> - It leaks the IP address of my mail client simply by reading an
IIRC that was the motivation for me trying it; how many distinct IP
addresses hit the URL. Related to your point, I could know the
recipient viewed the email three times a couple of days ago, once from
somewhere he denies going, the rake, yet still hasn't replied.
> - Curl's user agent contains a version number (could allow OS
> identification, or targeting of vulnerable curl versions).
curl(1) has `-A' to set the user agent. Perhaps mhn-defaults should
plonk nmh in there with an escape for a version? Your point still
curl also offers cookie jars though I don't know if they're used by
default with mhn.default's simple invocation, but perhaps the `.curlrc'
loaded by default as we don't give `-q' might. This means the URL can
benefit from their values.
> - Fetching http content is subject to man-in-the-middle attacks.
Third-party services like httpbin.org offer URLs that delay before
serving, slowing down mail viewing.
Small emails that get under fetchmail's `-l' limit may still cause high
usage of network budget.
> - It can be used to poke intranets (http://192.168.x.y/admin.php?...)
Yes, though any output would be seen. GETing Internet URLs may also
have a side effect. `Vote for me!'.
This telnet-schema URL doesn't work because curl's stdin isn't
/dev/null, but the TTY. And the dict-schema one can't use `DEFINE
jargon recursion' as the path because nmh strips whitespace from `url',
the comment referring to RFC 2017.
curl(1) supports quite a few other schemas, though libcurl is compiled
without some of them here. SFTP supports lots of file manipulation
commands, but again the whitespace removal is a hindrance.