Tracker pixels are surprisingly commonly used by legitimate senders… your bank, your insurance company, any company you patronize. These assholes hide a 1-pixel image in HTML that tracks when you open your email and your IP (thus whereabouts).
I use a text-based mail client in part for this reason. But I got sloppy and opened an HTML attachment in a GUI browser without first inspecting the HTML. I inspected the code afterwards. Fuck me, I thought… a tracker pixel. Then I visited just the hostname in my browser. Got a 403 Forbidden. I was happy to see that.
Can I assume these idiots shot themselves in the foot with a firewall Tor blanket block? Or would the anti-tor firewall be smart enough to make an exception for tracker pixel URLs?
As long as your graphical email client has the loading of remote images turned off, the tracking pixel won’t be visited.
Most/Many email software has this be default or can be enabled: Thunderbird, iOS Mail, FastMail app and website, etc.
Text-based email is cool though. My college had us using Pine back in the day.
I suppose you could even say text-based clients are at a disadvantage because when we opt to render the HTML graphically, a full-blown browser is launched which is likely less hardened than something like whatever profile and engine Thunderbird embeds.
In my case I created a firejailed browser with
--net=none
so I could hit a certain key binding to launch the neutered browser to render an HTML attachment in a forced-offline context— but I was too fucking lazy to dig up what keys I bound to that which is why I (almost?) got burnt.Good idea to open HTML attachments in an isolated browser. I normally open them in lynx but sometimes it doesn’t work as intended.
For any (neo)mutt users out there, you can configure this quite nicely by defining your MIME handlers in
~/.mailcap
:text/html; firejail --net=none [...]
Then bind your Enter key to open attachments via mailcap:
bind attach <return> view-mailcap
In neomutt I ended up customizing the print function. So if I “print” an attachment, it launches a script that runs
wkhtmltopdf
insidefirejail --net=none
followed by rendering in Firefox (also insidefirejail --net=none
), so I get an instant isolated firefox view as well as a PDF.I’m happy with that replacement because I would never want to send something straight to a printer anyway. I would want to preview before printing. And the print function is documented right on the screen when looking at attachments, so no key binding to try to remember.