➡ The popular email client Thunderbird, previously available for Windows, Mac OS, and Linux, has now launched a mobile version for Android. This new version, based on the mobile app K9, offers a seamless email experience across desktop and mobile platforms. The creator of Thunderbird demonstrates how it protects users from cyber attacks, specifically a beacon attack, which can reveal a user’s location and other information just by opening an email. Thunderbird’s open-source nature and built-in privacy features make it a safer choice compared to other email clients like Outlook or Apple Mail.
➡ Emails can track you through a method called ‘beacons’. When you preview an email, it can log your activity, even if you don’t open or click it. This can reveal your email address, IP address, device used, city, and time zone. Email clients like Thunderbird and Braxmail Webmail are safer as they don’t display external images by default, reducing the risk of tracking. However, always be cautious and only display HTML or external content from trusted sources.
➡ Be cautious with emails, especially those from unknown senders, as they can contain harmful links and reveal personal information like your IP address. Using a VPN can help protect your privacy, but some email services, like Braxmail, are designed to keep your information safe without one. This channel offers products like Braxmail, Brax Virtual phone, and Bytes VPN to help maintain your privacy. The latest product, Brax3 Privacy Fund, is a community project that has received positive feedback and is now available for purchase.

As many old timers to my channel knows, I’ve always pushed people to use Thunderbird for email. Thunderbird in the past has been available for Windows, Mac OS and Linux, but there’s never been direct support for Thunderbird on mobile. The hint that this was changing happened two years ago when I announced in a video that Thunderbird bought The mobile app K9. K9 is an Android email app which I also recommended as an alternative for mobile. This year 2025, Thunderbird for mobile was just released and now those on Android can directly run Thunderbird. So now we have a seamless platform for email that we can use both on desktop and mobile.

This is based on K9, of course, but the features of Thunderbird are fully incorporated like support for the latest OAuth. This was important for those that use Gmail and just the general UI looks more like Thunderbird on desktop. Plus there’s integration between desktop and mobile like you can transfer accounts. This is great news, so go use it for your email on Android. While I want to announce the new version of Thunderbird to all, it’s time to actually reiterate why I kept telling people to use Thunderbird in the first place. The best way to do this is by demonstration.

I will perform an actual attack where I use email to find out where you are and I’ve written a program to do this test. But what you will see is that this attack doesn’t work too well when using an email client like Thunderbird. This is why I recommend it over common email clients like Outlook or Apple Mail. This is something that Mr. Robot actually used to find his FBI stalker in in the show of the same name and I will demonstrate to you exactly how it is done. In this process you will learn a little bit about Thunderbird, but also about email and how to prevent a precursor threat called a beacon attack.

It will also teach you about the common dangers of email which can cause you to be hacked. Stay right there. The reason I’ve been pushing Thunderbird as an email client for years is that Thunderbird first of all is open source, so no secret tracking should be built in. But because it was developed with privacy interests in mind, they have put in features by default that will protect a normal user who doesn’t necessarily do anything to configure their apps for safety. One of the main attacks used is first to identify you just from your email address. This is often a precursor to even more sophisticated spear phishing attacks.

And given tools like those demonstrated by Fog Data Science, which I showed in another video, your Entire life pattern can be laid bare. Attackers can find you from your anonymous email identity and they can do this even if you don’t respond to the email. This started to be a common problem when email marketing became a big thing. Many retailers now realize that a big chunk of their online sales come from email, so email tracking became a big deal. First, the email marketers harvest your email based on sold email lists, often by the same retailers or even apps that use email for logins.

Then they flood you with emails and then they can automatically see if an email is live, meaning if someone is monitoring it and from that they can get your rough location initially. Then anytime you actually open the email message, you send a signal to the sender with a timestamp so they even know you’re active. Now this by the way is known as a no click attack. You do not have to touch your email to initiate a signal to the sender. And that’s why it’s even more devious. The scary element here is that there’s actually no obvious trace that this is being done.

The email itself will not show that any specific programming is evident. In fact there is no obvious clue and an innocuous email could be safe or not safe. This will be quite an educational video because you will learn as well why email is dangerous via a demonstration. This will show why this actually does the source of likely 90% of cyber attacks against regular folks. Beyond the demonstration, I will discuss some strategies to manage your email so you can have a safer experience. And yes, you already know how to use Thunderbird to mitigate some risk, but I’ll teach you more later.

To start this demonstration, I have set up a new email service in Braxmail which will be xonexmail.net this is a service we provide on our Braxme site. What I will do is set up this email account on three email clients and these are Thunderbird Mobile, Microsoft Outlook on Windows and Webmail. The webmail is provided by the braxmail service. This will allow us to compare the three methods here and see what makes some email clients safe and some dangerous. So let me just show you how I set up these three email apps and as you can see, setting up an email account on all three is equally easy.

No big deal. Actually on webmail it’s even easier as there’s no setup required. You just log in with your credentials that you specified and you in. Now I wrote a program to perform this test and it is on braxme Geo, beacontest, php. I’m going to go through all this in detail, you can go to the website and see this for yourself if you want to. The specific threat is called a beacon attack. So this program is a beacon attack. Test what it shows at the top. Here is a simple HTML script. In this case, the image tag is used to display an image.

This is so common in all emails and it is even part of the signature of many people that you will not detect anything unusual at all. However, here’s the secret sauce. The image itself can be invisible. It could be a transparent image, it could be a one pixel image, or it could be a real benign looking image like a logo. The trick isn’t in the image, but the hidden payload. For the geeks out there, we will actually show the source in the browser using the inspect option. Then we can watch what happens in detail. To see what happens in an email, I’m going to tap on the email icon and then we’ll see what happens.

This simulates the opening of an email to read it or to preview it. What you see here is what you would see in the email. As it says there is an image in this email, but you cannot see it. And at this point it is also recording your IP address and more. But as I show you in the HTML script here on the right, there’s actually an image here and it is called foundyou.png. not only can it log your IP address, but it knows your device, your immediate approximate location and and can even tell your time zone.

This is only precursor information. Much more can be derived from this later. Now let me click on the back arrow. We will repeat this three times and I want you to look below and you will see that each time we open email, a log entry is created. By the way the way this works, I’m not interacting with the email other than reading it or previewing it. You can see that after three opens of the email, there are now three log entries. And each time you encounter this kind of email you will be logged. Let’s delete the log entries from now and we’ll try a more advanced test.

So now our log is empty again. What we will do this time is to send real messages to our test email account, which is xonexmail.net we will then see what happens to these messages depending on the email client. And as you recall, we installed it on Thunderbird, Outlook and Webmail. Just so we have a clear separation of behavior between each email client, I will actually use the alias feature of braxmail. So we send a different alias each time we use this and the advantage of using an alias is that we can identify the source of the rogue email and then on Braxmail it is actually possible to block an alias which simulates an email account being closed.

The idea is that if you give a particular retailer a specific email address with an alias, for example, if the email address is used for some other purpose, then you know that the retailer sold your email address and then you can block that retailer without affecting your other mail. First we will send an email which we will open on Outlook and just to be specific here I will use the alias x1outlooksmail.net at this point if we click on refresh log, nothing yet appears. So the explanation here is that until someone receives the email, there should be no log record.

Now I will go to Windows and then run Outlook. Here’s the email we just sent and I will do nothing more than do a preview of the email. By the way, how this works varies by email clients, depending on the version of Outlook, Apple Mail, and so on. Some clients will auto load immediately upon receipt by your device, so it is not necessary to even preview in older versions of Outlook Express. Like for some of you thinking you’re safe with Windows 7, it even executes JavaScript, so it could do more tracking and even leave cookies. But at least this version of Outlook is a bit more improved since it doesn’t load the email in the background.

However, even a preview is pretty bad. Now let’s go back to our beacon test and you will see that it actually logged the preview of the email. Let’s repeat the process and act like we’re previewing our email multiple times. So I’m just scanning through email and you will see that each time the email is previewed, even if it is not opened or clicked, it will make a record in our log as a separate point in this test, notice that I made the image file name obvious by actually renaming it to the email address of the recipient.

In a live attack, the file name may use a meaningless identifier which will later reveal the original recipient. This is a further example of how the email preview can identify the recipient. Now let me erase the email message and clear the log again so we have a fresh start. Next we will do the same test on Thunderbird. So we will send an email to x1thunderbirdaxmail.net we can verify with the refresh of the log that no entries appear in the database so far. Now let’s go to Thunderbird and let’s preview the email message. As you can see here Thunderbird gives an actual warning about showing remote images, which I will not click on.

By the way. On desktop the Thunderbird message will say blocked remote content. So that’s the same thing. And if we go back to beacontest, you will see that even after a preview there is no log entry. But if I choose to show remote images, then it will actually trigger the log entry. So you can see that here. And each time I come back through this email message and click on show remote images, it will log it. This is the advantage in Thunderbird. If you know the email safe, then that is the only time you should allow a HTML or external content to ever be displayed in an email message.

However, from here on and until you delete email, every preview of this email could possibly create a log entry. So that’s why you should show remote content or HTML only with a trusted party. Now I will repeat the same test, but using Webmail of Braxmail. Here we go. We will send an email message to x1webmailaxmail.net then we will log into the webmail and see the prior emails. And you will see the same thing on Racksmail Webmail here that you see on Thunderbird, which is that it doesn’t display external images by default. So just like Thunderbird, there is nothing in the log.

But again, like Thunderbird, if we show external images, then it gets logged. However, as you can see, you have to manually select it each time. And just to be clear on what is actually in the message, once again I will use the webmails option called Show Source and we can show you the actual content of the email message. And here you will see the actual HTML and once again the innocuous image that is commonly found in most emails. So let’s do a detailed explanation of what’s going on here. The main culprit here is HTML. In modern email, HTML is considered a standard way of showing presentable content.

But the big companies like Apple and Microsoft are complicit here because they understand very well what the dangers are of allowing email with HTML is particularly when external content is being loaded. Depending on the version of email client, some will even load the content ahead of time. And they do this to cache the content to make it seem like your email is very fast. And like I said earlier, you cannot actually tell from these examples that the email itself contains a tracker or the official word is beacon. But what I will tell you now is how this can just be a precursor.

So let’s say I’m hunting down targets for a phishing Scam. I can actually do a mass mailing of thousands upon thousands of innocuous email messages with these beacons. And then I can track which ones are live. By live I mean which ones were previewed by the recipient. This narrows down my target list. Obviously someone who looks at the email message multiple times is an indication that the user got hooked by the message. This is what marketers want to see. And as I demonstrated here, I can actually find out who previewed it because the image name itself identifies the the recipient.

Next, I now have access to the IP address. As I’ve shown you here, I not only capture the IP address, but can see the device used, the city, the time zone, and that’s without any clicks. And it would even be more interesting in a live case because some people are opening their non privacy respecting email clients constantly. And then it will also likely indicate multiple IP addresses and that would show the recipient moving or using different devices depending on the purpose of the targeting. One could then initiate an attack when the user clicks on the link in the email, which hopefully you convince them to do.

This is actually something that can be tested over and over. Some messages are likely to be opened by certain people. YouTube creators will often get sponsorship emails. I get a ton of these. Since I don’t really take sponsors, I can ignore these. But a sponsorship email is an example of a spear phishing attack. A spear phishing attack is a targeted attack that is based on actual knowledge of the target and not just a mass attack. In my case, an attack on my known channel is easy. They find the published email on the YouTube channel and then send an email message that could contain a beacon.

Then depending on how exciting the message is, I could end up in theory clicking on the message and going to some website. But if I’m not careful, even if I think I’m going to a real website, I might actually be looking at a fake screen that just captures my credentials. And then a possible outcome is that the credential is Google related and someone then hacks into my YouTube channel for you. The outcome may be that someone gets access to your bank account. Let me just teach you some advanced details here. Today there’s almost zero privacy. If someone has access to your real name, someone can find public records of you from recent hacks.

In fact, a recent one was just announced that shows that even Google Email and two factor authentication phone numbers and your real name has been accessed. So the spear phishing attacks will look more and more authentic because they actually know who you are. Some of you will actually question the value of capturing a device signature, city, time zone and IP address and think this is not anything important. But as I’ve shown in other videos like the one I did on Fog Data Science and Anomaly 6, there are actually other databases that can be correlated with things like an IP address to get locations and even location history.

There are databases called Reverse IP lookup tables and some of us have access to these. What these are are data extract from apps that record your IP address and location and then sell that data to location aggregators. If you have any doubt about this, go watch my video on Fog Data Science and Anomaly 6 and you will see this data used heavily by law enforcement. And by the way it is definitely available to any third party willing to pay and it is not expensive. Because the location data come from WI fi triangulation. The associated location information is often accurate to within six feet so it is very precise.

And if you have access to even more location data like a Fog Data Science, it is possible to then expand this to find not just your home location but everything else you do all day. So IP addresses can be used to spot individuals and then hone their locations. Those who do not take privacy precautions likely appear in these Reverse IP lookup databases. The more an attacker knows about you and your interests, Just like the parties that send me a constant stream of sponsorship inquiries, the better the chance that I would click on their email. And if I’m not using Thunderbird or Braxmail webmail, then it is likely that they would know immediately that I opened the message and was interested, in which case they can tweak the message and resend a similar one.

And bad guys will keep doing this until they notice I look at the email message more often. Currently with two separate techniques, I don’t appear to be receiving these emails. First, because I use Thunderbird, they do not get a beacon that I even reacted to their email messages. Second, because of aliases, I know what email addresses are used for what purpose, and an email coming from a published email address on YouTube is the most suspicious of all. So I know when to raise my guard. And third, and this is very important, unless you know specifically who sent an email, meaning you initiated it like a password recovery, then you should never ever click on links on email or open attachments.

No matter how exciting the message is. If it looks too good to be true, then it is suspect. There’s another aspect to understand here. If you ever replied to email, the email header contains a lot of direct information about you, including your IP address and sometimes the computer name. This is one of the most unsafe features of email, which is why I would never use an unsafe email service like Gmail for example, on my devices without a vpn. So a VPN becomes a requirement when using email and typical email services. But there’s an exception to this.

An email service like braxmail strips out identifying information on the header so that nothing in the email will reveal anything about you even if you didn’t use a vpn. So that’s the neat thing. Braxmail is made to be safe from moment one. The correct choice of email product plus the choices of email client and an awareness of the threat will mitigate the chances of getting hacked via email. So there we go. A lot of information has been passed to you here. It’s been very long since I passed this information about beacon attacks and hopefully this will go a long way to protecting your privacy as well as protect you from hacks.

Folks, this channel is supported solely by this community and we get this support not by getting sponsors, but by creating good products with excellent service that help you in your quest for privacy. The braxmill product, for example, was honed from years of customer feedback and is one of the most popular products in our store. It features unlimited aliases, privacy features, encryption at rest, and many private domains. A lot of value. We also have the Brax Virtual phone which allows you to create identity free phone numbers which can protect you from spying apps and people you don’t know.

We also have the Bytes VPN service which is a necessary tool especially when using email. As discussed in this video. All these products are available on our store on Brax May. The newest product we offer, by the way, is the Brax3 Privacy Fund, which is a community project involving several companies and has so far had such an amazing reception. This phone is available on braxtech.net and just started shipping. Thank you for those who support us on patreon locals and YouTube memberships. I truly appreciate it. See you next time.
[tr:tra].

See more of Rob Braxman Tech on their Public Channel and the MPN Rob Braxman Tech channel.