Currently, the only way to block this information leak is to block Spotlight from including emails in search results entirely by opening System Preferences and unchecking the "Mail & Messages" option for Spotlight. Apple has yet to comment on this Spotlight privacy glitch.

That was one of the first things I did on both of my Macs after installing Yosemite...I didn't need a data breach report to convince me that this was not how I wanted Spotlight to work.
 
Hmmm....this is interesting. Last night I did a spotlight search in mail. Today I opened Mail and my emails were deleted from yesterday back until August '14.

I was assuming it was a server issue until I saw this thread. I use my ISP provided email and the emails were deleted there too. :confused:
 
It's amazing how Spotlight can expose all these details, while still obstructing everything else I do by being straight into my face. I have to memorize every number or detail I see, or write it down in TextEdit, because once I open Spotlight to enter it I can't see a damn thing.
 
Apart from Spotlight issues mentioned in the article, I believe that there's a bigger issue involving OS X at hand, which has been mentioned by others on this forum — it's just another sign of OS X releases being unnecessarily rushed. I believe that Apple shouldn't be putting out yearly OS X upgrades just for the sake of it and focus on rock solid stability instead. If it takes two years for another OS to be published, then so be it. This yearly upgrade cycle that started with Lion is nonsense in my opinion and experience.
Mountain Lion didn't add anything that called for a new OS, they could've added things like Notification Center and Notes as updates to Lion, while working on Mountain Lion for another year and release it bundled with under the hood improvements that Mavericks brought. And then wait another 2 years to polish the Yosemite and release it as another, brand new OS. The 2 year interval would allow them to make the systems solid and fix bugs and glitches. Now it looks like this: they release a new OS, there are many, many bugs (compared to Snow Leopard for example), like the one that made WiFi crap out (I had this issue with Yosemite, but read that others experienced it with previous OS X editions). They patch some things up, but before the OS is solid and mature enough, there's the 1 year mark and it's on to another version and the whole cycle repeats.
And for me at least, it's pointless. I could've lived without the negligible new features of Mountain Lion or Mavericks (like I really needed Maps on my desktop that much) and just enjoy a steady OS X experience until they have polished the next OS. It's not like they have to compete with Windows - people buy Mac for the looks, ease of use and the ecosystem. None of the features introduced with Mountain Lion or Mavericks were selling points. My girlfriend wouldn't have been able to tell the difference between Lion and Mountain Lion if I hadn't told her I had updated her Mac. And then she noticed that the remaining battery time information had been hidden and she was pissed (honestly, I still don't get why they had hidden it). So basically no one except geeks like me noticed the new OS X releases, and fewer people knew what those releases "were about".
 
Lucky, I'm still on Mavericks.. :eek:

IP addresses are public anyway... this isn't personal info, and private IPs are non-routable (can't go over internet).

This further points out never load images in mail. If users like rich text/HTML images in email, they pay the price.
 
Apart from Spotlight issues mentioned in the article, I believe that there's a bigger issue involving OS X at hand, which has been mentioned by others on this forum — it's just another sign of OS X releases being unnecessarily rushed. I believe that Apple shouldn't be putting out yearly OS X upgrades just for the sake of it and focus on rock solid stability instead. If it takes two years for another OS to be published, then so be it. This yearly upgrade cycle that started with Lion is nonsense in my opinion and experience.
Mountain Lion didn't add anything that called for a new OS, they could've added things like Notification Center and Notes as updates to Lion, while working on Mountain Lion for another year and release it bundled with under the hood improvements that Mavericks brought. And then wait another 2 years to polish the Yosemite and release it as another, brand new OS. The 2 year interval would allow them to make the systems solid and fix bugs and glitches. Now it looks like this: they release a new OS, there are many, many bugs (compared to Snow Leopard for example), like the one that made WiFi crap out (I had this issue with Yosemite, but read that others experienced it with previous OS X editions). They patch some things up, but before the OS is solid and mature enough, there's the 1 year mark and it's on to another version and the whole cycle repeats.
And for me at least, it's pointless. I could've lived without the negligible new features of Mountain Lion or Mavericks (like I really needed Maps on my desktop that much) and just enjoy a steady OS X experience until they have polished the next OS. It's not like they have to compete with Windows - people buy Mac for the looks, ease of use and the ecosystem. None of the features introduced with Mountain Lion or Mavericks were selling points. My girlfriend wouldn't have been able to tell the difference between Lion and Mountain Lion if I hadn't told her I had updated her Mac. And then she noticed that the remaining battery time information had been hidden and she was pissed (honestly, I still don't get why they had hidden it). So basically no one except geeks like me noticed the new OS X releases, and fewer people knew what those releases "were about".

This reads like the script from the latest MacBreak Weekly on TWiT.
 
That's not how it works. Spam email lists are traded for money. Lists with confirmed active addresses fetch more money because they increase the hits/mails sent ratio. If you confirm to every spammer that your address is active by downloading their tracking images, you are almost guaranteed to receive more spam in the future than you otherwise would have.

Sure, I know that too - or you have a good spam filter on your email server. All my HTML image settings are on, etc. I get maybe 1 spam mail out of 500+ mails a week. Click as junk and never again.

Point is this is utterly overblown as a MAJOR issue.
 
Am I the only one that rarely uses Spotlight? Don't get me wrong, I love Spotlight, especially the revamped one in 10.10. However, I just don't think about Spotlight when launching an application or searching for files. I mostly just hit the Launchpad shortcut on my keyboard and use the terminal for searching for/in files.

I guess I just need to force myself to use it more often and hopefully after a while I'll launch more by reflex.

I use Spotlight for a lot, including opening apps. The new one is even quicker. You may only be saving a few seconds but it sure improves your workflow.
 
Quite a serious security hole. Apple needs to get this fixed ASAP. However, knowing them they'll just ignore it and maybe push a fix in six months time.
 
He might have gotten bad press for his dedication to perfection, but in fact, this is what made OS X great, and eventually the dragon slayer of Microsoft in the foible department.
Now we've got a mountain of snafus to point to, makes you go hmmmm......
Please, programmers, stop rushing to get crap out the door.
You have opened beta testing to the masses, use the data retrieved wisely.

Some monumental defects in OS X and iOS were released in Steve's time.

How about Snow Leopard (which everyone thinks of as some high point in OS X), which when released would wipe your home folder when you logged out if you had installed over a previous version that had the guest account available. Yes, that's right, it would delete ALL of your data.

Or iPhone OS 3, where malicious text messages could be used to take complete control of the phone.

The biggest difference now, is that Apple is a bigger target. They have always been vulnerable.
 
Do you primarily receive wallpapers and greeting cards for your emails?

Nice one, but no. Commercial emails from companies where much of the content is in HTML. I tried it when I saw this issue, and most of my emails had a whole lot of stuff missing. I have good spam handling so nearly all the emails I receive, I want, so whilst they may well be tracking if I receive the emails they sent, I don't care as I asked them to send them to me.

----------

Hmmm....this is interesting. Last night I did a spotlight search in mail. Today I opened Mail and my emails were deleted from yesterday back until August '14.

I was assuming it was a server issue until I saw this thread. I use my ISP provided email and the emails were deleted there too. :confused:

That has got nothing whatsoever to do with this issue, which hasn't suddenly arisen yesterday; it's been there some time.
 
Ok. For those of you who need or still want to use Spotlight to be able to search their mail, here is a simple and uncomplicated plan: Use a decent Anti-Spam filtering program such as Spam-Sieve. Once set up, Spam-Sieve (or whatever decent program you choose) will have its own folder structure created within your Mail app Library folder. Some differences may appear but it will basically look like this: /users/YourUserNameHere/Library/Mail/V2/Mailboxes/SPAM-SIEVE.mbox

Obviously, YourUserNameHere and SPAM-SIEVE will be replaced by whatever your username is and whatever your Anti-Spam folder is called.

Next, create an alias of your Spam folder (in this example it is SPAM-SIEVE.mbox mentioned earlier) and put it in your Documents folder or wherever you choose. Next, under the Spotlight preferences, select the "Privacy" tab and click on the "+" icon to add this alias folder to the list of folders that you want Spotlight NOT to search.

This way, you still have the option of having Spotlight search your emails (which can be quite useful and helpful) but NOT emails that are deemed to be SPAM. You could theoretically also use this technique with your Mail App's "Junk" folder as well but I find that the Mail App's Junk folder never works like it should and is pretty much worthless (hence the need for something like Spam Sieve).
 
I do know it had a bad spell around a year ago for GMail users: Google doesn't follow normal email standards (which isn't a criticism: GMail is meant to be different) and Apple's attempt to improve how that was handled did not go smoothly. But it was addressed, and GMail seems fine now through Apple Mail: most of the mail I get is through Google in fact.

I ended up quitting Gmail because they didn't conform to standards and because I was suspicious that they were leaking my contacts, but my school email is Gmail anyway. It's working fine for me, but my friend had issues setting up Gmail with Mail on his Mac due to this. Google kept saying it was a hacking attempt when he tried to log in. I checked their help, and it said I need to enable access for "insecure" devices, so I did. Yes, the help said that all mail clients count as something "insecure" and that I should use the Gmail web mail and the Gmail iOS app instead. What clowns!

----------

Noted. This "tracking pixel" technique is something I should have used when I was trying to figure out who was behind that anonymous Facebook page at my school. I tricked him into visiting my website and took his IP address, but he was using the Tor browser, so it was useless. An email with a tracking pixel would have worked.
 
Uhm... say what?! In which century did you say you live again?

**** hell yeah, you can bet your ass that spammers have a "Mail Send Filtering", as you call it!

Ever heard of "Web Bugs"? Here, I'll get you started: http://en.wikipedia.org/wiki/Web_bug



You don't need to click on anything! That's the whole ****ing point! Quick, get yourself educated, e.g. with the URL given above!

And then check your iDevice/OS X Mail settings and uncheck that option "Load images from servers"! (Since Apple leaves that option checked by default - bummer!). Pronto!

Don't let them spammers know that their emails are actually read!

(And the fact that I still get spam every now and then slipping through all the filters shows me that there are still boneheads actually ordering and clicking on stuff!)

That was ten exclamation points we could have done without.

----------

What's a spammer going to do with your IP address and OS details? Every web site you visit gets this information. How is this even a concern or story? If you are so paranoid that you don't even want people to know your general location or what OS you are running, you shouldn't be connected to the outside world at all.

Or use a VPN with TOR as much as possible.
 
All this talk about such a small issue...

I created a bug report at radar.apple.com.
Now let's move on.
 
Sorry, but it's getting brutal how buggy Apple operating systems are getting. Yosemite still having wifi issues?

I miss the day when both iOS and OS X were rock solid.

Amen to that. Yosemite has been nothing but problems for me. I'm now on a clean reinstall here, which has made wi-fi usable, but I still turn wi-fi off and on every so often to get some life out of it. Mail works when it feels like it. Sigh. I only just sent Apple a message via their feedback page the other day to tell them how frustrating this is getting. I agree, it's iOS as well. Nothing from Apple feels very reliable at the moment.

This is a minor bug. What percentage of users actually disable displaying remote images in HTML emails? Probably not many (<1%).

Another Apple apologist with made-up stats. I don't know what percentage of users have remote images turned off for the reasons stated in the article, but I can say that I'm one of them. And all this time I may as well not have bothered, because Apple is passing that info to spammers via Spotlight and Mail anyway. I'm actually pretty pissed off about this, and I think I have every right to be.
 
What's a spammer going to do with your IP address and OS details? Every web site you visit gets this information. How is this even a concern or story? If you are so paranoid that you don't even want people to know your general location or what OS you are running, you shouldn't be connected to the outside world at all.

Yes, almost every website you visit will log your IP address and will know your user agent, which contains your OS version and stuff. But the spammers also learn which IP address was used to access which email account, information that most websites wouldn't obtain.

It IS a security hole. I still personally wouldn't worry about it because it's not a big deal anyway. What I am worried about is that Apple made yet another dumb mistake in a new version of OS X. And people here ask why I don't jump on updates...
 
I always assumed that Spotlight would honour the same settings as in Mail. When you go to the General tab of Mail settings, at the bottom you can exclude certain mailboxes as well: spam and trash. I've always excluded those, so within Mail I can't search these mailboxes. Spotlight, however, seems to ignore these preferences and just searches all of them. Spotlight shouldn't even show me any spam or trashed e-mails to begin with, let alone ignore Mail's own security mechanisms to prevent issues like the present one.

Both are the kinds of things that Apple used to do well. I'm starting to think that they've scrapped lots of the previous Spotlight code to implement the changes, forgetting to plug all the holes in the process and rushing to release it. Not to mention that Spotlight still crashes so often even on 10.10.2 beta, it's been the most unstable as it has ever been.
 

The quality of Apple's software (both OS X and iOS) is spiralling out of control to the point Windows has far fewer bugs and errors. It's a complete mess; Apple needs to pause, take a breath and get a grip.
 
So you may receive a spam message, they get your IP address, determine your location, and then you start seeing web ads as a result. It's all about the data.
And this becomes a problem for spam filters - because they're less likely to filter such messages out. Spam filters rely on certain traits in a message that become less commonplace the more targeted the spam gets.

Additionally, many spam filters rely heavily on spam clients to be 'hasty'. Which they pretty much need to be. But if your email address is confirmed, they don't need to be 'hasty' anymore, and several defensive measures are defeated.
 