchange.

Google and its nosy tech Nazi approach of "I know what's best for you"

 
So I'm guessing you don't know what this is.
2 people like this


Posted

So I'm guessing you don't know what this is.


I don't know what this is, either.


Posted

On the face of it this sounds really good, but I think it will only affect legitimate email campaigns in the long run. Spammers will be unaffected at best and, depending on how it works, could even use it to identify registered Gmail addresses en masse.

The cynic in me wonders how long it is before Google start selling "email analytics" to those who run email campaigns.


Posted

only works if they open all the images sent to non-existent addresses too

 

They wouldn't have to open all of them, just some of them at random.


Posted

Time to go back to Hotmail or even better, pay for hosted exchange.

Google and its nosy tech Nazi approach of "I know what's best for you"

 

Yea, too bad you cannot disable this option....no, wait.....


Posted

Google's proxy servers request the image each time you open a message which means that spammers will know that your email address is active if they embed unique images in emails. 

 

From Google's support page:

 

 

...senders may be able to know whether an individual has opened a message with unique image links.

 

If anything, this will lead to more spam.


Posted

If anything, this will lead to more spam.

 

Only if you actually read your spam, though.

2 people like this


Posted


If anything, this will lead to more spam.

 

Google is great about blocking spam. I never get any spam in my INBOX and it all goes to the spam folder....so I never see it. Cannot say that for Yahoo email and I don't really use my Outlook account ATM.


Posted

On the face of it this sounds really good, but I think it will only affect legitimate email campaigns in the long run. Spammers will be unaffected at best and, depending on how it works, could even use it to identify registered Gmail addresses en masse.

The cynic in me wonders how long it is before Google start selling "email analytics" to those who run email campaigns.

what? how?

 

They wouldn't have to open all of them, just some of them at random.

that's true, although the exact percentage of opened vs. unopened would have to be worked out so it's a non-negligible amount compared to legitimately opened mail. I suspect that would still account for quite a large volume of traffic.

 

Google's proxy servers request the image each time you open a message which means that spammers will know that your email address is active if they embed unique images in emails. 

 

From Google's support page:

 

 

If anything, this will lead to more spam.

 

I guess that means they don't open anything sent to nonexistent addresses.


Posted

From what people are seeing, Google downloads the images when they receive the email (Maybe for non-existent addresses? not sure), and for some users they re-download the images every time the email is opened (Which makes the whole thing useless)

The one upside is that the marketers don't see the source IP/UA info, but they can still detect valid/invalid accounts, and when a user opens the mail.
