Yosemite Spotlight, spam email, tracking pixels, and what you need to know
By default, OS X Yosemite's Mail app won't "load remote content" such as the types of images typically requested by marketing emails and spam. You can change that in preferences if you really want to see remote images in your emails — such as the products being advertised by Apple, Best Buy, or other retailers in their mailings — but if you accidentally or deliberately click on spam, those images will load too. Even with "load remote content" left off, however, if any such marketing or spam email shows up as a Spotlight search result, Heise reports that such remote content will load. So, what's going on and what can you do about it? ITWorld translates:
When you visit a website, that website gets information about you. That includes your Internet Protocol (IP) address, the type and version of computer operating system and browser you're using, and other technical details. Your IP address can be used to determine your Internet Service Provider (ISP) and the general area where you're located. If you've ever used something like Google Analytics — which most sites, including iMore, use benignly to figure out how many readers come here, from where, and what they're reading the most — then that's the type of information that can be collected.
As described above, an email can be turned into a pseudo webpage by requesting that server-side images — including tracking pixels — be loaded into it. Instead of attaching an image, which embeds the image in the email, the sender references it on a website: http://example.com/image.gif. If "load remote content" is enabled, that image will be pulled as soon as you open the email, and the website will get your IP address and other information just as if you visited the site directly.
The issue here is that even if you have "load remote content" turned off in Mail, Spotlight will still load remote images. If a search you type into Spotlight returns a marketing or spam email message as the Top Hit, Spotlight will automatically load those images. If it returns the message as a Mail & Messages hit and you then click on it, it will load those images as well.
I typically leave "load remote content" on, so I'm not overly concerned about this. I find it annoying to have to click on the "Load Remote Content" button every time I want to see an Apple or B&H or other product email I've subscribed to. A combination of Gmail, iCloud, and Mail.app anti-spam means I almost never see spam anyway, and I don't click on them when I do. I also delete my spam messages frequently. So, I've also never, in all the years Spotlight search has been available, had a spam mail message return as the first, automatically previewed, result.
My guess is most people are similar, and won't run into this problem either. That said, it is a problem, and some people are really and rightly concerned about online tracking, especially those being stalked. It would absolutely behoove everyone if Spotlight, when providing Mail results, honored the "load remote content" setting in Mail.
Hopefully Apple will implement that as soon as possible. In the meantime, if tracking pixels are a concern, you can disable Mail as a result type in Spotlight. It's less convenient, but that's typically the price we pay for security.
Although Apple has almost certainly been notified about this issue, I've also filed a bug report with Radar, should anyone with access want to dupe it.
Bug report: rdar://19439666
Rene Ritchie is one of the most respected Apple analysts in the business, reaching a combined audience of over 40 million readers a month. His YouTube channel, Vector, has over 90 thousand subscribers and 14 million views and his podcasts, including Debug, have been downloaded over 20 million times. He also regularly co-hosts MacBreak Weekly for the TWiT network and co-hosted CES Live! and Talk Mobile. Based in Montreal, Rene is a former director of product marketing, web developer, and graphic designer. He's authored several books and appeared on numerous television and radio segments to discuss Apple and the technology industry. When not working, he likes to cook, grapple, and spend time with his friends and family.
You can already whitelist e-mail senders in Mail, so why not add a setting that allows you to view remote content in Spotlight search only on e-mail senders that are whitelisted?
It's not just about ads. It is also a security risk to allow remote content from spam e-mails.