Please be aware that we don't log email content (and we are also not vulnerable to Log4j). Our anti-spam systems do check for malicious links from third party email services so we can proactively warn users about phishing attempts.
They have already being known to log emails when enforced by the Swiss authorities:<p><a href="https://techcrunch.com/2021/09/06/protonmail-logged-ip-address-of-french-activist-after-order-by-swiss-authorities/" rel="nofollow">https://techcrunch.com/2021/09/06/protonmail-logged-ip-addre...</a><p><a href="https://protonmail.com/blog/transparency-report/" rel="nofollow">https://protonmail.com/blog/transparency-report/</a><p>——<p>In case you trust Swiss companies blindly:<p><a href="https://en.wikipedia.org/wiki/Crypto_AG" rel="nofollow">https://en.wikipedia.org/wiki/Crypto_AG</a><p><a href="https://www.thebureauinvestigates.com/stories/2021-12-06/swiss-tech-company-boss-accused-of-selling-mobile-network-access-for-spying" rel="nofollow">https://www.thebureauinvestigates.com/stories/2021-12-06/swi...</a>
I'm not sure they are a Java company, they are more Python, PHP, Golang, and Node. At least Java is not described in their job offers, which are usually a very nice way to know about the company stacks by the way.<p><a href="https://careers.protonmail.com/o/devops-engineer-remote-europe-barcelona-london-vilnius-prague" rel="nofollow">https://careers.protonmail.com/o/devops-engineer-remote-euro...</a>
This is likely the spam filter scanning over the Links it finds in the E-Mail not actually something spitting the mail content into log4j (and I mean honestly, why would you even do that?)
It's good to be cautious, but this is sort of a silly test.<p>Protonmail doesn't have to "log" messages; <i>they have them already</i>. If I were Protonmail and I had to comply with lawful intercept requirements, I'd just:<p>a) make sure that message content isn't deleted from the mailbox when the user thinks it is<p>b) make sure I retain access to server-managed PGP keys (by logging key material and user-supplied passphrases)<p>But I sure as hell would <i>not</i> call some Java logger.trace() on every goddamn email! That's totally nonscalable and just silly.
You should expect mail to be public. There's no security at all in those protocols, by default.<p>Only encrypted e-mails are somewhat safe. So I just don't understand who's upvoting this. It's a silly post.
Was the email sent TO or FROM a protonmail address?
Does it also happen if it is protonmail to protonmail?<p>Unrelated: what's the name of the tool you use to "listen" to DNS calls?
Seems odd for PM to be vulnerable by the log4j CVE considering (from what I understand) they're mostly Go house. Maybe in the Android app, but otherwise I'd be surprised.<p>Unrelated: I've been getting quite frustrated with some of the functionality and limitations of PM especially for the price I pay (I have 2 catch-all domains, 1 user for each, which requires 2 times pro accounts), so recently I've been trying to migrate away to mailbox.org. Mailbox allows for automatic PGP encryption when the emails come in which is great. However, there is no way to move all my PM emails onto my mailbox.org account while keeping the encryption (not via the original key set up in Protonmail, nor via new key set up in mailbox.org). Has anyone ever run into such a scenario, and what can be done in this scenario?
This needs more detail, what is the body of the mail supposed to show?<p>Did you run an experiment? How was it run?<p>Is this between protonmail addresses?
If I were you, I would not use any kind of non open source and non self-hosted email service pretending to be "secret", in the best (!) case it has some sort of silent metadata/access logging. While common shady services like Protonmail bluntly store plain text archives, and even if they claim they don't, there's no zero-knowledge proof on this highly sensitive topic.
Hate to be that guy, but evidence has no plural.<p>Similar words often wrongly used in plural:
- advices
- feedbacks
- codes (when referring to source code)
- moneys
- datas
- syntaxes