EPIM email privacy risk.
- Expert
I was looking through my firewall log and found a ton of hits to spy and tracking companies coming from EPIM. I tracked it down to the emails.
It appears EPIM is in desperate need of privacy improvements for its email system as its rendering engine is being heavily exploited even with the display of images turned off. There's really no point in not displaying images if all the tracking hits are going to go through anyway.
I checked four other email clients I used and none of them are suffering from this issue.
Re: EPIM email privacy risk.
Is this also true for spam-emails when I checked "Automatically mark spam messages as read"? This really would be bad!
Re: EPIM email privacy risk.
This has been talked about before somewhere...
My tests always showed that the emails have to be rendered [opened/previewed] in the IE frame, so since things that are caught by a filter are never rendered they don't ever leak.
Of course, when it comes to personal data mining, true spam rarely has much to worry about since they are normally always phishing scams, attachment exploits, site redirect attacks... or other things that need direct user interaction.
The emails you need to be the most concerned about for privacy mining are order invoices, company newsletters, opt-in marketing lists, social network notices, various account update notices, etc., which are all normally things you don't want marked as spam, and usually even want to read.
EPIM Portable Pro Running/Tested On: Windows 11 Pro 64-bit US-ENG|i5-6400+Quadro P620|i7-7700K+1050ti|i7-8700K+970GTX|AMD 5600x+1080ti|16GB+RAM&NVMe SSDs
[I'm helpful and often reply to questions, however I am just a fellow user and not staff.]
Re: EPIM email privacy risk.
> This has been talked about before somewhere...
I know, I remember. But not with exactly this information SilverSound wrote.
> My tests always showed that the emails have to be rendered [opened/previewed] in the IE frame, so since things that are caught by a filter are never rendered they don't ever leak.
> Of course, when it comes to personal data mining, true spam rarely has much to worry about since they are normally always phishing scams, attachment exploits, site redirect attacks... or other things that need direct user interaction.
This is exactly what I wanted to hear! Is this here an "I like EPIM" bubble??
Thanks, MetalDrop!
- Site Admin
Re: EPIM email privacy risk.
SilverSound, please turn off rendering of images and if the requests still come through, please export this email to EML and attach here or send via email.
Normally this should not be happening.
Maxim,
EPIM Team
- Expert
Re: EPIM email privacy risk.
Attached is:
An email
A photo of my email display settings
A photo of the firewall log showing all the connections blocked by the provided email.
- Attachments
- 2020_06_26_15_10 Films to Watch This Weekend.zip (28.32 KiB)
Re: EPIM email privacy risk.
Now I had a closer look at my emails, and I compared them to the same emails in Thunderbird and I found out: EPIM 9.1 pro portable is NOT BLOCKING EXTERNAL IMAGES AT ALL!!! The "Don't show external images in messages" is set! Setting "Don't show external images in messages" on/off has no effect at all, there is no difference.
- Site Admin
Re: EPIM email privacy risk.
a8907433 wrote (Mon Jun 29, 2020 4:26 pm):
> Now I had a closer look at my emails, and I compared them to the same emails in Thunderbird and I found out: EPIM 9.1 pro portable is NOT BLOCKING EXTERNAL IMAGES AT ALL!!! The "Don't show external images in messages" is set! Setting "Don't show external images in messages" on/off has no effect at all, there is no difference.
We will be checking this, thank you! So far I appear to be able to reproduce the issue.
Maxim,
EPIM Team
- Expert
Re: EPIM email privacy risk.
In version 9.1.1 the email I posted earlier no longer seems to leak. However, others are still leaking with images turned off.
Attached are three of them along with screenshots of what was blocked.
- Attachments
- Email leaks 9.1.1.zip (53.59 KiB)
- Email Leaks 9.1.1 Extra email.zip (48.65 KiB)
- Site Admin
Re: EPIM email privacy risk.
Thanks, will have a look at it again.
Android version of EssentialPIM. Keep all your data in sync!
- Site Admin
Re: EPIM email privacy risk.
We couldn't reproduce the issue on 9.1.1 anymore. Please check if the option not to load images is enabled in settings. If so, what about the sub-option to ignore the master option if the sender is in your contacts? If the sub option is enabled and the sender is in your contacts, then all's working correctly.
- Expert
Re: EPIM email privacy risk.
admin wrote (Sat Jul 04, 2020 3:04 pm):
> We couldn't reproduce the issue on 9.1.1 anymore. Please check if the option not to load images is enabled in settings. If so, what about the sub-option to ignore the master option if the sender is in your contacts? If the sub option is enabled and the sender is in your contacts, then all's working correctly.
My settings are still the same from last time.
All external images are not allowed.
Re: EPIM email privacy risk.
I'm seeing a lot of leaking still too.
My email display settings are the same: no external images, no exceptions for contacts.
Here are my results using ProcessMonitor and going through a couple of dozen recently deleted emails:
- Site Admin
Re: EPIM email privacy risk.
We use IE's rendering engine. When you open an email it renders out HTML; what it also does in the background, we have no control over. Although one thing is certain - it's not trying to load images when such an option is enabled.
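An added example, not part of the thread and not EssentialPIM code: a Python audit of an exported EML that lists every remote URL an HTML renderer could request on open, and separates out the ones that are not `<img>` elements, which is the kind of request the last post says the embedded engine may make on its own. The attribute list, the function names and the sample message (with its `example.net` hosts) are assumptions constructed for illustration; which of these a given client actually blocks has to be checked against a firewall or ProcessMonitor log.

```python
import re
from email import message_from_string, policy
from html.parser import HTMLParser

# Assumed list: attributes a renderer may fetch without any click.
AUTO_ATTRS = {"src", "background", "poster", "data"}
REMOTE = re.compile(r"^(?:https?:)?//", re.I)
CSS_URL = re.compile(r"(?:url\(\s*|@import\s+)['\"]?\s*((?:https?:)?//[^'\")\s;]+)", re.I)

class RemoteRefFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.refs, self._in_style = [], False   # refs: (tag, where, url)

    def handle_starttag(self, tag, attrs):
        self._in_style = self._in_style or tag == "style"
        for name, value in attrs:
            value = (value or "").strip()
            if name == "style":      # inline CSS, e.g. background-image:url(...)
                self.refs += [(tag, "style-attr", u) for u in CSS_URL.findall(value)]
            elif REMOTE.match(value) and (name in AUTO_ATTRS or (tag, name) == ("link", "href")):
                self.refs.append((tag, name, value))  # <a href> needs a click, so it is skipped

    def handle_endtag(self, tag):
        self._in_style = self._in_style and tag != "style"

    def handle_data(self, data):
        if self._in_style:           # contents of a <style> block
            self.refs += [("style", "css", u) for u in CSS_URL.findall(data)]

def remote_refs(eml_text):
    """Every remote URL the HTML parts could make a renderer request on open."""
    finder = RemoteRefFinder()
    for part in message_from_string(eml_text, policy=policy.default).walk():
        if part.get_content_type() == "text/html":
            finder.feed(part.get_content())
    finder.close()
    return finder.refs

def non_img_refs(eml_text):
    """References that a block aimed only at <img> elements would not cover."""
    return [r for r in remote_refs(eml_text) if r[0] != "img"]

# Constructed sample message, not one of the attachments from the thread.
SAMPLE_EML = """\
Subject: constructed sample
Content-Type: text/html; charset="utf-8"

<html><head><link rel="stylesheet" href="https://t.example.net/c.css?id=1">
<style>body { background: url('https://t.example.net/bg.gif?id=1'); }</style></head>
<body background="http://t.example.net/b.png?id=1"><img src="https://t.example.net/open.gif?id=1">
<a href="https://shop.example.com/">Shop</a><p style="background-image:url(//t.example.net/p.png)">x</p>
</body></html>
"""
```

Calling `non_img_refs()` on the text of an exported message and comparing the hosts it returns with the blocked connections in the firewall log shows whether the hits come from image tags or from other markup.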