Little Snitch catching Mail connecting to spam servers after 13.x -> 14.5

[jlehet]

So, just finally moved from Ventura to Sonoma 14.5. Didn't change any settings in Mail or Little Snitch. Now Little Snitch is catching an outbound connection from every spam and mailing list email I touch, or even as they arrive and I don't touch anything. In Ventura, Little Snitch wasn't flagging them.

Little Snitch tells me not to block them or it can break mail, but they are obviously from EMS or GlobalIndustries or whatever is trying to track me at that minute.

I've got mail set to Hide IP Address and Block All Remote Content, as I did in Ventura. Images indeed are blocked, but some other tracker is connecting.

Since the senders are tracking connections, they know it's me -- they sent me this email, probably a unique code in the connection.

I didn't get these warnings on Ventura. It seems either Mail is now worse at actually blocking all remote content -- or I suppose it's possible Little Snitch has a better idea what mail is doing now in Sonoma, but I don't think that's it. I think mail is now letting every email phone home even if I'm not even opening them, if they go to junk or spam.

I mean, I guess there's nothing to do about this, but bloody hell. Either accept that all privacy is completely dead, or keep swatting these flies away all day.

 

[Bigwaff]

Version of Little Snitch? There was an update pushed today.

 

[jlehet]

Yep, did the update, no difference. Mail is really trying to make those connections. Maybe I should restart it or something.

 

[ipaqrat]

Maybe check for <racking brain> that feature that tries to anonymize you by downloading all web stuff in all messages every time, like, trying to lose you in a crowd...

FOUND IT... Mail > Settings > Privacy > Protect Mail Activity. Was this a new feature since Ventura (Can't remember when it was introduced) set on by default?

Maybe I'm too simple minded, but this seems like a stupid idea. HTF, precisely, would this action protect anything? No, sir, I don't like it. I leave mine set to the old Hide IP Address and Block ALL Remote Content. I'd prefer all eMail get set to plain text and quarantine attachments before I even download it to the in box. Plus, I'm on metered service out in horse country.

 

[jlehet]

It does not seem that "Protect Mail Activity" would help much at all, for any marketer of average or above capability. The pixels and tracking links and whatever are all custom tailored to the recipient. I don't believe they care as much what my IP is as that *I* got their email, and apparently opened it.

Too soon to say, but this might have resolved. I didn't get a single Mail attempts to connect to junk marketer event upon waking this morning. We'll see.

 

[ipaqrat]

Agreed, the Protect Mail Activity is prolly OBE for marketing response purposes. All it might prove these days, is whether an aggregator's messaging mill generates adequate subject lines.

But there actually IS a subset of hackery-pokery, where the process starts with simply identifying a "live" address, which kicks off target profiling.

Ad aggregators simply rent off-hours/on-demand compute time in some cloud, allow the machine to fire at best-effort demographics, and then scrape a few pennies per hour. They won't monitor the actual content slipstreamed into open spots in any particular HTML assembly.

Malicious actors pwn the content databases, paying off contract security personnel to suppress alerts, to allow insertion of obfuscated content designed to identify lucrative targets. Same goes for pwning the destination servers of seemingly ordinary companies (also rented compute mills).

This starts the exploit chain - which must be countered by a kill chain (security interdiction at each step). Even though Apple describes proxies that divorce your IP from the content, but since the web content will still be rendered, there's potential for transmitting intel mined through javascript. Apple Mail isn't exactly sandboxed.

I guess Protect Mail Activity might sorta help re-anonymize you - in narrow, palms-up advertracking scenarios. But it's hardly a security hardening feature.

It's still better to not download any remote content. None. Ever. Unless it's Taylor Swift emailing "I love you." Then, I'm definitely getting punk'd.

 

[jlehet]

I said I thought it might have resolved itself -- nope. Either this is a bug in Sonoma mail, or I need to nuke my preferences to the ground and start over with Mail.