Northward Midget Pole to Pole


Thunderturd! or: How I Learned To Stop Griping and Allow Remote Content

I'm working from home, and our company's outsourced webmail leaves much to be desired.  My desktop is Windows 7, since it offers the compatibility necessary in the corporate world, while most of my work is done through an xterm launched from my Linux box over CAT6.

Rather than keeping up multiple webmail windows or collecting them all through one service (which usually leaves me with duplicate synchronizations across devices), I decided to choose an email client.  First, it was Windows Live Mail, and I liked it-- for the most part.  Then, we were asked to standardize on a signature with images, and Live Mail didn't seem to allow that.  It also didn't have much flexibility in quoting replied messages.

I tried Outlook 2007 for a while, but it began hanging on IMAP more frequently than my blood pressure would comfortably allow.  I'd given Mozilla's Thunderbird a whirl, but something about it really pissed me off at the time.  I tried it again.

Decent.  Open Source, so there are updates, and I could hack the goddamned code if I wanted to fix something real hard.  The most annoying quirk was the "Allow remote content?" pop-in panel.  It seemed to have an all-or-one idea of what should be allowed, where one could show all remote content, or approve single email addresses.  This was a nuisance with, for example, notifications from Google+, which are "From" a generated email address.  Thus, adding that address to your contents did nothing but bloat your contact list.

A bit more digging found that Thunderbird had the same "about:config" back-door to its internal configuration properties as its brother-father-cousin Firefox and Mozilla and Netscape, and within there was a mail.trusteddomains setting.  One opens this menu through the "Tools" option in the menu-bar, under "Options...", and then:


According to the arcane documentation available, opening this dialog and setting this property to a comma-delimited list of domain names would instruct Thunderbird to automatically load content (n.b.) from those domains.  Each entry should be a single base domain name-- not a subdomain.  That is, "" rather than "".

Adding "" didn't work.  I searched some more, then this morning came across a question on a Thunderbird support site -- posted almost a year ago and without a resolution.  So, I went to semi-angrily post my response, then realized-- "Hey, me.  It surely isn't just white-listing domains based on an email address.  If it were, anyone using a gmail account could just plop in an externally-hosted image in an HTML message and have it trusted."  So, I viewed the source of this particular Google+ notification.

Two images: one from and another from

Short answer?

Set mail.trusteddomains to,, ...


And now, they will load.  This won't help much if images are loaded from a CDN, and it's a bit of a nuisance to "View Source" on a message, search and record each "img" tag's domain, then add them all to the property, but-- it works.

One final commentary which would be a sidebar if I knew how to do it in WordPress: Why not just allow all remote content?  At first, even though I'm a hacker and a cracker and I think I always will, I almost just said "fuck it, it's just cookies!"  A second later, I realized that any image being loaded involves a hit to where that image is hosted, and while that URL might indicate it's just plucking a .jpg, it could be doing anything.  It probably isn't running a script on your mail client (I doubt Thunderbird would allow that), but it could certainly be recording that the message was read, and where it was read from, and all manner of other invasive maneuvers.  At its most innocuous, it could serve as a reasonably accurate "Read Receipt" for mail sent to anyone who trusts you-- although they probably won't trust you as much if/when they realize you're doing that.



Posted by Quinn

Comments (0) Trackbacks (0)

No comments yet.

Leave a comment

No trackbacks yet.