Some people may have noticed that some spammers manage to send images in their email. What the? You have not set permission for auto download of pictures, so how does that work?
On closer inspection (if you have time to look) you may notice that the email source code references an image without an HTTP URL:
<IMG alt="" hspace=0 src="cid:[email protected]" align=baseline border=0>
What is this?
“cid” is the content-id within Outlook. Outlook stores HTML mail in MHTML format, which allows it to work with MIME (Multipurpose Internet Mail Extensions). So what is actually happening is that the image is embedded in the message itself and then referenced through the MHTML, so nothing needs to be downloaded externally.
Points of interest off the top of my head:
1. You can’t spam filter an image. The image can contain text (as above) or pictures. Watch out. Phishing possibilities ahoy.
2. CID will probably pass unnoticed through many mail servers, except for high grade clients who set rules to filter CID tags. Here the CID tag will usually get turned into an attachment, helping you spot an intruding image.
3. CID is a good way to have your company logo embedded so that users don’t have to click “download images”, as they would if your mail referenced the logo by an absolute URL. However, if many of your clients are protected (previous point), then your logo will appear to them as an attachment each time, which is quite annoying when they go looking for that mail you sent them that DID have an attachment.
4. CID seems to work fine with browser clients (I tried Gmail, which worked fine and did not strip as an attachment either).
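What a filter rule for CID images has to look at, as an added example that is not from the original post: Python's standard `email` package builds a constructed sample message with one `cid:` image and one remote image, and `audit_cid` pairs each `cid:` reference with the MIME part whose Content-ID matches. The function names, the sample Content-ID and the example.invalid addresses are assumptions made for the illustration.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from urllib.parse import unquote

# Constructed sample data: placeholder GIF bytes and a made-up Content-ID.
PIXEL = b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff,\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02D\x01\x00;"
SAMPLE_CID = "<logo.1234@example.invalid>"

def build_sample() -> bytes:
    """Build an HTML mail with one embedded (cid:) and one remote image."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("plain text fallback")
    msg.add_alternative(
        '<p>Hello</p>\n<img src="cid:logo.1234@example.invalid">\n'
        '<img src="http://example.invalid/remote.png">\n', subtype="html")
    # add_related wraps the HTML part in multipart/related and adds the
    # image as an inline part carrying the Content-ID header.
    msg.get_payload()[1].add_related(PIXEL, maintype="image", subtype="gif", cid=SAMPLE_CID)
    return msg.as_bytes()

def audit_cid(raw: bytes) -> dict:
    """Pair every cid: image reference with the MIME part it resolves to."""
    msg = message_from_bytes(raw, policy=policy.default)
    refs, remote, parts = set(), set(), {}
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            for src in re.findall(r'<img[^>]+src=["\']?([^"\'\s>]+)', part.get_content(), re.I):
                if src.lower().startswith("cid:"):
                    refs.add(unquote(src[4:]))
                else:
                    remote.add(src)
        cid = part.get("Content-ID")
        if cid:
            parts[str(cid).strip().strip("<>")] = part.get_content_type()
    return {
        "embedded": {c: parts[c] for c in sorted(refs) if c in parts},  # shown without any download
        "dangling": sorted(refs - set(parts)),      # cid: reference with no matching part
        "unreferenced": sorted(set(parts) - refs),  # Content-ID part the HTML never uses
        "remote": sorted(remote),                   # external fetch, subject to the picture-download setting
    }

if __name__ == "__main__":
    print(audit_cid(build_sample()))
```

The `embedded` entries are the images a rule like the one in point 2 would inspect or turn into attachments; the `remote` entry is the kind the "download pictures" setting already blocks.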
How do I create a CID image embedded in my email?
The easiest way we found is to copy and paste directly into Outlook from the clipboard. Yes, it’s that simple.