pitter i think that's a feature which should be on server, not on a client side.
EspoCRM is only a client. We're using microsoft exchange in out company and we can enable such protection on their side.

thx emillod for your notes, i think, the EMail Client decides if the html content or plan text content is to show. After switching the sender to "trusted" the client may show the html content. its a client part i think so,
i'm curios: how do you safe your espocrm clients with exchange ?

Email server scans all emails and they only passing emails which meet our safety requirements. If you would apply protection on client side, it would only protect you in EspoCRM, but you can also have emails downloaded on your mobile phone. That's why it's important to use protection on server side. Thanks to this all email clients are protected.

pitter,

I hope email filters on the EspoCRM side can partially solve your problem https://www.espocrm.com/tips/email-filters/.
However, emillod is correct that basic security should be installed on the server's side.

I believe that not loading remote content unless 'trusted' is more of a privacy concern issue rather than the security one.

Could you provide some examples how it's implemented in other systems?

I also think that such a feature may require quite an effort to implement.

victor the most user trap for dowload ransomware or other problems are clicking at links on really orignal fake-emails. They are from kidnapped user computer and send with original addresses, no spam filter even on server side noticed them. So the user get a EMail what sounds like it is waiting for, the detail view open it in html and:
1. external pictures are loaded, the sender is noticed about opening the email - first problem !
2. the user is able to open external links and attachments without any security question - very easy to click the wrong link !

Imaging: usually the user communicate with known contacts - all emails are shown in html and every think is fine. But emails from UNKNOW senders are at first time just to open in plain text even no attachments are possible to open. The user have to assign the email to any contact and in future the emails from them are save and can open in html. Just one click for security ! User have to use their brain before opening a wrong attachment.

possible its an effort to implement, im not aphp developer. Maybe at first show email content per default as plain text, no external content loading (like thunderbird). If its possible to check on opening email if sender is registrated on an contact you can decide if plain text or html is the right way. One extra button over the email text: "trust" and die sender goes to a white list for future.
I know that feature from amtangee - and its very helpfull.

pitter
our exchange server marks email with contacts which are contacting us for the first time and this is passed to note under specific ticket. Images pasted inline are removed and visible only if we open full view of the email. But still, whole protection should be done on server side. Unfortunately, most of them doesn't have even viruses scanning program.
​

Hi emillod, thx for the explanation, never to late to learn. But not all customer are able to hold en exchange server, most of my customers using po3/imap. So it would be helpfull.
But this is an other discussion.

victor doing with filters are a good idea - maybe its possible to extend filters ? for eample with an criterium like "HasContact" ...?