OS X Spotlight Glitch Exposes IP Addresses and Other System Details to Spammers

[BlendedFrog]

You're comment is hilarious! LOL Webmail like Gmail and Yahoo is often a worse offender and gives all kinds of info away. try again HAHAHA!

I use mail app, and I love it.

Come call me when the mail app can even remotely use an exchange account correctly. Email rules are at best ****** and at worst laughable.

Outlook is by far the best webmail portal around. I cannot figure out why people still use a desktop client for personal email accounts.

 

[till213]

Do you think that Spammers have any form of Mail Send filtering at all.

Uhm... say what?! In which century you said do you live again?

**** hell yeah, you can bet your ass that spammers have a "Mail Send Filtering", as you call it!

Ever heard of "Web Bugs"? Here, I'll get you started: http://en.wikipedia.org/wiki/Web_bug

They send billions of mails. Facebook ads - what... how they doing that then? Even i they can... who gives a crap... I am not clicking on any. Major is pushing it I think. Slightly annoying at best.

You don't need to click on anything! That's the whole ****ing point! Quick, get yourself educated, e.g. with the URL given above!

And then check your iDevice/OS X Mail settings and uncheck that option "Load images from servers"! (Since Apple leaves that option checked by default - bummer!). Pronto!

Don't let them spammers know that their emails are actually read!

(And the fact that I still get spam every then and when slipping through all the filters shows me that there are still boneheads actually ordering and clicking on stuff!)

 

[Michaelgtrusa]

Well I still have Alfred app.

 

[nostaws]

I'd like to know what percentage of OS X users actually use mail. I actually sit at my computer with my phone in hand, and I exclusively check my mail on my iPhone. If I have to type out a longer thoughtful response, I will then use my browser to login to gmail/yahoo/whatever to craft my email.

I'm going to go back to using Alfred I think.
This new Spotlight has been rubbish for me

Agreed. I have hated spotlight for a long time. It just seems real hit and miss.

 

[ChrisCW11]

Yeah

Congratulations Apple on selling more phones and apps in 2014 than any other year...at the expense of quality.

 

[till213]

That is actually very untrue.

This is actually very true.

The majority of the spam computers that send out those spam emails have no way of monitoring your specific email account.

Quick hint for the wanna-be spammer: it does not have to be the same computer that sends the email which needs to track the emails. (In fact, I would guess in 99% of all cases it is not: you don't want to use your own computers/IP addresses to send spam from - that what you have your "Botnet" for which you can control)

They don't track if the email is valid, either.

Yes they do. And that's worth actual money! Confirmed emails get you so much more money when you sell them. Fact.

If they get a bounce back saying the email doesn't exist, they still continue to send repeated emails.

See above: bounce-backs are totally meaningless, since a) sender addresses are forged anyway and b) even the real sender's address (which is easy to evaluate) doesn't belong to the spammer either (but to some random ignorant dude out there on the internet, whose computer/router/NAS/whatever hacked device is used as bot).

Scam pixels are often used just for overall statistics, like "20% of the people we send ads to are in this part of the world using this version of OS X".

This too.

This would also require that a DIFFERENT version of the spam pixel is loaded for each email, so they could uniquely target each person they send the email to. It's much more cost-efficient to just send out mass emails, rather than track each of the millions of emails individually.

Cost efficient? What are you, a bean counter? Tell me, what do you think what it costs (in any "currency": CPU power, electricity, you name it...) to generate 1 Mio emails with a unique tracking ID, store the corresponding ID/email pairs in a database, batch those generated email contents to your botnet and have it send those 1 Mio emails each by its own?

And compare this cost against the win you will have, once you can prove how many of your email addresses are actually "valid" when you re-sell them?

 

[Rigby]

This is a minor bug. What percentage of users actually disable displaying remote images in HTML emails? Probably not many (<1%).

Well, you should (also on your iOS devices, BTW). Many other email clients have this setting enabled by default.

Most commercial emails link to remote images and disabling the images take away most of the email content.

You can still download the images for individual mails by clicking a button. They just don't get downloaded automatically for every email.

Overblown... Comical how people jump on minor things just to complain.

Well, if you like spam. The way spammers use tracking pixels works like this: They send out thousands of emails each with a unique identifier encoded in the URL for the tracking pixel. When you receive the mail, the Mail app automatically downloads the remote image of the tracking pixel using the unique URL. This tells the spammer (who runs the server that hosts the images) that this particular email address is valid and active. They then "promote" your email address to a list of high-value addresses, which will receive even more spam in the future.

 

[Amazing Iceman]

I don't think you understand what the article means.

Let me explain. If you block the tracking pixel from loading, the spammer will never realize that you received the email, and may eventually stop sending them. If they do realize that you receive the email, then they can get your IP address, know that the email address is valid, cross reference your purchasing habits with your IP address, and target you specifically with Facebook ads.

That's a major gaping privacy hole in OS X that needs to be patched.

There are hundreds of ways for spammers to go around this type of security.
Just by being connected to the Internet you are exposed. The only 'possible' way to hide yourself would be to use a proxy, and still, I can already come up with more ways to bypass this.
The fact is that once you are online, forget about total privacy.

 

[Casiotone]

I don't think you understand what the article means.

Let me explain. If you block the tracking pixel from loading, the spammer will never realize that you received the email, and may eventually stop sending them. If they do realize that you receive the email, then they can get your IP address, know that the email address is valid, cross reference your purchasing habits with your IP address, and target you specifically with Facebook ads.

That's a major gaping privacy hole in OS X that needs to be patched.

Please explain how they can "cross reference your purchasing habits with your IP address"?

 

[prowlmedia]

You can target a single person with a Facebook ad. This is how they do it.

That is awesome. A fair few caveats though.

 

[logicstudiouser]

Snow leopard all the way!

 

[spacemanspifff]

Spam spam spam spam spam...

Please explain how they can "cross reference your purchasing habits with your IP address"?

Yeah, I'd like to know the answer to that one too.

Unless you have a fixed IP address - which most people don't then they can't be sure that you'll be at that IP address next time they send their crap.

I know that my router goes down at least once a week (yeah it's rubbish) but every time it does, on the re-boot I'll get a new IP address from my ISP. BTW my IP address is shared by loads of other people - so good luck trying to target me using that.

I find it very difficult to believe that these spammers are bothering to track their crap. In fact, I can tell they're not, because I have not received any targeted ads from them, just the usual scams.

I guess they are still getting some hits otherwise they wouldn't bother or perhaps because of the minute cost they just don't care either way.

 

[prowlmedia]

Uhm... say what?! In which century you said do you live again?

**** hell yeah, you can bet your ass that spammers have a "Mail Send Filtering", as you call it!

Ever heard of "Web Bugs"? Here, I'll get you started: http://en.wikipedia.org/wiki/Web_bug

You don't need to click on anything! That's the whole ****ing point! Quick, get yourself educated, e.g. with the URL given above!

And then check your iDevice/OS X Mail settings and uncheck that option "Load images from servers"! (Since Apple leaves that option checked by default - bummer!). Pronto!

Don't let them spammers know that their emails are actually read!

(And the fact that I still get spam every then and when slipping through all the filters shows me that there are still boneheads actually ordering and clicking on stuff!)

Article - TL;DR and yes I know what they are.

Nope. You completely missed the point. I mean they don't really care if you have active email or not. They send out millions in shotgun mails anyway. Its not worth their time to even set up a filter to stop spamming mail.

 

[Rigby]

Article - TL;DR and yes I know what they are.

Nope. You completely missed the point. I mean they don't really care if you have active email or not. They send out millions in shotgun mails anyway. Its not worth their time to even set up a filter to stop spamming mail.

That's not how it works. Spam email lists are traded for money. Lists with confirmed active addresses fetch more money because they increase the hits/mails sent ratio. If you confirm to every spammer that your address is active by downloading their tracking images, you are almost guaranteed to receive more spam in the future than you otherwise would have.

 

[TMRJIJ]

Come call me when the mail app can even remotely use an exchange account correctly. Email rules are at best ****** and at worst laughable.

Outlook is by far the best webmail portal around. I cannot figure out why people still use a desktop client for personal email accounts.

I been using an Exchange account on Mail for a while now. No problems what so ever. Please stop trolling, dude. Its not cool.

 

[MikePLP]

Another reason not to use the crappy mail app. Now I know why I have always stuck to using the webmail interface.

Will Apple ever get their act together and overhaul the damn app and actually make it usable?

Use thunderbird.

 

[djdj]

That is actually very untrue. The majority of the spam computers that send out those spam emails have no way of monitoring your specific email account. They don't track if the email is valid, either. If they get a bounce back saying the email doesn't exist, they still continue to send repeated emails. They also aren't going to waste the time calculating "if you opened your email and read the ad", they're going to send you continual ads regardless.

Scam pixels are often used just for overall statistics, like "20% of the people we send ads to are in this part of the world using this version of OS X".

This would also require that a DIFFERENT version of the spam pixel is loaded for each email, so they could uniquely target each person they send the email to. It's much more cost-efficient to just send out mass emails, rather than track each of the millions of emails individually.

If you were to do some investigation you'd find that what you are saying is untrue. Very often each email is given a unique ID. They don't have to give a unique image file, but they can give a unique ID. For example, if you were to link to the MacRumors logo (at http://cdn.macrumors.com/images-new/logo.png) you could just add an ID on to the end (http://cdn.macrumors.com/images-new/logo.png?id=ABCDEFG) and the image still comes up just fine without a unique filename, but still contain a unique identifier.

Email messages are usually sent individually by spammers. It's pretty rare that we see messages sent using multiple BCC addresses these days. At some point each message has to be distributed uniquely per user anyway, so why not add that one additional line of code to add a unique identifier and other personalized information? It doesn't cost any more to do this. And it would be dumb not to. It actually saves money because they can eventually tell who isn't seeing the messages being sent so they can stop sending messages to those addresses that never view it.

It would actually be silly NOT to do this, as you can reach more people by knowing which ones are seeing your messages and ignoring the rest.

But if you don't believe me, go view the source of some spam email messages. You'll see unique identifiers, I promise.

 

[furi0usbee]

I'm going to go back to using Alfred I think

I never left Alfred. Spotlight sucks. With Alfred, I can simply type FIND, OPEN, or IN, and I can either find the file I want, open the file I want, or search inside the file I want (plus lots of other cool stuff).

I've done the exact same search with Alfred and Spotlight and I find what I'm looking for about 10x faster with Alfred. I use Cocktail to hide that Spotlight icon and use COMMAND-SPACE for Alfred. Works like a charm.

 

[coolfactor]

Am I the only one that rarely uses Spotlight? Don't get me wrong, I love spotlight especially the revamped one in 10.10. However, I just don't think about Spotlight when launching an application or searching for files. I mostly just hit the Launchpad shortcut on my keyboard and use the terminal for searching for/in files.

I guess I just need to force myself to use it more often and hopefully after a while I'll launch more by reflex.

Press Cmd-Space.
Type "ke", press Return.
Keychain Access launches.

Launching application using Spotlight could not be easier. That's may primary use for it. I also use it as a quick calculator. I just wish it didn't block out the middle 50% of my screen now.

 

[MikePLP]

I don't think you understand what the article means.

Let me explain. If you block the tracking pixel from loading, the spammer will never realize that you received the email, and may eventually stop sending them. If they do realize that you receive the email, then they can get your IP address, know that the email address is valid, cross reference your purchasing habits with your IP address, and target you specifically with Facebook ads.

That's a major gaping privacy hole in OS X that needs to be patched.

Not exactly. Basically, the info that they're getting is exactly the same as when you visit any web site. The web server log DOES NOT log email addresses. There is no way that would know that YOUR email address is associated with that particular web hit.
Let's just say i know what i'm talking about as I used to be a web server admin.

 

[Casiotone]

Yeah, I'd like to know the answer to that one too.

Unless you have a fixed IP address - which most people don't then they can't be sure that you'll be at that IP address next time they send their crap.

I know that my router goes down at least once a week (yeah it's rubbish) but every time it does, on the re-boot I'll get a new IP address from my ISP. BTW my IP address is shared by loads of other people - so good luck trying to target me using that.

I find it very difficult to believe that these spammers are bothering to track their crap. In fact, I can tell they're not, because I have not received any targeted ads from them, just the usual scams.

I guess they are still getting some hits otherwise they wouldn't bother or perhaps because of the minute cost they just don't care either way.

Even with a fixed IP, random spammers can't track down my purchasing habits, unless they hack the servers of the companies I do business with to get the server logs, and at that point they may as well have stolen my email and other info from that server anyway.

 

[Jessica Lares]

I would have deleted the junk e-mail before I used Spotlight.

 

[rhoydotp]

Launching application using Spotlight could not be easier. That's may primary use for it.
...
I just wish it didn't block out the middle 50% of my screen now.

That's 99% of how I use Spotlight as well.

And it's a big annoyance that it's in the freaking middle of the damn screen! Is there a way to put this back to how it behaves previously (Mavericks and older). Sorry for the hijack!

----------

Even with a fixed IP, random spammers can't track down my purchasing habits, unless they hack the servers of the companies I do business with to get the server logs, and at that point they may as well have stolen my email and other info from that server anyway.

Exactly!

 

[NMBob]

Yet another reason why Little Snitch is my favorite tech tattletale.

The only thing that bothers me is that it comes with a lot of stuff allowed when you first install it. It's all "important" for the OS to run smoothly. I wonder how much of that stuff could really be blocked, or how much stuff is getting through those holes? There is so much crap going on behind our backs...I'm SO glad Apple is SO concerned about our privacy. Pfft.

 

[OneMike]

I don't think you understand what the article means.

Let me explain. If you block the tracking pixel from loading, the spammer will never realize that you received the email, and may eventually stop sending them. If they do realize that you receive the email, then they can get your IP address, know that the email address is valid, cross reference your purchasing habits with your IP address, and target you specifically with Facebook ads.

That's a major gaping privacy hole in OS X that needs to be patched.

I think this does need to be corrected and is a valid concern.

However, unless I'm mistaken which is possible. This is assuming you didn't delete the email, correct? Typically spam is deleted within a few seconds of coming through.