Testing didtheyreadit.com's Mail-Tracking Claims

iosdaemon writes "didtheyreadit.com claims to be able to track your sent email: "When, exactly, your email was opened. How long your email remained opened. Where, geographically, your email was viewed. DidTheyReadIt works with every single internet provider and e-mail account, including EarthLink, AOL, NetZero, Juno, Netscape, Hotmail, Yahoo, and much more." Read on for more. "This appears to be snake oil. I put it to test just in case someone had come up with some magical code. I sent email from a Yahoo.com account through the service, to an account on a Linux Box. Running tcpdump, I received the email from my pop and let 5 minutes pass before opening it. I left the message open with the cursor in the text for another 5 minutes. Tcpdump revealed absolutely no questionable traffic. And, the service control panel indicated the email had not been viewed. Sending email to a Yahoo.com account results in a 'read' in the service CP. But I had the message open for 10 minutes, and it indicated a 2-minute read......"

The company's "How it works" page explains the system to some degree; it involves redirecting all mail to be tracked through their servers by appending "didtheyreadit.com" to your recipient's email address. I doubt this is mutt-compatible ... Reader xrxzzy points out USAToday's article on the service as well.

Link doesn't work

[fatwreckfan]

Here's a working link: http://www.didtheyreadit.com/.

How it 'works'

[ZiZ]

This is nothing more than off-site image tracking, as has been seen in spam for ages and ages. Here's an example of the image it adds:

<img src="http://didtheyreadit.com/index.php/worker?cod e=2f985e815bd2b46450e 07957611ab6c9" width="1" height="1" /> So not only will it not work in text-based email clients (such as mutt), it won't work in modern versions of Outlook which block inline images by default. (It was nice enough to leave my plain-old-text message - "blah blah blah" - alone in the original format, as well as adding a text/html mangled version.)

Re:How it 'works'

[agm]

Evolution has this feature as well. I'm sure anyone internet savvy and aware of the spam problem would have a mail reader that prevents remote images from being displayed - which renders this service useless.

Re:How it 'works'

[RotJ]

Yahoo! and Hotmail also allow people to block all images until they explicitly approve them, so spammers can't track whether you've opened their spam. Didtheyreadit won't be able to either. So tracking for this service will be very spotty. For messages marked unread, you can NEVER know whether it was opened or not.

Re:How it 'works'

[amembleton]

This then allows their server to know when the mail was downloaded by the user without having to rely on images.

Unfortunatelly, I don't think it works like that. Their server will then send it to the users' server, or the mail server of their ISP or the mail sever of a webmail account such as Yahoo!, Gmail or Hotmail. Their server will send the message straight away, without any delay. The end user does not download the message from didtheyreadit.com sever, they download it from their usuall Yahoo! SMTP server or whatever their usuall mail server is.

Re:How it 'works'

[tigress]

Uhh, no. The recipient "downloads" their mail from their ISPs mailserver. There's nothing didtheyreadit.com can do to change that. What the extra ".didtheyreadit.com" does is simply being an email adress that forwards the mail to the recipients server, and adding a tracking-image to the mail.

Of course, if you don't believe me, please feel free to call my free 1-800 number and I'll explain it further. I promise not to redirect your call to an international $9.95/min number.

Re:How it 'works'

[alder]

...unless I decided to switch back to HTML.

Then you'll go to Tools -- Options... -- Advanced -- Privacy and make sure that "Block loading of remote images in mail messages" is checked. You'll gain nicely formatted messages (with images even if they are embedded) yet all remote images, that can track you, will be ignored.

Re:How it 'works'

[BuckaBooBob]

Not to mention if you have didtheyreadit.com in your hostfile with your loopback.

Re:How it 'works'

[eSavior]

Mozilla Thunderbird has the same feature, 1.tools->options...->advanced->privacy 2.check "Block loading of remote images in mail messages." 3.press okay

Re:How it 'works'

[darkonc]

I can't find such an option in Mozilla.

Edit ->
Preferences ->
Privacy & Security ->
Images ->
[checkbox] Do not load remote images in Mail and Newsgroup messages

It's probably the fact that it's under 'Privacy and Security', rather than 'Mail and news' that threw you.

Re:How it 'works'

[localhost00]

The way to defeat browser caching is to make the IMG SRC point to a CGI that returns a REDIRECT (302) that points to the single-pixel image. So you might have IMG SRC="server/path/to/cgi?key1=val1&key2=val2". The browser will have to tick the CGI because it has "dynamic" parameters. However, the CGI has to return a REDIRECT because an intelligent proxy server in the middle might be trying to cache the output too. You don't care if the single-pixel image itself is cached, you just want to capture the CGI hit with all the parameters.

Go.com web-email actually throws in an extra parameter, like &r=[some random integer], to each link as a way to get around cache.

Re:How it 'works'

[jonadab]

> Their server will then send it to the users' server

Additionally, even the recipient's mail server (at the recipient's ISP,
usually) does not know when (or if) the recipient reads the message. Well,
maybe with IMAP, but not with POP3. The protocol really only handles
retrieval, and almost all mail clients just retrieve all the messages in
batch, and the user can read them whenever: right away, minutes later,
months later, whenever. There is no provision in the POP3 protocol (or
AFAIK any of the various extensions, most of which are in any case not
supported by most servers and many of which are also not supported by most
clients) for the server to be contacted when this happens. I've personally
implemented the server side of the POP3 protocol and can attest that there
is no provision for this.

So even the user's own ISP's mail server only knows when the user's computer
retrieves the message, not when it's read.

The only way the service could work, then, is if the client does something
to let the service know that the message has been read. That absolutely
requires support from the client, support MOST mail clients do not provide.
I imagine they're relying on a feature that is common to Outlook and the
most popular webmail services, but in any case the "works regardless of mail
cient" claim is obviously without any merit.

Re:How it 'works'

[LordHedgehog]

Worth pointing out that my SpamAssassin settings give considerable weight to image trackers. I doubt I'm alone in bumping that test up.

If anyone hear tries to send me a DidTheyReadIt e-mail, be forewarned that not only will my mail client not display inline images, but it'll probably fall in the bit bucket as spam.

Re:How it 'works'

[Seumas]

I was specifically speaking to the claims of the company I have heard on the radio as I quoted in my post. That is, a company that not only claims to tell you the information the original article's company does - but to allow you to also have full control over your message. Meaning that you could delete the email and any attachments from all mankind with a simple keystroke - which is clearly fraudulent and absurd.

The company is called BigString.com and they claim their email is:

* recallable
* erasable
* changeable
* allow time delay of sending emails
* time out of sent emails
* report of when your messages are opened
* the ability to only alow images to be viewed once and not allowed to be forwarded
* ability to prevent messages from being printed
* ability to prevent messages from being saved

I have not researched the company because it is either entirely bullshit or proprietary as I can clearly access any email, save it and then do whatever I want with it - BigString be damned.

The only way I can see this working is if the sender has to hav an account on their server and the recipient has to have an account on their server and then they employ some form of scripting with custom external (non mailstore) storage of messages and images tied together with a key or webbug/htmlbug.

If you ask me, these claims and offerings are far above and beyond that of the USA Today article or this Slashdot article.

They also claim that the technology is "patent-pending" and that sending email is the same as any regular email.

Bigstring is the sole provider of fully Erasable-Recallable Email. Pioneering the field with our unique patent-pending technology, we empower our users with the ability to take control of their email. The best part is that it is easy to use - in fact there is no difference from regular email.
Three years ago, the Bigstring founders set out to build the best Spam fighting email system on the planet, and then, quite by accident, they invented the world's first fully erasable email and didn't even realize it. A few months ago, one of the founders, Darin, sent an important new client an email with the wrong attachment. Upset, he asked his partners if there was any way that you could recall an email; the immediate answer was "No"!!! Then, Dave scratched his head... and said, "Well, if we modify the new system just a little, you can erase your mail, edit it, change attachments, set it to expire at a certain time and even know when it's been read." Darin said, "So, it's like you have a big string on your email and pull it back"...and Bigstring was born.

Re:How it 'works'

[lostchicken]

Patent law cannot be circumvented with a clean-room designed algorithm. A lack of knowledge of the original source will not get you out of a patent suit, just copyright issues. So, if you are trying to make a web bug, you'd best read this and do something completely different, because no matter what, you can't use the above described technique without being in violation of IBM's patent. Not even if you came up with it all by yourself.

Re:How it 'works'

[OhHellWithIt]

That's where the original posters "treble damages" come from. He ment "triple damages",

There should be no confusion with this.

From Merriam-Webster Ninth New Collegiate Dictionary
treble adj. [ME, fr. MF, fr. L triplus -- more at TRIPLE] ... 1 b: triple in number or amount.

this is cool

[quelrods]

Well, it will tell you when they opened the email/how many times/etc. (assuming they have an html enabled email client.) It works w/ yahoo mail but not with pine. The infinite refresh to tell how long they read the email for is annoying in that it makes it look like the email never finished loading. Can someone see how outlook responds to this? (I haven't a windows box)

OE read receipts

[gbjbaanb]

considering the non-friendly hack that you need to go through to get this working, wouldn't it be better to capture the data sent by Outlook and OE's read receipts and implement something compatible in Mozilla and other email clients.

I only say use the Outlook 'standard' because it doesn't seem there's any others, and it'd be a bit useless if we had multiple versions.

If we want read receipts, that is. Personally I turn them off, and don't send them.

Re:OE read receipts

[Ryquir]

Uhmm... you do understand that Mozilla and other E-mail client do actually have read receipts and that this isn't a "MS" standard?

The only difference in clients abilities with regards to read receipts is how they present you the uninformed user the dialog box saying "Sender has requested you inform them that you have read this message".

Re:OE read receipts

Or you could simply read the RFC. Seems a lot less trouble than packet sniffing and reverse engineering.

get your privacy back easily

[xlyz]

just set your mail client to not download images

Re:get your privacy back easily

[MntlChaos]

it's the default. so just type pine and it's set up to not download images

Re:fp!

[TheViciousOverWind]

Nothing special, just "Webbug" images, which spamfilters such as SpamAssasin (in the default setting) adds point to as more likely to be spam, so using DidTheyReadIt users mail is more likely to end up in a spamfolder than any other type of mail.

On another note, I find it's walking on the thin red line of immoral behavior, and I know here in Denmark there've been several companies who've got bad publicity because of using said method.

Re:Single pixel gif?

[octalc0de]

Perhaps the single pixel gif never finishes loading. That way, as long as the connection remains open, the web server clocks how long you're on the image.

Not very useful!

[edoc]

This is not very useful as it is only tracking the images that are being loaded when the email is being viewed. However, most email clients now block these inline images from being loaded so this software will not function. In text based email clients it also will not function at all. These features have already been included in such email clients as evolution.

Re:Single pixel gif?

[Neon+Spiral+Injector]

The time is probably calculated by not actually sending the image file, or sending it very slowly. So they just keep the HTTP session open, then note when the client closes. That would limit the tracking time to when the connection times out. Like the author said, he left the Yahoo mail open for 10 minutes and it only reported 2.

An additional note, Yahoo does have an option to disable remote images, which would also break this.

Seems this company is too late to the party. Almost all current e-mail clients now don't or have an option to not to load remote images.

It's an animated GIF!

It embeds a single pixel image, but it appears to keep feeding you the image forever, at a rate of a byte a second. Thus, if you use an HTML image reader that loads embedded graphics from random servers, they will know how long you had it open for.

Of course, if you use an email program that's that, umm, "open", they could just embed a trojan in it and add features like listening to what you say when you open the mail, and pictures of you reading it. :)

Re:Single pixel gif?

[ilikejam]

Yup. Confirmed.
At the bottom of the mail is:

<img src="http://didtheyreadit.com/index.php/worker?cod e=xxxxxxxxxxxxxxxxxxxxx" width="1" height="1" />

Oh well. Should prove very effective against those without the sense to turn off images anyway. Lets hear it for making money from people's ignorance!

eeevviiilll!

[Gaima]

http://www.rampellsoft.com/, the people bringing you didtheyreadit looks to me like a really evil company.

software products to make your life on a computer easier and more efficient. by secretly spying on your spouse, kids and employees.
Oh, sorry, record, my bad.

/me goes back to kmail in text/plain by default, happy, safe, and in privacy.

This would fail with GMail

[tji]

By default, Google mail has images turned off. You have to click a link at the top of the message to force it to load the images.

Most other mailers also have a way to turn off image loading because spammers have been using this tracking technique for a long time. If mailers don't allow image blocking yet, I'm sure that a service like this will get them to add that trivial feature.

Re:This would fail with GMail

[attemptedgoalie]

Outlook 2003 blocks images as well.

Outlook Express will when XP SP2 hits at end of July.

Yahoo, and Gmail too...

[QangMartoq]

Both of these web-based email services have the ability to block loading of images in spam, though, at least with Yahoo, it's worthy to note that this feature extends only to messages stored in your 'Bulk' folder.

As to Gmail, I don't know, but from what I've heard it works in a similar way.

Also, the newer versions of AOL diasable images in emails by default, requiring the user to click on an 'Enable images and links' option on each email they want to see images/have working links in.

Having email clients disable images by default (Which sems to be an increasing trend) will relegate this 'service' to the wasteland of failed dot coms pretty quickly, I'd think. When this happens, I wont be one to shed a tear. I have no desire for anyone that emails me to be able track if I have read their message. If I have, and I choose to respond to it, then they know. If I don't respond, they can keep guessing.

quick prevention of getting tracked by this...

[griffjon]

Not that I let my email client load images anyway, but just because I'm spiteful, I think I'll go add
"127.0.0.1 didthereadit.com" to my /etc/hosts file. (c:\windows\hosts in win98, C:\windows\system32\drivers\etc\ in XP, )

Better alternative

[mapinguari]

If you're wanting to use something along these lines, a more up-front company that doesn't use invisible web bugs is HaveTheyReadItYet.

They use images of stamps, which are customizable, which is kind of a cool idea.

However, this only available for Windows.

Easy fix...

[jafiwam]

just put:

127.0.0.1 didtheyreadit.com

In your hosts file...

Or put an authoritative zone in your DNS servers if you have access.

Done, no query reaches their server.

Yahoo and Hotmail image loading

[AzureLunatic]

Yahoo mail has the option to block all images from loading by default (not just in the sorted-as-spam bucket), warns the user when images are blocked from loading, and allows loading of images on a message-by-message basis.

However, this option must be hunted down and turned on.

Hotmail does one better, and allows you to block all images from loading by default, and set rules so certain senders' images will always load as well as viewing images in a piece of mail on a case-by-case basis.

Re:This is easily defeated....

It's also defeated by web proxies that are set to block them. I recommmend privoxy, the descendant of that wonderful web proxy JunkBuster.

Re:Depressing...

[PTBarnum]

Outlook 2002:

To suppress all HTML rendering, add this key as a DWORD with value 1.

HKEY_CURRENT_USER\Software\Microsoft\Office\10.0 \O utlook\Options\Mail\ReadAsPlain

Outlook 2003:

I don't use this, but I understand there are preference settings in the app itself to suppress external images and possibly even turn off HTML.

Wonder how it compares with ReadNotify

[Krellan]

There is another company that claims to do this, ReadNotify.

It looks to be exactly the same kind of service as Didtheyreadit.com.

I first became aware of this company by reading Mozilla's bug report 28327 - http://bugzilla.mozilla.org/show_bug.cgi?id=28327 (cut/paste URL and open in new window).

Mozilla/Thunderbird also has trouble completely blocking all server contact in email, as it evidently doesn't sandbox the email environment enough (images may be blocked, but stylesheets and other external URL's can still leak through, last I checked).

BTW, there is a workaround if you use Mozilla/Thunderbird: set your View/Message Body As settings to "Simple HTML", or better yet, "Plain Text". This works 100%!

Tracking HTML e-mail without images or JavaScript

[Kent+Brewster]

You can do this without using an image or JavaScript, and give away nothing in the source of the message. Here's one way, using Apache, .htaccess, and PHP:

1) In the header of your HTML e-mail message, load up a style sheet:

<style type="text/css">
@import "http://your.server.com/your.css";
</style>

2) In the server directory containing your CSS file, add the following line to .htaccess:

AddType application/x-httpd-php .css

Any file ending in .css under this directory will now be run as if it were a PHP script.

3) Save this as your.css:

<?php
require "track_message.php";
?>

Done. No images, no JavaScript ... any reader that accepts HTML messages will trigger track_message.php, and nothing unusual will be visible in source code, even if some curious person pulls down http://your.server.com/your.css to take a look.

Re:They may have their patent sticker but. . . .

[julesh]

I'm sorry, it isn't either novel or non-trivial. I've been using this technique since 1997, when I read it as a recommended technique in a book on CGI programming that had been published years before.

It is obvious. In fact, it's about the easiest way of solving the problem of a CGI script that produces an image, let alone cache-busting.