# DNS Pre-fetch Exposure on Thunderbird and Webmail
When you view an email in [Mozilla Thunderbird](https://getthunderbird.com/), it
looks at each of the URLs in the body and does a DNS lookup on each of the
domains. It does this so the page loads faster if you click on the link. This
doesn't just happen for HTML emails; it also happens for plain text emails.
Viewing the body in "Plain Text" mode rather than the "Original HTML" or "Simple
HTML" modes doesn't prevent it either. This also happens when using webmail
clients like GMail and Hotmail, and I will discuss that further down the article.
Email clients tend to have a configuration option to prevent remote images from
being loaded, and on sane clients this is set by default. If a remote image is
fetched to be displayed inside an email, the sender can determine that the email
has been read, when it was read, and the IP address it was read from. Even if
remote images are disabled in Thunderbird, the DNS prefetching **still** takes
place.
A spammer with the domain "example.com" could send out a mail-shot to all of
their addresses, with each email containing a URL with a unique domain, e.g.:
```text
http://emailaddressX.mailshotY.example.com/
```
They could configure the DNS server on example.com to log all DNS queries. This
is simple to do using the [Bind DNS server](https://www.isc.org/software/bind):
```text
logging {
    channel query_logging {
        file "/var/log/bind/query" versions 3 size 100M;
        print-time yes;
    };
    category queries {
        query_logging;
    };
};
```
They would then write a simple script for tailing the log file at
`/var/log/bind/query` looking for DNS lookups containing "mailshotY.example.com".
I tested this on the very latest version of Thunderbird (3.0.1), on both OSX
(Snow Leopard) and Windows XP; both were affected. I also tested on Apple Mail
and Outlook 2007, neither of which were affected. I didn't bother testing Mutt
or Pine.
This issue seems to have been
[discussed](https://bugzilla.mozilla.org/show_bug.cgi?id=492196) back in May,
but they don't seem to have done anything about it.
Worryingly, this issue also affects viewing email in webmail clients. I tested
it using Hotmail and GMail and both did DNS prefetching on the URLs in the email
body. Using HTTPS rather than HTTP disables DNS prefetching. Luckily for GMail
users, they recently made all requests HTTPS by default. This would be easily
fixed in webmail clients by using `X-DNS-Prefetch-Control`. In the HTML just
before the email is displayed, you would put the following tag to disable
prefetching:
```html
<meta http-equiv="x-dns-prefetch-control" content="off">
```
In the HTML immediately after the email you would turn DNS prefetching back on
with:
```html
<meta http-equiv="x-dns-prefetch-control" content="on">
```
**Update:**
Patches for the Webmail clients [IMP](https://www.horde.org/apps/imp/)
([ref](http://bugs.horde.org/ticket/8836)) and
[RoundCube](https://www.roundcube.net/)
([ref](http://trac.roundcube.net/ticket/1486449)) have been produced. If you're
serving Webmail with Apache, you can patch this problem in the web server
itself by adding some mod_headers config like this:
```text
Header set X-DNS-Prefetch-Control "off"
```
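To check that a webmail deployment actually applies one of these mitigations (the meta tags around the message, or the response header), the following added example, which is not code from the original article or from any webmail project, walks a rendered page and lists the link hostnames still open to prefetching. The sample page, `help.example.org` and the helper names are constructed for illustration, and the scan assumes the meta tag takes effect in document order, as the article uses it.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

CONTROL = "x-dns-prefetch-control"

# Constructed sample data: a webmail page wrapping one message.
MESSAGE = '<a href="http://emailaddressX.mailshotY.example.com/">Offer</a>'
OFF = '<meta http-equiv="x-dns-prefetch-control" content="off">'
ON = '<meta http-equiv="x-dns-prefetch-control" content="on">'


def page(before="", after=""):
    return ('<html><body><a href="/inbox">Inbox</a>' + before
            + "<div>" + MESSAGE + "</div>" + after
            + '<a href="https://help.example.org/">Help</a></body></html>')


class _LinkScan(HTMLParser):
    """Walk the page in document order, tracking the prefetch switch."""

    def __init__(self, prefetch_off):
        super().__init__()
        self.prefetch_off = prefetch_off
        self.exposed = []  # hostnames of links seen while prefetch is on

    def handle_starttag(self, tag, attrs):
        attr = {k: (v or "") for k, v in attrs}
        if tag == "meta" and attr.get("http-equiv", "").lower() == CONTROL:
            # Assumption: the tag applies from this point onward, which is
            # how the article places it before and after the message body.
            self.prefetch_off = attr.get("content", "").strip().lower() == "off"
        elif tag == "a" and not self.prefetch_off:
            host = urlsplit(attr.get("href", "")).hostname
            if host:  # relative links have no hostname to resolve
                self.exposed.append(host)


def exposed_hosts(headers, html):
    """Return link hostnames a prefetching browser could resolve on view."""
    header = {k.lower(): v.strip().lower() for k, v in headers.items()}
    scan = _LinkScan(prefetch_off=header.get(CONTROL) == "off")
    scan.feed(html)
    scan.close()
    return scan.exposed


if __name__ == "__main__":
    for hdrs, html in (({}, page()), ({}, page(OFF, ON)), ({CONTROL: "off"}, page())):
        print(exposed_hosts(hdrs, html))
```

The scan only considers `<a href>` links, so it fits webmail pages where URLs in the message have already been turned into links.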
If you're using Thunderbird, you can fix the problem locally by going into the
advanced config editor and adding a preference named
"network.dns.disablePrefetch" with a boolean value of "true".