What's the latest on emails that spy?

[Stephen Tashi]

TL;DR Summary

I've read that features can be built into emails that report back to the sender what he person who received the email does with it. What's the latest news on that technology?

Several years ago, I read that features can be built into emails that report back to the sender what the person who received the email does with it - at least report whether the email was opened and when this happened. It involved including a tiny picture in the email that would be opened when the email was read. That would somehow report information back to the sender. There were programs (mainly oriented to MS Windows) that advertised giving the email sender this power. Is that technology real? What are the latest developments in it?

 

[phinds]

Don't know about the latest but for many years Outlook (the desktop application at least) has had an option to ask an email to report back when it is opened, BUT ... it also provides the recipient (at least Outlook recipients) with the option as to whether or not to actually execute that action.

EDIT: and by the way, I have no idea whether or not that action is even meaningful if the email is received by an email system other than Outlook desktop.

 

[jedishrfu]

The MailCHimp bulk email distribution service can tell you if someone has looked at an email you sent, whether they decided to unsubscribe from your list and whether they looked at it a second time...

Usually this is done with a tracking pixel scheme where the pixel when accessed is associated with a single subscriber so that each time you view a web page that tracking pixel jpg gets requested from the service and the service then knows the user is looking at the email again.

https://en.ryte.com/wiki/Tracking_Pixel
I'm sure there are other ways using javascript but I think the single pixel approach works even if javascript it off. It will only fail with html is disabled in your email client which isn't uncommon as viewing your email as is is preferable to clicking on a malware link.

 

[Wrichik Basu]

Several years ago, I read that features can be built into emails that report back to the sender what the person who received the email does with it - at least report whether the email was opened and when this happened.

Boomerang for Gmail has this feature. It will append a small link at the end of the mail, and tell the receiver of the email that it is tracking the mail. The receiver has the option to stop the tracking I guess. Personally, I haven't used this feature yet (a message stating "This email is being tracked" will not be very good-looking in official mails).

 

[jedishrfu]

Yeah, it would be better to say this email is NOT being tracked, wink wink!

 

[pbuk]

I'm sure there are other ways using javascript but I think the single pixel approach works even if javascript it off. It will only fail with html is disabled in your email client which isn't uncommon as viewing your email as is is preferable to clicking on a malware link.

I am not aware of any email client that sends javascript contained in emails - this would be an unacceptable security risk. Simply displaying HTML does not send the tracking code as most email clients will not download images unless you ask them to and so the sender initially has no way of knowing if you have read the email, but as soon as you choose to display images they receive the code.

Don't know about the latest but for many years Outlook (the desktop application at least) has had an option to ask an email to report back when it is opened, BUT ... it also provides the recipient (at least Outlook recipients) with the option as to whether or not to actually execute that action.

EDIT: and by the way, I have no idea whether or not that action is even meaningful if the email is received by an email system other than Outlook desktop.

Outlook, or rather the Microsoft Exchange email server, uses its own protocol for message delivery which supports read notifications, but when it sends emails outside the organisation it has to use the universal SMTP protocol which does not.

 

[Greg Bernhardt]

Summary: I've read that features can be built into emails that report back to the sender what he person who received the email does with it. What's the latest news on that technology?

Several years ago, I read that features can be built into emails that report back to the sender what the person who received the email does with it - at least report whether the email was opened and when this happened.

This is very widespread and common email marketing technology. Nearly any promotional or subscribed email will have this monitoring. It is not usually offered by email services but by marketing platforms. Open rates are just used to determine the success of an email campaign.

 

[anorlunda]

This is very widespread and common email marketing technology.

Is there anything we can do to block it?

 

[Greg Bernhardt]

Is there anything we can do to block it?

Every client is different, but disabling the remote images will eliminate most tracking.

 

[anorlunda]

Every client is different, but disabling the remote images will eliminate most tracking.

Thanks. Gmail does allow you to disable images, or to ask each time. They also said the following. The way they word it, they do not necessarily think tracking is harmful.

How Gmail helps make images safe
Google scans images for signs of suspicious content before you receive them.

These scans make images safer because:

• Senders can’t use image loading to get information about your computer or location.
• Senders can’t use the image to set or read cookies in your browser.
• Gmail checks the images for known harmful software.

Sometimes, senders may know whether you've opened an email that has an image. Gmail scans every message for suspicious content. If Gmail thinks a sender or message is suspicious, images aren’t shown and you’ll be asked if you want to see the images.

 

[Greg Bernhardt]

The way they word it, they do not necessarily think tracking is harmful.

Note, Google is one of the biggest trackers in the world, but that being said, I don't think it's a concern either. Do you really care if a promotional email knows you opened it or not? In some ways it's helpful, but it gives them indication whether you thought the title was interesting enough to open, which just leads to more interesting titles.

BTW, this is no different on forums. aka, a good interesting title = higher open rates = more viewers = more replies = more fun!

 

[DaveC426913]

Note, Google is one of the biggest trackers in the world, but that being said, I don't think it's a concern either. Do you really care if a promotional email knows you opened it or not?

It also tells them they've reached a valid, active email address and recipient.
It's analogous to a robocall on your phone that detects when the phone has been answered, so that your number can be subsequently targeted for spam calls.

...whether you thought the title was interesting enough to open, which just leads to more interesting titles.

It leads to more spam. They've identified that you - of the countless hundreds of thousands of silent, apathetic users - are a conduit for possible sales.

BTW, this is no different on forums. aka, a good interesting title = higher open rates = more viewers = more replies = more fun!

Nice try. Users come to fora looking for content (pull); fora don't push unsolicited content to a user's private space.

 

[phinds]

It also tells them they've reached a valid, active email address and recipient.
It's analogous to a robocall on your phone that detects when the phone has been answered, so that your number can be subsequently targeted for spam calls.

It leads to more spam. They've identified that you - of the countless hundreds of thousands of silent, apathetic users - are a conduit for possible sales.

 

[Wrichik Basu]

Tell me something: is it actually safe to enable this tracking for personal use? I mean, aren't these people actually reading what you are sending?

 

[Greg Bernhardt]

It also tells them they've reached a valid, active email address and recipient.

You don't need open rate tracking for this. The server will send a bounce response to the sender if the email address is not valid.

It leads to more spam. They've identified that you - of the countless hundreds of thousands of silent, apathetic users - are a conduit for possible sales.

First of all, why are you opening spam emails? Secondly, this tracking tech is commonly used in emails that you sign up for. So, don't confuse open rate tracking with spam. Legitimate emails use it too. Maybe even more so because at bulk levels it's not free. It's part of marketing platforms you pay for.

Nice try. Users come to fora looking for content (pull); fora don't push unsolicited content to a user's private space.

See above.

 

[Greg Bernhardt]

Tell me something: is it actually safe to enable this tracking for personal use? I mean, aren't these people actually reading what you are sending?

There is nothing unsafe about email open rate tracking.

1. Don't open spam
2. Unsubscribe from campaigns you don't want anymore
3. Personal use is very rare
4. Sleep well at night and worry about more important things

 

[Wrichik Basu]

There is nothing unsafe about email tracking.

1. Don't open spam
2. Unsubscribe from campaigns you don't want anymore
3. Personal use is very rare
4. Sleep well at night and worry about more important things

I am not talking about spam. I am talking about the emails that I am sending to others.

 

[Greg Bernhardt]

I am not talking about spam. I am talking about the emails that I am sending to others.

What's the difference? I don't understand the concern over whether or not someone knows you opened an email or not. The vast majority of personal email users don't track open rates and there is no issue even if they are.

 

[Wrichik Basu]

What's the difference? I don't understand the concern over whether or not someone knows you opened an email or not. The vast majority of personal email users don't track open rates and there is no issue even if they are.

Actually, it doesn't matter to me if the sender wants to know if I opened the email or not. My concern is this: say I enable the email tracking for my account, which means every mail I send, is tracked. Does this imply that the tracking agency is reading the contents of the email (i.e. the body, in addition to recipient information)? If they do so, they can use the information in some illegal way if they want, right?

 

[Greg Bernhardt]

Does this imply that the tracking agency is reading the contents of the email (i.e. the body, in addition to recipient information)? If they do so, they can use the information in some illegal way if they want, right?

Nope, all that happens is when your email client requests the tracking image, that request is logged as "email opened". That is it.

 

[Stephen Tashi]

Simply displaying HTML does not send the tracking code as most email clients will not download images unless you ask them to

On Thunderbird, I get the notification "Thunderbird had blocked the remote content ...", but I wonder how many people set up their email clients this way - especially if they read email on their smart phones.

Instead of using an email client program like Thunderbird, many people use the web interface offered by the email provider. So when we say that gmail does something, are we saying that gmail does it for people who use the gmail web interface?

An interesting article: https://en.wikipedia.org/wiki/Web_beacon

 

[Stephen Tashi]

First of all, why are you opening spam emails?

In Thunderbird, when I go to delete an email and click on its title, its content is automatically displayed.

If I pick a batch of emails to delete by clicking on the first one and the last one, their contents are displayed, but not the contents of the ones in between.

 

[phinds]

In Thunderbird, when I go to delete an email and click on its title, its content is automatically displayed.

If I pick a batch of emails to delete by clicking on the first one and the last one, their contents are displayed, but not the contents of the ones in between.

You need to get a new mail system.

 

[anorlunda]

My concern is this: say I enable the email tracking for my account, which means every mail I send, is tracked. Does this imply that the tracking agency is reading the contents of the email (i.e. the body, in addition to recipient information)?

You have to be more specific about who you are asking about. If you send a email to a third party, now you are asking about the the third party's provider reading your content you. There are too many parties involved for a general answer.

If you use gmail, yes Google reads everything you send or receive. But gmail also offers the benefit of a very effective spam filter. Spam reaches my inbox less than once per month. That spam filter eliminates 95% of the email risks up front. I know other PF regulars managing their own company email, who spend many hours every week combating spam. I don't have to do that because I use gmail.

We can all decide to sell our privacy. Give up some privacy in return for some benefit. Maximum online privacy is achieved by never going online. But the annoying part is the lack of transparency. The invasions of my privacy that I'm not aware of and that I do not explicitly agree to.

 

[Klystron]

While sitting around the radar control room for a mega-city airport, I advised my coworkers to assume conversations were monitored, that privacy as we knew it was a relic of the past.

The next morning the TRA-CON supervisor half-jokingly repeated our conversation and agreed with my premise. This was in 1973 roughly ten years before I would install sendmail / SMTP on a computer.

As a software engineer I tried to respect privacy by not opening the DATA part of mail packets but by design UNIX mail programs copied messages, more like a fax than snail-mail. Sender and receiver servers stored copies of traffic with numerous timestamps. Lifetime for server copies defaulted to 10 minutes in theory. With on-the-fly server backups a copy exists somewhere. If not data, at least the handshakes and transmission times of each packet.

 

[DaveC426913]

You don't need open rate tracking for this. The server will send a bounce response to the sender if the email address is not valid.

Active email. An email that is actually getting eyeballs. That's valuable.

First of all, why are you opening spam emails?

Uh, because you very often don't know they're spam?

Secondly, this tracking tech is commonly used in emails that you sign up for. So, don't confuse open rate tracking with spam.
Legitimate emails use it too.

Yes. Not all use of it is nefarious, of course. I didn't mean to imply otherwise.

But it is easily abused. Spammy marketing companies use it for their own needs and, since you never know who does and who does not have your best interests at heart, that makes the technology generally risky.

In Thunderbird, when I go to delete an email and click on its title, its content is automatically displayed.

Previewing is different from displaying. It does not necessarily show server-side images.
I use TB, and even when I do open emails, it won't show server-side images - unless I let it.

 

[OCR]

Every client is different, but disabling the remote images will eliminate most tracking.

This is how mine works. . .

We have some contract agreements with the government, and they require my

email address to be publicly viewable on certain sites that I use for contract

maintenance. . . you really need to know who to look for, and where to look, to

find it though. . .




It's not a big deal as far as I'm concerned, just part of doing business with the

government. . . .

.

 

[Stephen Tashi]

Simply displaying HTML does not send the tracking code as most email clients will not download images unless you ask them to

Maybe tracking can be done without images.

According to the Wikipedia article on web beacons: https://en.wikipedia.org/wiki/Web_beacon

This basic technique has been developed further so that all sorts of elements can be used as beacons. Currently these can include visible elements such as graphics, banners or buttons, but also non-pictorial HTML elements such as the frame, style, script, input link, embed, object, etc., of an email or web page.

 

[DaveC426913]

Maybe tracking can be done without images.

According to the Wikipedia article on web beacons: https://en.wikipedia.org/wiki/Web_beacon

Yeah that makes sense. All of those have at least one attribute that can contain a URL.
A URL makes a call back to the server, and thus can be appended with a unique key that the server can decode to know exactly which email it was sent to.

Pseudo-code:

<embed src="http://ourdomain.com/i-am-some-content.flv?target=this-was-sent-to-davec426913@domain.com">