DNS Pre-fetch Exposure on Thunderbird and Webmail

Published @Sat, 23rd Jan 2010
When you view an email in Mozilla Thunderbird, it looks at each of the URLs in the body, and does a DNS lookup on each of the domains. It does this so the page loads faster if you click on the link. It doesn't just happen on HTML emails, it also happens for plain text emails. Viewing the body in "Plain Text" mode rather than the "Original HTML" or "Simple HTML" modes doesn't prevent it either. This also happens when using webmail clients like GMail and Hotmail and I will discuss that further down the article.

Email clients tend to have a configuration option to prevent remote images from being loaded, and on sane clients this is set by default. If a remote image is fetched to be displayed inside an email, the sender can determine that the email has been read, when it was read, and the IP address it was read from. Even if remote images are disabled in Thunderbird, the DNS prefetching still takes place.

A spammer with the domain "example.com," could send out a mail-shot to all of their addresses, with each email containing a URL with a unique domain. Eg:

http://emailaddressX.mailshotY.example.com/

They could configure the DNS server on example.com to log all DNS queries. This is simple to do using the Bind DNS server:
logging {
    channel query_logging {
        file "/var/log/bind/query" versions 3 size 100M;
        print-time yes;
    };
    category queries {
        query_logging;
    };
};
They would then write a simple script for tailing the log file at /var/log/bind/query looking for DNS lookups containing "mailshotY.example.com".

I tested this on the very latest version of Thunderbird (3.0.1), on both OSX (Snow Leopard) and Windows XP; both were affected. I also tested on Apple Mail and Outlook 2007, neither of which were affected. I didn't bother testing Mutt or Pine.

This issue seems to have been discussed back in May, but they don't seem to have done anything about it.

Worryingly, this issue also affects viewing email in webmail clients. I tested it using hotmail and gmail and both did DNS prefetching on the URLs in the email body. Using HTTPS rather than HTTP disables DNS prefetching. Luckily for GMail users, they recently made all requests HTTPS by default. This would be easily fixed in webmail clients by using X-DNS-Prefetch-Control. In the HTML just before the email is displayed, you would put the following tag to disable prefetching:

<meta http-equiv="x-dns-prefetch-control" content="off">

In the HTML immediately after the email you would turn DNS prefetching back on with:

<meta http-equiv="x-dns-prefetch-control" content="on">

Update:

Patches for the Webmail clients IMP (ref) and RoundCube (ref) have been produced. If you're serving Webmail with Apache, you can patch this problem in the web server it's self by adding some mod_headers config like this:

Header set X-DNS-Prefetch-Control "off"

If you're using Thunderbird, you can fix the problem locally by going into the advanced config editor and adding a preference named "network.dns.disablePrefetch" with a boolean value of "true"


If you want to read more stuff like this, follow my blog rss twitter or check out the rest of my articles: All, Email related, Privacy related, Spam related. If you found this article helpful, interesting or entertaining, and wish to donate:If you need a freelancer or some consulting, you'll find me at Cardwell IT Ltd.

CommentsAdding comments disabled for this post