All Posts by Date or last 15, 30, 90 or 180 days.
also by Lloyd: photography and

Thank you for buying via links and ads on this site,
which earn me advertising fees or commissions.
As an Amazon Associate I earn from qualifying purchases.

Other World Computing...
B&H Photo...
As an Amazon Associate I earn from qualifying purchases.
Capacities up to 56TB and speeds up to 1527MB/s
Today’s Deal Zone Items... Handpicked deals...
$7999 $7249
SAVE $750

$2799 $2599
SAVE $200

$250 $225
SAVE $25

$399 $269
SAVE $130

$1199 $1099
SAVE $100

$799 $599
SAVE $200

$999 $949
SAVE $50

$1099 $999
SAVE $100

$1999 $1499
SAVE $500

$1349 $1149
SAVE $200

$1099 $1029
SAVE $70

$2799 $2549
SAVE $250

$449 $389
SAVE $60

$400 $310
SAVE $90

$1699 $999
SAVE $700

Spotlight Builds in a Feature Spammers Could Only Dream About

How would you like it if every spam email you received reports your IP address back to the spammer who sent it? Even if you never see the email, never open it, never view it?

That’s apparently what Apple’s Spotlight does at present. More Apple Core Rot, but this time with a security/privacy twist. Macworld Magazine reports:

OS X Spotlight Search glitch can expose private details of Apple Mail users

At the moment, the only way to work around the issue seems to be to uncheck the “Mail & Messages” box for Spotlight in System Preferences. When this option is disabled no mails are returned in Spotlight’s search results, and thus, no preview is shown.

This is just plain sloppy engineering by Apple. With a fixed release schedule, not a little manure has to get shoveled out along with the hay. Where is the security review team in all this (is there one?).

The workaround is a disaster: MPG uses search within mail many times a day and receives dozens of emails from spammers a day. So either no search, or let the spammers have a field day/week/month until Apple gets it sh*t together.

Update: Possible Work-Around for Spotlight Privacy/Security bug of Indexing Spam Email.

Update 2: the scope of the issue may well be less than MPG originally understood. MPG understood the issue as happening with indexing, but it might actually be restricted to when searching (by the user) actually occurs and previews are shown. If so , the scope of the issue is much reduced, and we can all breath a lot easier. Still, the bug should be fixed, because searching by its nature pulls in just about everything. So the workaround above still has some value in sidestepping the issue.


Virtually all users have Spotlight indexing their mail. And because junk mail has things like tiny hidden images (you can’t see ’em), when loaded, every spam receive reports the computer’s IP address back to the spammer, telling the spammer you are a “live one”. Spammers might think they’ve died and gone to spammer heaven in terms of culling email lists for known-good emails.

But it’s not just spammers: consider for example that any forwarded or replied-to email would let the orginal sender know just what IP addresses it landed at, even if never opened or viewed (because of Spotlight loading images while indexing). That’s nasty. For security in government and corporations, this gets interesting. There may be other unforseen implications as well. In MPG’s view, this bug ought to be a top priority fix, or Apple is in effect an accessory to unsavory actors.

The serious bugs, and degraded usability in the past few OS releases are seeing a rising tide of criticism, but MPG posted Apple Core Rot a year ago, after watching it rot develop for 2-3 years prior. MPG’s view is that good judgment is in very short supply at Apple these days. This is not a bug out of the blue; a good software engineering team needs a core set of experienced engineers skilled in security and privacy issues. Someone had to write that code to load those images in emails. This and many other recent issues show slipshod software development practices extant today at Apple.

Tim Cook has emphasized how much Apple values your privacy, but can he be taken seriously when this kind of sloppy engineering is happening on his watch? Big flashy statements are easy to make. But engineering an operating system to deliver on promises requires sober thought and experienced judgment.

See also:

Save the tax, we pay you back, instantly!
View all handpicked deals...

Apple 16" MacBook Pro (Late 2019, Silver)
$2799 $2599
SAVE $200 | Terms of Use | PRIVACY POLICY
Contact | About Lloyd Chambers | Consulting | Photo Tours
Mailing Lists | RSS Feeds | Twitter
Copyright © 2020 diglloyd Inc, all rights reserved.
Display info: __RETINA_INFO_STATUS__