Yesterday, the German technology publication Heise reported an interesting vulnerability in how OS X handles remotely-hosted images in e-mail during a Spotlight search. Let’s briefly discuss what the concern is, how your e-mail client should be set up, and how to counter Spotlight’s unfortunate default behavior.
The Dangers of Remotely-Hosted Images
By default, many e-mail clients are set to display both embedded images and remotely-hosted images. You should absolutely not have remotely-hosted images displayed by default. When an e-mail references a remotely-hosted image, your client fetches it from the sender’s server, and that request tells the server that the message was opened and leaks information about the recipient, whether you meant to share it or not. Spammers and phishers commonly use this to confirm that an e-mail address is valid and to collect basic system information, all without the user’s explicit consent. If you haven’t already, go into your e-mail client right now and disable that. Right now. I’ll wait.
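To make the concern above concrete, here is an added example (not code from the original post) that parses a raw e-mail message and lists which `<img>` sources would leave your machine if remote images were rendered, separating them from images embedded in the message itself (`cid:` or `data:` references). The sample message, its `tracker.example` host and the `rcpt=` identifier in the pixel URL are constructed for illustration; the point is that a practitioner can see the tracking pixel before any client or preview loads it.

```python
"""Added example (not from the original post): report the remote resources an
HTML e-mail would fetch if remote images were rendered, so the tracking risk is
visible before any mail client or Spotlight preview loads them."""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlsplit


class RemoteImageFinder(HTMLParser):
    """Collect <img> sources, separating remote URLs from embedded content."""

    def __init__(self):
        super().__init__()
        self.remote = []    # http(s) URLs: fetching these contacts the sender's server
        self.embedded = []  # cid:/data: references: served from the message itself

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        src = dict(attrs).get("src")
        if not src:
            return
        scheme = urlsplit(src).scheme.lower()
        if scheme in ("cid", "data"):
            self.embedded.append(src)
        else:
            # http(s), protocol-relative ("//host/pixel.gif") and any other
            # scheme all cause a network fetch, so treat them as remote.
            self.remote.append(src)


def remote_images(raw_message: bytes) -> dict:
    """Parse an RFC 822 message and report what its HTML part would fetch."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    html_part = msg.get_body(preferencelist=("html",))
    if html_part is None:
        return {"remote": [], "embedded": [], "hosts": []}
    finder = RemoteImageFinder()
    finder.feed(html_part.get_content())
    hosts = sorted({urlsplit(u).hostname for u in finder.remote if urlsplit(u).hostname})
    return {"remote": finder.remote, "embedded": finder.embedded, "hosts": hosts}


# Constructed sample message (not a real e-mail): one embedded logo and one
# remotely hosted 1x1 "pixel" whose query string ties the fetch to a recipient.
SAMPLE = b"""From: sender@example.com
To: you@example.net
Subject: Monthly update
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Hello!</p>
<img src="cid:logo123@example.com" alt="logo">
<img src="https://tracker.example/open.gif?rcpt=a1b2c3" width="1" height="1">
</body></html>
"""

if __name__ == "__main__":
    report = remote_images(SAMPLE)
    print("Embedded images (safe to render):", report["embedded"])
    print("Remote images (each one phones home):", report["remote"])
    print("Servers that would learn you opened this:", report["hosts"])
```

Run it against any `.eml` file by passing the file's bytes to `remote_images()`; a message with entries under `remote` is exactly the kind that a "don't load remote content" setting exists to protect you from.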
Spotlight Hears Ya, Spotlight Don’t Care!
OS X’s Mail application respects your appropriate distrust of remotely-hosted images in your e-mails, but much like Willie, Spotlight doesn’t care! When any e-mail comes up in a Spotlight search, the preview automatically displays all of its images, including remotely-hosted ones. With embedded images, it looks pretty cool, but with remotely-hosted images, it’s annoying and quietly undoes the setting you just made in Mail, especially when you weren’t even looking for anything in your e-mail. The easiest way to stop this troublesome default behavior is to go into System Preferences, open Spotlight, and uncheck Mail and Messages so that Spotlight no longer searches those applications. If you need to search your mail or messages, you can still do so with each application’s own built-in search, and Mail will still respect your privacy-minded setting.