Tracked email and privacy

ayahuasca · 8th June 2004, 05:38 PM

I know Fastmail already has the feature where tracking webbugs are blocked, but ReadNotify.com appears to use several different methods to violate privacy, and one or more of the methods they're using is getting past Fastmail. I know because I signed up for a trial ReadNotify account and sent myself an email to test it out, and as soon as I opened the message in the Fastmail web interface (but not in my desktop IMAP client) I got a read notification.
Here's one link about it-also read the comments because one of them goes into good detail about every html and css tag that can be abused to violate privacy in this way, and here's a link that shows the html source of a ReadNotify message so you can see some of the tricks they pull (IFRAME, and using the gopher protocol). In ReadNotify's own words, some of the methods they use.
This really creeps me out. I hope Fastmail can block these pigs.

LrdVader · 8th June 2004, 05:56 PM

Why not just bounce all messages sent through the readnotify.com servers? Can you post the headers so the rest of us can see what those servers are?

ayahuasca · 8th June 2004, 05:58 PM

I'm not sure how I would do that, it sounds like a capital idea to me. The test email I sent myself looked like it came from me, so how do I tell and block them?

LrdVader · 8th June 2004, 06:02 PM

The message headers should give it away. Let's have a look at them (with your address removed).

ayahuasca · 8th June 2004, 06:32 PM

Quote:

Return-Path: <XXXXX+megacreepy@fastmail.us>
Received: from frontend2.messagingengine.com (frontend2.internal [10.202.2.151])
by server3.fastmail.fm (Cyrus v2.3-prealpha) with LMTPA;
Tue, 08 Jun 2004 04:23:48 -0400
X-Sieve: CMU Sieve 2.2
X-Resolved-to: XXXXX@fastmail.us
X-Delivered-to: XXXXX@fastmail.us
X-Mail-from: XXXXX+megacreepy@fastmail.us
Received: from my.guardpuppy.com (unknown [208.185.243.103])
by smtp.us.messagingengine.com (Postfix) with ESMTP id D7BCE4F6D9E
for <XXXXX@fastmail.us>; Tue, 8 Jun 2004 04:23:42 -0400 (EDT)
Received: from my.guardpuppy.com (localhost.localdomain [127.0.0.1])
by my.guardpuppy.com (8.12.10/8.12.10) with ESMTP id i588NaUG028300
for <XXXXX@fastmail.us>; Tue, 8 Jun 2004 08:23:36 GMT
Received: (from mail@localhost)
by my.guardpuppy.com (8.12.10/8.12.10/Submit) id i588NaUV028298
for XXXXX@fastmail.us; Tue, 8 Jun 2004 08:23:36 GMT
Received: from fuse1.fusemail.net (smtp.fusemail.net [69.31.1.141])
by my (8.12.10/8.12.10) with ESMTP id i588NXUG028283
for <XXXXX@fastmail.us>; Tue, 8 Jun 2004 08:23:33 GMT
Received: from fusemail.com
by fuse1.fusemail.net with asmtp (FuseMail extSMTP)
id 1BXbtM-0004EC-Vn
for XXXXX@fastmail.us; Tue, 08 Jun 2004 03:23:33 -0500
To: XXXXX@fastmail.us
Subject: testing
From: "Firstname Lastname" <XXXXX+megacreepy@fastmail.us>
Date: Tue, 08 Jun 2004 03:23:33 -0500
Message-ID: <opr89n9jtdmnh8ro@snowball>
User-Agent: Opera M2/7.51 (Win32, build 3798)
MIME-Version: 1.0
Content-Type: text/html; charset="iso-8859-15"
Content-Transfer-Encoding: 8bit
Disposition-Notification-To: XXXXX+megacreepy@fastmail.us
X-Confirm-Reading-To: XXXXX+megacreepy@fastmail.us
Return-Receipt-To: XXXXX+megacreepy@fastmail.us
X-Read-Notification: Courtesy of ReadNotify.com - http://www.tkuguj4hryep01.ReadNotify.com

I guess the X-Read-Notification gives it away, but unfortunately it appears one cannot count on this: one of the ReadNotify features is that you can optionally disable it. For instance, if I'm emailing george@hotmail.com, I send my email to george@hotmail.com.silent.readnotify.com instead of george@hotmail.com.readnotify.com and the header is stripped out.

Jeremy Howard · 8th June 2004, 08:07 PM

Can you try this on the beta server, and tell us if webbugs are still not squashed fully?

bitequator · 8th June 2004, 08:07 PM

Keep up the fight (and let us know - yes I'm lazy)

I know it's asking too much, but later you might even want to look into others. List I have from the forum:

- http://didtheyreadit.com
- http://havetheyreadityet.com
- http://msgtag.com
- http://postofficer.com/p (& http://postofficer.com/aet)
- http://readnotify.com
- http://returnreceipt.com
- http://sentthere.com
- http://trackthis.cc

Some are intentionally more conservative. Anyways Googling or web directory search will probably turn up gazillion others...

LrdVader · 9th June 2004, 04:16 AM

I managed to Google up a sample message from Readnotify in some mailing list archive last night, and I notice that both that message and the one you posted were relayed through the server my.guardpuppy.com. A Whois lookup shows that guardpuppy.com and readnotify.com are registered to the same person.

So, at least for the moment, it looks like rejecting mail relayed through a guardpuppy.com server should keep these scumbags out of your inbox.

neilj · 9th June 2004, 04:52 AM

Quote:

Originally posted by Jeremy Howard
Can you try this on the beta server, and tell us if webbugs are still not squashed fully?

I just tested - the web bug protection stops the tracking - consider them (for the moment at least) well and truly squashed.

Neil

ayahuasca · 9th June 2004, 06:31 AM

I just tested on the beta server as well, and neilj is right: they never realize that I've opened the message.
There's still a problem, though it pales in comparison it's still creepy: they're hijacking URLs! Instead of http://www.opera.com/m2 my link in my email is now http://www.ztgnknginf66gk.readnotify....opera.com/m2/. As soon as I clicked the link, they registered me as having viewed the message. Can anything be done about the link hijackings or am I asking for too much effort in return for too little reward?

ayahuasca · 9th June 2004, 06:32 AM

LrdVader-nice job spotting the guardpuppy thing.

LrdVader · 9th June 2004, 06:39 AM

Quote:

Originally posted by ayahuasca
Can anything be done about the link hijackings or am I asking for too much effort in return for too little reward?

Unfortunately, doing anything about the link hijacking would require FM to alter the bodies of received messages, which is generally considered a major sin for an email provider.

What would be nice, if it's not too much work and too prone to false positives, would be a SpamAssassin test for Readnotify tricks in the body of the message. Even with a low score like 0.1, that would still add a nice header tag that a script could be set to filter on.

neilj · 9th June 2004, 06:41 AM

Quote:

Originally posted by ayahuasca
I just tested on the beta server as well, and neilj is right: they never realize that I've opened the message.
There's still a problem, though it pales in comparison it's still creepy: they're hijacking URLs! Instead of http://www.opera.com/m2 my link in my email is now http://www.ztgnknginf66gk.readnotify....opera.com/m2/. As soon as I clicked the link, they registered me as having viewed the message. Can anything be done about the link hijackings or am I asking for too much effort in return for too little reward?

Good catch, I didn't spot that - I never sent any links. It might be worth trying to stop that, but unfortunately each tracking service is going to use a different method, which makes it kinda tricky. In this case you couldn't do the simple thing of truncating everything before the last "http" in the string as you would end up with a mal-formed link.

Neil

ayahuasca · 10th June 2004, 04:07 PM

I'll just hover over every link prior to clicking it, which I do anyway. It's not likely anyone corresponding with me would use one of these services anyway, and they would hear quite an earful if I discovered they did.

8th June 2004, 05:38 PM	#1
ayahuasca Member Join Date: Jan 2004 Location: Chicago Posts: 92	Tracked email and privacy I know Fastmail already has the feature where tracking webbugs are blocked, but ReadNotify.com appears to use several different methods to violate privacy, and one or more of the methods they're using is getting past Fastmail. I know because I signed up for a trial ReadNotify account and sent myself an email to test it out, and as soon as I opened the message in the Fastmail web interface (but not in my desktop IMAP client) I got a read notification. Here's one link about it-also read the comments because one of them goes into good detail about every html and css tag that can be abused to violate privacy in this way, and here's a link that shows the html source of a ReadNotify message so you can see some of the tricks they pull (IFRAME, and using the gopher protocol). In ReadNotify's own words, some of the methods they use. This really creeps me out. I hope Fastmail can block these pigs.

8th June 2004, 05:56 PM	#2
LrdVader The "e" in e-mail Join Date: Oct 2003 Location: San Diego, CA Posts: 2,550	Why not just bounce all messages sent through the readnotify.com servers? Can you post the headers so the rest of us can see what those servers are?

8th June 2004, 05:58 PM	#3
ayahuasca Member Join Date: Jan 2004 Location: Chicago Posts: 92	I'm not sure how I would do that, it sounds like a capital idea to me. The test email I sent myself looked like it came from me, so how do I tell and block them?

8th June 2004, 06:02 PM	#4
LrdVader The "e" in e-mail Join Date: Oct 2003 Location: San Diego, CA Posts: 2,550	The message headers should give it away. Let's have a look at them (with your address removed).

8th June 2004, 08:07 PM	#6
Jeremy Howard Ultimate Contributor Join Date: Sep 2001 Location: Australia Posts: 11,452	Can you try this on the beta server, and tell us if webbugs are still not squashed fully?

8th June 2004, 08:07 PM	#7
bitequator The "e" in e-mail Join Date: Apr 2003 Location: USA Posts: 2,978	Keep up the fight (and let us know - yes I'm lazy) I know it's asking too much, but later you might even want to look into others. List I have from the forum: - http://didtheyreadit.com - http://havetheyreadityet.com - http://msgtag.com - http://postofficer.com/p (& http://postofficer.com/aet) - http://readnotify.com - http://returnreceipt.com - http://sentthere.com - http://trackthis.cc Some are intentionally more conservative. Anyways Googling or web directory search will probably turn up gazillion others...

9th June 2004, 04:16 AM	#8
LrdVader The "e" in e-mail Join Date: Oct 2003 Location: San Diego, CA Posts: 2,550	I managed to Google up a sample message from Readnotify in some mailing list archive last night, and I notice that both that message and the one you posted were relayed through the server my.guardpuppy.com. A Whois lookup shows that guardpuppy.com and readnotify.com are registered to the same person. So, at least for the moment, it looks like rejecting mail relayed through a guardpuppy.com server should keep these scumbags out of your inbox.

9th June 2004, 06:31 AM	#10
ayahuasca Member Join Date: Jan 2004 Location: Chicago Posts: 92	I just tested on the beta server as well, and neilj is right: they never realize that I've opened the message. There's still a problem, though it pales in comparison it's still creepy: they're hijacking URLs! Instead of http://www.opera.com/m2 my link in my email is now http://www.ztgnknginf66gk.readnotify....opera.com/m2/. As soon as I clicked the link, they registered me as having viewed the message. Can anything be done about the link hijackings or am I asking for too much effort in return for too little reward?

9th June 2004, 06:32 AM	#11
ayahuasca Member Join Date: Jan 2004 Location: Chicago Posts: 92	LrdVader-nice job spotting the guardpuppy thing.

10th June 2004, 04:07 PM	#14
ayahuasca Member Join Date: Jan 2004 Location: Chicago Posts: 92	I'll just hover over every link prior to clicking it, which I do anyway. It's not likely anyone corresponding with me would use one of these services anyway, and they would hear quite an earful if I discovered they did.