
But if Google always fetches the images, then there's no way for the marketers to know if the email was actually opened or not.


Apparently Google does not always fetch the images.

But even if they did, this is still more information leakage than the old default (don't load images).

Spammers who email via botnets and the like, with false return addresses, don't get bouncebacks to clean their lists.

But if you (or Google, on your behalf) give them a hand by reliably loading their tracking image, that flags your email as a valid one.

If you weren't actually reading the email, that's still a false positive I don't think you'd benefit by giving.


An alternative could be to let the user decide if Gmail should prefetch images from a sender or not.

Email from familiar senders would have images prefetched (thus avoiding leaks of user data).

And DDOSing concerns would be reduced because those emails would not be from a familiar source.


There is no advantage of prefetching images from familiar senders. It's not about faster image loading.

The ideal thing would be to just prefetch all the images sent to existing and non-existing accounts. This way there is absolutely no way for a spammer to tell whether an email is existing or not.


> There is no advantage of prefetching images from familiar senders.

The advantages I had in mind were:

1. No leak of user IP address, cookies, etc.

2. No leak of timing information (when user opened the email).

It will however leak that the email address is valid, which might be a fine compromise with a selected subset of senders.


Sorry, I wasn't precise. I was responding to the suggestion to only proxy for familiar senders. But, assuming that you can correctly identify who is familiar and who's not (there is scam detection as well), the benefit is minimal.

There is a bigger benefit to doing this proxying for non-familiar emails.

Google could prevent leaking whether an email address is valid by simply prefetching images even when email is sent to non-existent accounts.



