Testing e mail

compleo

Valued Member
Just tried it & I received this pop up before I opened the e mail...
[Attached image: TEST.JPG]

Test results show grey turned to red but I click on them to see results. They all show info that doesn't make any sense to me, such as
In the <body> of the HTML part, place a tag as follows:

<iframe src="data:text/html;charset=utf-8,&lt;html&gt;&lt;head&gt;&lt;meta http-equiv=&quot;Refresh&quot; content=&quot;1; URL=http://TRACKING_URL/&quot;&gt;&lt;/head&gt;&lt;body&gt;&lt;/body&gt;&lt;/html&gt;">
</iframe>

How does this info help me to determine if there is an issue & if there is, how do I fix it?
 

SCRYPTmail

Email Service Provider
It's mostly technical data useful for developers. In your case, the pop up means that your email client tried to execute JavaScript that was supplied instead of an image. (This is very bad.)
 

compleo

Valued Member
It's mostly technical data useful for developers. In your case, the pop up means that your email client tried to execute JavaScript that was supplied instead of an image. (This is very bad.)

Is the pop up issue anything I can fix or is it up to the e mail service provider?
 

compleo

Valued Member
I tested scrypt with the tester, I didn't get that pop up warning regarding the JavaScript warning. Also there are fewer red ovals to click on, does less mean better?
 

grepular

Email Privacy Tester
Hi. I'm the author of emailprivacytester.com (can provide proof if needed). A guy who I think runs this forum sent me an email to ask if I'd like to comment here. Firstly, I recognise that the user interface is a bit clunky and difficult to understand for the lay person, but it's really intended for people who either run mail systems, build mail clients or have a deepish understanding of the way emails are constructed. The about page describes how it works (About | Email Privacy Tester). Essentially, every time one of the ovals turns red, it means that your email client has connected back to my website, which is potentially bad. It means that something in the email allowed me to determine that the email had been opened, when it had been opened, and the IP address of the person opening it. More red means there are more ways of getting this info.

The thing it tests is the email client. So if you enter a gmail.com address, it's not testing the "Gmail service", it's testing the thing that you use to open the email. So it's either testing the gmail web interface, or whatever Android/iOS email client you're using, or Thunderbird or Outlook or whatever.
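
An added example, not part of the original posts and not emailprivacytester.com's own code: a small Python scanner that lists the markup in an HTML email body which would make a mail client connect out or run script when the message is rendered, so a mail operator can see what a sanitiser has to strip. The names `CallbackFinder` and `scan` are hypothetical, and the sample message is constructed around the iframe snippet quoted earlier in the thread.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote
REMOTE = re.compile(r"^(https?:)?//", re.I)
REFRESH_URL = re.compile(r"url\s*=\s*['\"]?([^'\"\s>]+)", re.I)

class CallbackFinder(HTMLParser):  # hypothetical name, not from the tester
    """Collects (kind, detail) for markup that can make a mail client connect out."""
    def __init__(self, depth=0):
        super().__init__()
        self.depth, self.findings = depth, []
    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "script":
            self.findings.append(("script", a.get("src") or "inline"))
        for name in a:
            if name.startswith("on"):  # onload, onerror, ... run JavaScript
                self.findings.append(("event-handler", f"{tag}[{name}]"))
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = REFRESH_URL.search(a.get("content", ""))
            if m:
                self.findings.append(("meta-refresh", m.group(1)))
        for attr in ("src", "background", "poster"):
            url = a.get(attr, "").strip()
            if REMOTE.match(url):  # fetched automatically when rendered
                self.findings.append(("remote-load", f"{tag}[{attr}]={url}"))
            elif url.lower().startswith("data:text/html") and self.depth < 3:
                # A data: URI carries a whole nested document; scan it too.
                self.findings.append(("data-uri-document", tag))
                payload = unquote(url.partition(",")[2])
                self.findings += scan(payload, self.depth + 1)

def scan(html, depth=0):
    finder = CallbackFinder(depth)
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample: the iframe quoted in the thread plus a remote image and script.
SAMPLE = (
    '<html><body><p>Hello</p>'
    '<iframe src="data:text/html;charset=utf-8,&lt;html&gt;&lt;head&gt;'
    '&lt;meta http-equiv=&quot;Refresh&quot; content=&quot;1; URL=http://TRACKING_URL/'
    '&quot;&gt;&lt;/head&gt;&lt;body&gt;&lt;/body&gt;&lt;/html&gt;"></iframe>'
    '<img src="http://TRACKING_URL/pixel.gif"><script>/* placeholder */</script>'
    '</body></html>')

if __name__ == "__main__":
    for kind, detail in scan(SAMPLE):
        print(f"{kind:18} {detail}")
```

An empty result from `scan` means none of these particular constructs were found; it is not a substitute for an allow-list sanitiser in a webmail front end.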
 

grepular

Email Privacy Tester
Also, what email client were you using when you saw that popup? It's extremely bad. My tester sends a simple bit of JavaScript which just pops up a message. If I was malicious, I could send a different piece of JavaScript which allowed me to completely take over your email account instead.
 

compleo

Valued Member
Welcome to EQ grepular.

The thing it tests is the email client. So if you enter a gmail.com address, it's not testing the "Gmail service", it's testing the thing that you use to open the email. So it's either testing the gmail web interface, or whatever Android/iOS email client you're using, or Thunderbird or Outlook or whatever.

The thing it tests is the email client

Isn't Gmail the e mail client?

So if you enter a gmail.com address, it's not testing the "Gmail service", it's testing the thing that you use to open the email

What do you mean the thing I open the e mail, I thought the browser opened it?

So it's either testing the gmail web interface, or whatever Android/iOS email client you're using, or Thunderbird or Outlook or whatever.

What's the difference between Gmail service & Gmail web interface?

Also, what email client were you using when you saw that popup? It's extremely bad. My tester sends a simple bit of JavaScript which just pops up a message. If I was malicious, I could send a different piece of JavaScript which allowed me to completely take over your email account instead.

The test was for safe mail > in post #3 > click on the spoiler button to view the whole message.
 

grepular

Email Privacy Tester
"GMail" is an email service. It comes with a web interface which you can optionally use to access your email. You could also install Microsoft Outlook or one of dozens of other email clients, and connect them to your GMail account. At that point, you're no longer using the GMail web interface to view your GMail email, you're now using Outlook to view your GMail email, even though that email is still hosted by GMail.

Re "Safe Mail". How did you make that popup happen? I just signed up for a test account and tested it with emailprivacytester.com and Firefox, and saw no such popup when viewing an email. What did you click on immediately before you saw the popup? Also, what web browser and version are you using?

[EDIT] Discovered it. It's when you click "Show HTML". Yes, this is about as bad as security bugs in webmail clients get. I'll send them an email to let them know it needs fixing.

[EDIT] I've changed my mind about reporting it. They don't even make the most basic attempt to block javascript. These bugs usually occur because of some weird edge case that providers didn't catch, but in this case, it is not a weird edge case. They simply haven't attempted to block it. This is the least secure email service I have ever seen.
 

compleo

Valued Member
"GMail" is an email service. It comes with a web interface which you can optionally use to access your email. You could also install Microsoft Outlook or one of dozens of other email clients, and connect them to your GMail account. At that point, you're no longer using the GMail web interface to view your GMail email, you're now using Outlook to view your GMail email, even though that email is still hosted by GMail.

Re "Safe Mail". How did you make that popup happen? I just signed up for a test account and tested it with emailprivacytester.com and Firefox, and saw no such popup when viewing an email. What did you click on immediately before you saw the popup? Also, what web browser and version are you using?

[EDIT] Discovered it. It's when you click "Show HTML". Yes, this is about as bad as security bugs in webmail clients get. I'll send them an email to let them know it needs fixing.

I didn't click anything, the second I opened safe mail the pop up showed up.

I use the best, most secure web browser there is. It spoofs web sites, the user has the option to select FF, Chrome etc.... > White Hat Aviator
 

grepular

Email Privacy Tester
White Hat Aviator sounds interesting. I might have to give it a look. I would really recommend against using safe-mail.net. I had a look at scryptmail earlier and it looks pretty good. I did find one security flaw (XSS) in scryptmail, but they fixed it very quickly after I reported it. I didn't give it a full security audit though, just a quick once over.
 

compleo

Valued Member
White Hat Aviator sounds interesting. I might have to give it a look. I would really recommend against using safe-mail.net. I had a look at scryptmail earlier and it looks pretty good. I did find one security flaw (XSS) in scryptmail, but they fixed it very quickly after I reported it. I didn't give it a full security audit though, just a quick once over.

RE: e mail client(s), I don't have anything installed. I have scrypt, proton, tutanota & safe mail & I don't install anything to them. I just leave them as they are, not big on bells & whistles. "Essentially every time one of the ovals turns red, it means that your email client has connected back to my website". Some of the ovals were red but I don't have an e mail client?

White Hat Aviator is an excellent browser. A heads up, when installed it automatically makes it the default browser.

On top right is what looks like the Lone Ranger mask & 3 horizontal lines. The 3 lines is for the many options, including settings. 1 of the great options is the selection of which search engine, I use DDG (disconnect). In addition to many great features & security, it doesn't track IP or search history. I avoid any word that starts with G

Click mask > drop down menu > options to select FF, Chrome, IE etc. This spoofs the web site into thinking that you are using that browser.
 

grepular

Email Privacy Tester
"Some of the ovals were red but I don't have an e mail client?" - By "email client", when you're using webmail, I mean "web browser".
 