What's the latest on emails that spy?

  • Thread starter Stephen Tashi
  • Start date
In summary: Anyway, Boomerang for Gmail has this feature. It will append a small link at the end of the mail, and tell the receiver of the email that it is tracking the mail. The receiver has the option to stop the tracking I guess. Personally, I haven't used this feature yet (a message stating "This email is being tracked" will not be very good-looking in official mails).There are also many other email clients that offer this same feature. Outlook, or rather the Microsoft Exchange email server, uses its own protocol for message delivery which supports read notifications, but when it sends emails outside the organisation it has to use the universal SMTP protocol which does not.
  • #1
Stephen Tashi
Science Advisor
7,861
1,598
TL;DR Summary
I've read that features can be built into emails that report back to the sender what he person who received the email does with it. What's the latest news on that technology?
Several years ago, I read that features can be built into emails that report back to the sender what the person who received the email does with it - at least report whether the email was opened and when this happened. It involved including a tiny picture in the email that would be opened when the email was read. That would somehow report information back to the sender. There were programs (mainly oriented to MS Windows) that advertised giving the email sender this power. Is that technology real? What are the latest developments in it?
 
Last edited:
  • Like
Likes Greg Bernhardt
Computer science news on Phys.org
  • #2
Don't know about the latest but for many years Outlook (the desktop application at least) has had an option to ask an email to report back when it is opened, BUT ... it also provides the recipient (at least Outlook recipients) with the option as to whether or not to actually execute that action.

EDIT: and by the way, I have no idea whether or not that action is even meaningful if the email is received by an email system other than Outlook desktop.
 
Last edited:
  • Like
Likes Stephen Tashi and Klystron
  • #3
The MailCHimp bulk email distribution service can tell you if someone has looked at an email you sent, whether they decided to unsubscribe from your list and whether they looked at it a second time...

Usually this is done with a tracking pixel scheme where the pixel when accessed is associated with a single subscriber so that each time you view a web page that tracking pixel jpg gets requested from the service and the service then knows the user is looking at the email again.

https://en.ryte.com/wiki/Tracking_Pixel
I'm sure there are other ways using javascript but I think the single pixel approach works even if javascript it off. It will only fail with html is disabled in your email client which isn't uncommon as viewing your email as is is preferable to clicking on a malware link.
 
  • Like
  • Informative
Likes WWGD, Stephen Tashi and anorlunda
  • #4
Stephen Tashi said:
Several years ago, I read that features can be built into emails that report back to the sender what the person who received the email does with it - at least report whether the email was opened and when this happened.
Boomerang for Gmail has this feature. It will append a small link at the end of the mail, and tell the receiver of the email that it is tracking the mail. The receiver has the option to stop the tracking I guess. Personally, I haven't used this feature yet (a message stating "This email is being tracked" will not be very good-looking in official mails).
 
  • Like
Likes Stephen Tashi
  • #5
Yeah, it would be better to say this email is NOT being tracked, wink wink!
 
  • Haha
Likes Wrichik Basu
  • #6
jedishrfu said:
I'm sure there are other ways using javascript but I think the single pixel approach works even if javascript it off. It will only fail with html is disabled in your email client which isn't uncommon as viewing your email as is is preferable to clicking on a malware link.

I am not aware of any email client that sends javascript contained in emails - this would be an unacceptable security risk. Simply displaying HTML does not send the tracking code as most email clients will not download images unless you ask them to and so the sender initially has no way of knowing if you have read the email, but as soon as you choose to display images they receive the code.

phinds said:
Don't know about the latest but for many years Outlook (the desktop application at least) has had an option to ask an email to report back when it is opened, BUT ... it also provides the recipient (at least Outlook recipients) with the option as to whether or not to actually execute that action.

EDIT: and by the way, I have no idea whether or not that action is even meaningful if the email is received by an email system other than Outlook desktop.

Outlook, or rather the Microsoft Exchange email server, uses its own protocol for message delivery which supports read notifications, but when it sends emails outside the organisation it has to use the universal SMTP protocol which does not.
 
  • Informative
Likes Klystron and phinds
  • #7
Stephen Tashi said:
Summary: I've read that features can be built into emails that report back to the sender what he person who received the email does with it. What's the latest news on that technology?

Several years ago, I read that features can be built into emails that report back to the sender what the person who received the email does with it - at least report whether the email was opened and when this happened.
This is very widespread and common email marketing technology. Nearly any promotional or subscribed email will have this monitoring. It is not usually offered by email services but by marketing platforms. Open rates are just used to determine the success of an email campaign.
 
  • #8
Greg Bernhardt said:
This is very widespread and common email marketing technology.
Is there anything we can do to block it?
 
  • #9
anorlunda said:
Is there anything we can do to block it?
Every client is different, but disabling the remote images will eliminate most tracking.
 
  • Informative
Likes anorlunda
  • #10
Greg Bernhardt said:
Every client is different, but disabling the remote images will eliminate most tracking.
Thanks. Gmail does allow you to disable images, or to ask each time. They also said the following. The way they word it, they do not necessarily think tracking is harmful.

https://support.google.com/mail/answer/145919?co=GENIE.Platform%3DDesktop&hl=en said:
How Gmail helps make images safe
Google scans images for signs of suspicious content before you receive them.

These scans make images safer because:

  • Senders can’t use image loading to get information about your computer or location.
  • Senders can’t use the image to set or read cookies in your browser.
  • Gmail checks the images for known harmful software.
Sometimes, senders may know whether you've opened an email that has an image. Gmail scans every message for suspicious content. If Gmail thinks a sender or message is suspicious, images aren’t shown and you’ll be asked if you want to see the images.
 
  • #11
anorlunda said:
The way they word it, they do not necessarily think tracking is harmful.
Note, Google is one of the biggest trackers in the world, but that being said, I don't think it's a concern either. Do you really care if a promotional email knows you opened it or not? In some ways it's helpful, but it gives them indication whether you thought the title was interesting enough to open, which just leads to more interesting titles.

BTW, this is no different on forums. aka, a good interesting title = higher open rates = more viewers = more replies = more fun!
 
  • Informative
  • Like
Likes Wrichik Basu and Klystron
  • #12
Greg Bernhardt said:
Note, Google is one of the biggest trackers in the world, but that being said, I don't think it's a concern either. Do you really care if a promotional email knows you opened it or not?
It also tells them they've reached a valid, active email address and recipient.
It's analogous to a robocall on your phone that detects when the phone has been answered, so that your number can be subsequently targeted for spam calls.
Greg Bernhardt said:
...whether you thought the title was interesting enough to open, which just leads to more interesting titles.
It leads to more spam. They've identified that you - of the countless hundreds of thousands of silent, apathetic users - are a conduit for possible sales.
Greg Bernhardt said:
BTW, this is no different on forums. aka, a good interesting title = higher open rates = more viewers = more replies = more fun!
Nice try. 😕 Users come to fora looking for content (pull); fora don't push unsolicited content to a user's private space.
 
  • Like
Likes phinds
  • #13
DaveC426913 said:
It also tells them they've reached a valid, active email address and recipient.
It's analogous to a robocall on your phone that detects when the phone has been answered, so that your number can be subsequently targeted for spam calls.

It leads to more spam. They've identified that you - of the countless hundreds of thousands of silent, apathetic users - are a conduit for possible sales.
what he said (very small).jpg
 
  • #14
Tell me something: is it actually safe to enable this tracking for personal use? I mean, aren't these people actually reading what you are sending?
 
  • #15
DaveC426913 said:
It also tells them they've reached a valid, active email address and recipient.

You don't need open rate tracking for this. The server will send a bounce response to the sender if the email address is not valid.

DaveC426913 said:
It leads to more spam. They've identified that you - of the countless hundreds of thousands of silent, apathetic users - are a conduit for possible sales.

First of all, why are you opening spam emails? Secondly, this tracking tech is commonly used in emails that you sign up for. So, don't confuse open rate tracking with spam. Legitimate emails use it too. Maybe even more so because at bulk levels it's not free. It's part of marketing platforms you pay for.

DaveC426913 said:
Nice try. 😕 Users come to fora looking for content (pull); fora don't push unsolicited content to a user's private space.

See above.
 
  • #16
Wrichik Basu said:
Tell me something: is it actually safe to enable this tracking for personal use? I mean, aren't these people actually reading what you are sending?
There is nothing unsafe about email open rate tracking.

1. Don't open spam
2. Unsubscribe from campaigns you don't want anymore
3. Personal use is very rare
4. Sleep well at night and worry about more important things
 
  • #17
Greg Bernhardt said:
There is nothing unsafe about email tracking.

1. Don't open spam
2. Unsubscribe from campaigns you don't want anymore
3. Personal use is very rare
4. Sleep well at night and worry about more important things
I am not talking about spam. I am talking about the emails that I am sending to others.
 
  • #18
Wrichik Basu said:
I am not talking about spam. I am talking about the emails that I am sending to others.
What's the difference? I don't understand the concern over whether or not someone knows you opened an email or not. The vast majority of personal email users don't track open rates and there is no issue even if they are.
 
  • Like
Likes Wrichik Basu
  • #19
Greg Bernhardt said:
What's the difference? I don't understand the concern over whether or not someone knows you opened an email or not. The vast majority of personal email users don't track open rates and there is no issue even if they are.
Actually, it doesn't matter to me if the sender wants to know if I opened the email or not. My concern is this: say I enable the email tracking for my account, which means every mail I send, is tracked. Does this imply that the tracking agency is reading the contents of the email (i.e. the body, in addition to recipient information)? If they do so, they can use the information in some illegal way if they want, right?
 
  • #20
Wrichik Basu said:
Does this imply that the tracking agency is reading the contents of the email (i.e. the body, in addition to recipient information)? If they do so, they can use the information in some illegal way if they want, right?
Nope, all that happens is when your email client requests the tracking image, that request is logged as "email opened". That is it.
 
  • Like
Likes Wrichik Basu
  • #21
pbuk said:
Simply displaying HTML does not send the tracking code as most email clients will not download images unless you ask them to

On Thunderbird, I get the notification "Thunderbird had blocked the remote content ...", but I wonder how many people set up their email clients this way - especially if they read email on their smart phones.

Instead of using an email client program like Thunderbird, many people use the web interface offered by the email provider. So when we say that gmail does something, are we saying that gmail does it for people who use the gmail web interface?

An interesting article: https://en.wikipedia.org/wiki/Web_beacon
 
  • #22
Greg Bernhardt said:
First of all, why are you opening spam emails?

In Thunderbird, when I go to delete an email and click on its title, its content is automatically displayed.

If I pick a batch of emails to delete by clicking on the first one and the last one, their contents are displayed, but not the contents of the ones in between.
 
  • #23
Stephen Tashi said:
In Thunderbird, when I go to delete an email and click on its title, its content is automatically displayed.

If I pick a batch of emails to delete by clicking on the first one and the last one, their contents are displayed, but not the contents of the ones in between.
You need to get a new mail system.
 
  • Like
Likes Greg Bernhardt
  • #24
Wrichik Basu said:
My concern is this: say I enable the email tracking for my account, which means every mail I send, is tracked. Does this imply that the tracking agency is reading the contents of the email (i.e. the body, in addition to recipient information)?
You have to be more specific about who you are asking about. If you send a email to a third party, now you are asking about the the third party's provider reading your content you. There are too many parties involved for a general answer.

If you use gmail, yes Google reads everything you send or receive. But gmail also offers the benefit of a very effective spam filter. Spam reaches my inbox less than once per month. That spam filter eliminates 95% of the email risks up front. I know other PF regulars managing their own company email, who spend many hours every week combating spam. I don't have to do that because I use gmail.

We can all decide to sell our privacy. Give up some privacy in return for some benefit. Maximum online privacy is achieved by never going online. But the annoying part is the lack of transparency. The invasions of my privacy that I'm not aware of and that I do not explicitly agree to.
 
  • Like
Likes Wrichik Basu and Klystron
  • #25
While sitting around the radar control room for a mega-city airport, I advised my coworkers to assume conversations were monitored, that privacy as we knew it was a relic of the past.

The next morning the TRA-CON supervisor half-jokingly repeated our conversation and agreed with my premise. This was in 1973 roughly ten years before I would install sendmail / SMTP on a computer.

As a software engineer I tried to respect privacy by not opening the DATA part of mail packets but by design UNIX mail programs copied messages, more like a fax than snail-mail. Sender and receiver servers stored copies of traffic with numerous timestamps. Lifetime for server copies defaulted to 10 minutes in theory. With on-the-fly server backups a copy exists somewhere. If not data, at least the handshakes and transmission times of each packet.
 
  • Like
Likes Wrichik Basu
  • #26
Greg Bernhardt said:
You don't need open rate tracking for this. The server will send a bounce response to the sender if the email address is not valid.
Active email. An email that is actually getting eyeballs. That's valuable.
Greg Bernhardt said:
First of all, why are you opening spam emails?
Uh, because you very often don't know they're spam?
Greg Bernhardt said:
Secondly, this tracking tech is commonly used in emails that you sign up for. So, don't confuse open rate tracking with spam.
Legitimate emails use it too.
Yes. Not all use of it is nefarious, of course. I didn't mean to imply otherwise.

But it is easily abused. Spammy marketing companies use it for their own needs and, since you never know who does and who does not have your best interests at heart, that makes the technology generally risky.

Stephen Tashi said:
In Thunderbird, when I go to delete an email and click on its title, its content is automatically displayed.
Previewing is different from displaying. It does not necessarily show server-side images.
I use TB, and even when I do open emails, it won't show server-side images - unless I let it.
 
  • #27
Greg Bernhardt said:
Every client is different, but disabling the remote images will eliminate most tracking.
This is how mine works. . .

1566381115124.png
We have some contract agreements with the government, and they require my

email address to be publicly viewable on certain sites that I use for contract

maintenance. . . you really need to know who to look for, and where to look, to

find it though. . .

It's not a big deal as far as I'm concerned, just part of doing business with the

government. . . . :oldeyes:

.
 
Last edited:
  • #28
pbuk said:
Simply displaying HTML does not send the tracking code as most email clients will not download images unless you ask them to

Maybe tracking can be done without images.

According to the Wikipedia article on web beacons: https://en.wikipedia.org/wiki/Web_beacon

This basic technique has been developed further so that all sorts of elements can be used as beacons. Currently these can include visible elements such as graphics, banners or buttons, but also non-pictorial HTML elements such as the frame, style, script, input link, embed, object, etc., of an email or web page.
 
  • Informative
  • Like
Likes Klystron and anorlunda
  • #29
Stephen Tashi said:
Maybe tracking can be done without images.

According to the Wikipedia article on web beacons: https://en.wikipedia.org/wiki/Web_beacon
Yeah that makes sense. All of those have at least one attribute that can contain a URL.
A URL makes a call back to the server, and thus can be appended with a unique key that the server can decode to know exactly which email it was sent to.

Pseudo-code:
Code:
<embed src="http://ourdomain.com/i-am-some-content.flv?target=this-was-sent-to-davec426913@domain.com">
 

1. What do you mean by "emails that spy"?

"Emails that spy" refers to emails that are designed to collect personal information or monitor the recipient's online activities without their consent. These emails may contain malicious links or attachments that can infect the recipient's device with spyware or other tracking software.

2. How do these spy emails work?

Spy emails typically use social engineering techniques to trick the recipient into opening them or clicking on a link or attachment. Once opened, the spyware is downloaded onto the recipient's device and can track their online activities, capture personal information, or even take control of their device.

3. What are the risks of receiving these types of emails?

The risks of receiving spy emails include having your personal information stolen, being a victim of identity theft, having your online activities monitored, and potentially having your device compromised. These risks can lead to financial losses, privacy violations, and other security threats.

4. How can I protect myself from these emails?

To protect yourself from spy emails, you should always be cautious when opening emails from unknown senders or those that seem suspicious. Avoid clicking on links or opening attachments from these emails, and be sure to have up-to-date antivirus and anti-malware software on your device.

5. What should I do if I think I have received a spy email?

If you suspect that you have received a spy email, do not open any links or attachments and delete the email immediately. You can also report the email to your email provider or local authorities. It is also recommended to run a full scan of your device with antivirus software to check for any potential infections.

Similar threads

  • Computing and Technology
Replies
15
Views
4K
  • Computing and Technology
Replies
20
Views
2K
  • Computing and Technology
Replies
30
Views
1K
Replies
86
Views
14K
  • STEM Academic Advising
Replies
5
Views
2K
Replies
39
Views
7K
  • Feedback and Announcements
Replies
0
Views
94K
Replies
1
Views
551
  • Feedback and Announcements
Replies
13
Views
3K
  • Feedback and Announcements
Replies
1
Views
208
Back
Top