By default, #Thunderbird automatically blocks images in your emails from being displayed -- because many of those images may contain tracking code.

(Sometimes these images are tiny "tracking pixels" you may not even see).

Take your protection one step further by installing #uBlock Origin to block all kinds of unwanted content in your RSS feeds -- it's now an official Thunderbird Add-on: https://addons.thunderbird.net/en-US/thunderbird/addon/ublock-origin/

#Privacy #Email

(EDITED FOR CLARITY)

uBlock Origin

Finally, an efficient blocker. Easy on CPU and memory. uBlock Origin (uBO) is a CPU and memory-efficient wide-spectrum content blocker that blocks ads, trackers, coin miners, popups, annoying anti-blockers, etc. in your feeds.

@thunderbird What extra features does it actually add?

@frlan 2 great advantages: it works with RSS feeds (especially useful if you're viewing full web pages in Thunderbird -- it also blocks ads).

And if you want to load up your email images by default but still be protected, uBlock is a good solution.

@thunderbird How cool is that - I have been waiting for a way to block trackers, whilst still loading at least some of the images!
@MagicLike It's also really useful if you use RSS feeds in Thunderbird.
@MagicLike @thunderbird hold on.. how is that possible? How does #Thunderbird distinguish a tracking image from a normal one? AFAIK, you can’t even get the file size using HTTP w/out signaling the server that that file is of interest to you, the signal of which sufficiently reveals you’ve opened the email.
@thunderbird Excellent! Installed 🙂
@thunderbird why would any image viewing software treat bytes in an image stream as code and then execute it? Really, I'm asking how do "tracking pixels" work?
Spy pixel - Wikipedia

@kaiengert Thanks. So it's considered a "good thing" in some circumstances and the clients which render the data streams as images look for these little packets of data and execute them? Bonkers. Personally speaking I'd like image rendering software which did just that, then we wouldn't ever need to block these little bits of crap.
@JohnDal the point is that images referenced in an email can be stored on a server that the sender of email controls, which allows the sender of the email to see (in log files) whenever an image was loaded. If the sender of the email uses a different image address for each email recipient, and the sender kept a list of email addresses and related image addresses, then the sender can learn which email recipient has loaded an image, and thereby learn that the email was read.
@kaiengert Thanks Kai. After a working life writing software, this all FEELS very flaky. I'll have a read up on it I think.
@JohnDal @thunderbird they are not: usually tracking pixels are embedded as white/transparent images by 1x1 size embedded in HTML mail body using an <img> tag, and therefore they are loaded via a remote URL. Now, this URL is usually associated with a tracking code of some sort; let's say the message contains something like this: <img src="https://my.tracking.com/whitepixels/tracking.png?messageCode=UNIQUEID"> : every time an email client loads the message, it can request the image from the remote source, therefore exposing information about the user and effectively tracking the message.
@JohnDal @thunderbird I think TB botched the explanation. The images do not likely contain code. There was a jpg vuln at one point where malicious code in a jpg got executed, but my understanding of tracking pixels is that an image 1 pixel big is on a server with a filename that is /unique to your email msg/. So simply fetching the file is enough to tell the server you opened the msg.
@thunderbird @JohnDal So if my understanding is correct, I don’t think a tracking image can be distinguished from a legit image b/c there’s no way to know if the filename is unique to the msg you received & no way to know if the server is tracking fetches. IMO, mutt offers the best protection. It shows only text.
@JohnDal @thunderbird In principle, you should be able to safely show images that are included in the msg payload while refusing to fetch any msgs from the cloud. Not sure if any MUAs work that way though. It sounds like TB is relying on uBlock to decide what to fetch. But in that case it could only be making guesses based on reputation. But plz correct me if I’m wrong.
@thunderbird @JohnDal #Mutt can be configured to call a /sandboxed/ gui browser. The sandbox can be #firejail with the --net=none option. So mutt could feed the attached images to the browser but force the browser to run offline. This would give you a way to see all the definitively harmless images while nixing all fetched images to ensure no tracking image exploits you.
@JohnDal @thunderbird in HTML emails, loading the image as an image means making a request to the server where the image is hosted, and the request can be used to infer information about the user's action on the email (that it was opened at a certain time from a certain IP at minimum, and they often include query parameters to more granularly associate the action to things like user profiles and ad campaigns).
Spy pixel - Wikipedia

@JohnDal @thunderbird tldr it's usually just <img src="example.com/tracking.gif?mail_id=bunch_of_data_goes_here">
@JohnDal @thunderbird web server gets the data and reports it back to the mailer to show you read the email, usually done to see how many people read promotional emails
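
Added example (not part of the thread, and not Thunderbird's or uBlock Origin's code): the split described in the replies above, where images carried inside the message (`cid:` attachments, `data:` URIs) can be shown offline while any other `src` needs a fetch that tells the server the mail was opened. The sample HTML, host names and function names are constructed for illustration; the "hints" are only heuristics, since a remote image with no hints can still be logged by its server.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qsl

# Constructed sample body: two images carried in the message, two remote ones.
SAMPLE_HTML = """
<p>Hello!</p>
<img src="cid:logo@example.invalid" width="120" height="40">
<img src="data:image/gif;base64,R0lGODlhAQABAAAAACw=" alt="">
<img src="https://img.example.invalid/banner.png" width="600" height="200">
<img src="https://track.example.invalid/p.gif?mail_id=abc123" width="1" height="1">
"""

class ImageAudit(HTMLParser):
    """Collect every <img> and record whether rendering it needs a network fetch."""
    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        src = a.get("src", "").strip()
        if tag != "img" or not src:
            return
        parts = urlsplit(src)
        # cid: and data: travel inside the message; everything else is treated
        # as a fetch (including relative and scheme-less URLs, to stay conservative).
        remote = parts.scheme.lower() not in ("cid", "data")
        hints = []
        if remote:
            if parse_qsl(parts.query):
                hints.append("query-parameters")
            if a.get("width") in ("0", "1") and a.get("height") in ("0", "1"):
                hints.append("1x1-or-smaller")
        self.images.append({"src": src, "remote": remote, "hints": hints})

def audit_images(html):
    parser = ImageAudit()
    parser.feed(html)
    parser.close()
    return parser.images

def safe_to_render_offline(html):
    """Image sources that can be displayed without contacting any server."""
    return [i["src"] for i in audit_images(html) if not i["remote"]]

if __name__ == "__main__":
    for img in audit_images(SAMPLE_HTML):
        print("REMOTE" if img["remote"] else "LOCAL ", img["src"][:50], img["hints"])
```
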
@thunderbird Used it for ages. Great to see it included in the repository. Wish TB could block pixel tracking if you elected to download images in an email.

@thunderbird I use it in Firefox. It is exceptionally good at finding them.

I have in the past used ads on sites. The only way a site gets credit for showing one is for that pixel to display. We don't like subscription model sites but we block ads so sooner or later that model we don't like is going to become ubiquitous across the web if sites can't get sufficient ad revenue to stay afloat.

Begging doesn't seem sustainable without the cachet of public broadcasting.

I will still use it. Sigh.

@thunderbird this is actually super cool! privacy being added back into email is a great thing
@thunderbird This is a great feature to automatically block images. Similar services will attempt to remove identifiers from images, does Thunderbird do the same? Also, what about removing a tracker from the link you posted? Right now, that page communicates with google-analytics.
@thunderbird
That's one very useful thing to learn/know.
Thanks very much. Now fixed it on my Thunderbird 👍 😀.
@thunderbird That's fine. It was installable anyway. But there are lotsa updates. So more convenient.

@thunderbird uBlock Origin doesn't work on emails, only feeds. So it doesn't block trackers.

www.reddit.com/r/uBlockOrigin/…

uBO not filtering in Thunderbird

It's not meant to work on emails, just webpages pulled from feeds. uBO does not have access to your emails.

reddit
@bwpanda Apologies for the misunderstanding. We'll clear it up.

@thunderbird @jamesp I did not know this. Will add next time I’m at my desk.

#thunderbird seemed stuck in the 80s for so long and has now leaped into the early 2030s. OK, maybe not that far, but so much nicer than it was, and I’ve been using Thunderbird since the dawn of time.

@thunderbird Just use plaintext email, it solves virtually every problem you can imagine with the modern email industry. And it's already supported by every client, too!