Testing didtheyreadit.com's Mail-Tracking Claims

iosdaemon writes "didtheyreadit.com claims to be able to track your sent email: "When, exactly, your email was opened. How long your email remained opened. Where, geographically, your email was viewed. DidTheyReadIt works with every single internet provider and e-mail account, including EarthLink, AOL, NetZero, Juno, Netscape, Hotmail, Yahoo, and much more." Read on for more. "This appears to be snake oil. I put it to test just in case someone had come up with some magical code. I sent email from a Yahoo.com account through the service, to an account on a Linux Box. Running tcpdump, I received the email from my pop and let 5 minutes pass before opening it. I left the message open with the cursor in the text for another 5 minutes. Tcpdump revealed absolutely no questionable traffic. And, the service control panel indicated the email had not been viewed. Sending email to a Yahoo.com account results in a 'read' in the service CP. But I had the message open for 10 minutes, and it indicated a 2-minute read......"

The company's "How it works" page explains the system to some degree; it involves redirecting all mail to be tracked through their servers by appending "didtheyreadit.com" to your recipient's email address. I doubt this is mutt-compatible ... Reader xrxzzy points out USAToday's article on the service as well.

Link doesn't work

[fatwreckfan]

Here's a working link: http://www.didtheyreadit.com/.

How it 'works'

[ZiZ]

This is nothing more than off-site image tracking, as has been seen in spam for ages and ages. Here's an example of the image it adds:

<img src="http://didtheyreadit.com/index.php/worker?cod e=2f985e815bd2b46450e 07957611ab6c9" width="1" height="1" /> So not only will it not work in text-based email clients (such as mutt), it won't work in modern versions of Outlook which block inline images by default. (It was nice enough to leave my plain-old-text message - "blah blah blah" - alone in the original format, as well as adding a text/html mangled version.)

Re:How it 'works'

[agm]

Evolution has this feature as well. I'm sure anyone internet savvy and aware of the spam problem would have a mail reader that prevents remote images from being displayed - which renders this service useless.

Re:How it 'works'

[RotJ]

Yahoo! and Hotmail also allow people to block all images until they explicitly approve them, so spammers can't track whether you've opened their spam. Didtheyreadit won't be able to either. So tracking for this service will be very spotty. For messages marked unread, you can NEVER know whether it was opened or not.

Re:How it 'works'

[amembleton]

This then allows their server to know when the mail was downloaded by the user without having to rely on images.

Unfortunatelly, I don't think it works like that. Their server will then send it to the users' server, or the mail server of their ISP or the mail sever of a webmail account such as Yahoo!, Gmail or Hotmail. Their server will send the message straight away, without any delay. The end user does not download the message from didtheyreadit.com sever, they download it from their usuall Yahoo! SMTP server or whatever their usuall mail server is.

Re:How it 'works'

[tigress]

Uhh, no. The recipient "downloads" their mail from their ISPs mailserver. There's nothing didtheyreadit.com can do to change that. What the extra ".didtheyreadit.com" does is simply being an email adress that forwards the mail to the recipients server, and adding a tracking-image to the mail.

Of course, if you don't believe me, please feel free to call my free 1-800 number and I'll explain it further. I promise not to redirect your call to an international $9.95/min number.

Re:How it 'works'

[alder]

...unless I decided to switch back to HTML.

Then you'll go to Tools -- Options... -- Advanced -- Privacy and make sure that "Block loading of remote images in mail messages" is checked. You'll gain nicely formatted messages (with images even if they are embedded) yet all remote images, that can track you, will be ignored.

Re:How it 'works'

[BuckaBooBob]

Not to mention if you have didtheyreadit.com in your hostfile with your loopback.

Re:How it 'works'

[darkonc]

I can't find such an option in Mozilla.

Edit ->
Preferences ->
Privacy & Security ->
Images ->
[checkbox] Do not load remote images in Mail and Newsgroup messages

It's probably the fact that it's under 'Privacy and Security', rather than 'Mail and news' that threw you.

Re:How it 'works'

[lostchicken]

Patent law cannot be circumvented with a clean-room designed algorithm. A lack of knowledge of the original source will not get you out of a patent suit, just copyright issues. So, if you are trying to make a web bug, you'd best read this and do something completely different, because no matter what, you can't use the above described technique without being in violation of IBM's patent. Not even if you came up with it all by yourself.

this is cool

[quelrods]

Well, it will tell you when they opened the email/how many times/etc. (assuming they have an html enabled email client.) It works w/ yahoo mail but not with pine. The infinite refresh to tell how long they read the email for is annoying in that it makes it look like the email never finished loading. Can someone see how outlook responds to this? (I haven't a windows box)

get your privacy back easily

[xlyz]

just set your mail client to not download images

Re:fp!

[TheViciousOverWind]

Nothing special, just "Webbug" images, which spamfilters such as SpamAssasin (in the default setting) adds point to as more likely to be spam, so using DidTheyReadIt users mail is more likely to end up in a spamfolder than any other type of mail.

On another note, I find it's walking on the thin red line of immoral behavior, and I know here in Denmark there've been several companies who've got bad publicity because of using said method.

Re:Single pixel gif?

[Neon+Spiral+Injector]

The time is probably calculated by not actually sending the image file, or sending it very slowly. So they just keep the HTTP session open, then note when the client closes. That would limit the tracking time to when the connection times out. Like the author said, he left the Yahoo mail open for 10 minutes and it only reported 2.

An additional note, Yahoo does have an option to disable remote images, which would also break this.

Seems this company is too late to the party. Almost all current e-mail clients now don't or have an option to not to load remote images.

It's an animated GIF!

It embeds a single pixel image, but it appears to keep feeding you the image forever, at a rate of a byte a second. Thus, if you use an HTML image reader that loads embedded graphics from random servers, they will know how long you had it open for.

Of course, if you use an email program that's that, umm, "open", they could just embed a trojan in it and add features like listening to what you say when you open the mail, and pictures of you reading it. :)

Re:Single pixel gif?

[ilikejam]

Yup. Confirmed.
At the bottom of the mail is:

<img src="http://didtheyreadit.com/index.php/worker?cod e=xxxxxxxxxxxxxxxxxxxxx" width="1" height="1" />

Oh well. Should prove very effective against those without the sense to turn off images anyway. Lets hear it for making money from people's ignorance!

Re:OE read receipts

[Ryquir]

Uhmm... you do understand that Mozilla and other E-mail client do actually have read receipts and that this isn't a "MS" standard?

The only difference in clients abilities with regards to read receipts is how they present you the uninformed user the dialog box saying "Sender has requested you inform them that you have read this message".

eeevviiilll!

[Gaima]

http://www.rampellsoft.com/, the people bringing you didtheyreadit looks to me like a really evil company.

software products to make your life on a computer easier and more efficient. by secretly spying on your spouse, kids and employees.
Oh, sorry, record, my bad.

/me goes back to kmail in text/plain by default, happy, safe, and in privacy.

This would fail with GMail

[tji]

By default, Google mail has images turned off. You have to click a link at the top of the message to force it to load the images.

Most other mailers also have a way to turn off image loading because spammers have been using this tracking technique for a long time. If mailers don't allow image blocking yet, I'm sure that a service like this will get them to add that trivial feature.

quick prevention of getting tracked by this...

[griffjon]

Not that I let my email client load images anyway, but just because I'm spiteful, I think I'll go add
"127.0.0.1 didthereadit.com" to my /etc/hosts file. (c:\windows\hosts in win98, C:\windows\system32\drivers\etc\ in XP, )

Better alternative

[mapinguari]

If you're wanting to use something along these lines, a more up-front company that doesn't use invisible web bugs is HaveTheyReadItYet.

They use images of stamps, which are customizable, which is kind of a cool idea.

However, this only available for Windows.

Easy fix...

[jafiwam]

just put:

127.0.0.1 didtheyreadit.com

In your hosts file...

Or put an authoritative zone in your DNS servers if you have access.

Done, no query reaches their server.

Yahoo and Hotmail image loading

[AzureLunatic]

Yahoo mail has the option to block all images from loading by default (not just in the sorted-as-spam bucket), warns the user when images are blocked from loading, and allows loading of images on a message-by-message basis.

However, this option must be hunted down and turned on.

Hotmail does one better, and allows you to block all images from loading by default, and set rules so certain senders' images will always load as well as viewing images in a piece of mail on a case-by-case basis.

Wonder how it compares with ReadNotify

[Krellan]

There is another company that claims to do this, ReadNotify.

It looks to be exactly the same kind of service as Didtheyreadit.com.

I first became aware of this company by reading Mozilla's bug report 28327 - http://bugzilla.mozilla.org/show_bug.cgi?id=28327 (cut/paste URL and open in new window).

Mozilla/Thunderbird also has trouble completely blocking all server contact in email, as it evidently doesn't sandbox the email environment enough (images may be blocked, but stylesheets and other external URL's can still leak through, last I checked).

BTW, there is a workaround if you use Mozilla/Thunderbird: set your View/Message Body As settings to "Simple HTML", or better yet, "Plain Text". This works 100%!

Tracking HTML e-mail without images or JavaScript

[Kent+Brewster]

You can do this without using an image or JavaScript, and give away nothing in the source of the message. Here's one way, using Apache, .htaccess, and PHP:

1) In the header of your HTML e-mail message, load up a style sheet:

<style type="text/css">
@import "http://your.server.com/your.css";
</style>

2) In the server directory containing your CSS file, add the following line to .htaccess:

AddType application/x-httpd-php .css

Any file ending in .css under this directory will now be run as if it were a PHP script.

3) Save this as your.css:

<?php
require "track_message.php";
?>

Done. No images, no JavaScript ... any reader that accepts HTML messages will trigger track_message.php, and nothing unusual will be visible in source code, even if some curious person pulls down http://your.server.com/your.css to take a look.