Testing didtheyreadit.com's Mail-Tracking Claims

iosdaemon writes "didtheyreadit.com claims to be able to track your sent email: "When, exactly, your email was opened. How long your email remained opened. Where, geographically, your email was viewed. DidTheyReadIt works with every single internet provider and e-mail account, including EarthLink, AOL, NetZero, Juno, Netscape, Hotmail, Yahoo, and much more." Read on for more. "This appears to be snake oil. I put it to test just in case someone had come up with some magical code. I sent email from a Yahoo.com account through the service, to an account on a Linux Box. Running tcpdump, I received the email from my pop and let 5 minutes pass before opening it. I left the message open with the cursor in the text for another 5 minutes. Tcpdump revealed absolutely no questionable traffic. And, the service control panel indicated the email had not been viewed. Sending email to a Yahoo.com account results in a 'read' in the service CP. But I had the message open for 10 minutes, and it indicated a 2-minute read......"

The company's "How it works" page explains the system to some degree; it involves redirecting all mail to be tracked through their servers by appending "didtheyreadit.com" to your recipient's email address. I doubt this is mutt-compatible ... Reader xrxzzy points out USAToday's article on the service as well.

Link doesn't work

[fatwreckfan]

Here's a working link: http://www.didtheyreadit.com/.

How it 'works'

[ZiZ]

This is nothing more than off-site image tracking, as has been seen in spam for ages and ages. Here's an example of the image it adds:

<img src="http://didtheyreadit.com/index.php/worker?cod e=2f985e815bd2b46450e 07957611ab6c9" width="1" height="1" /> So not only will it not work in text-based email clients (such as mutt), it won't work in modern versions of Outlook which block inline images by default. (It was nice enough to leave my plain-old-text message - "blah blah blah" - alone in the original format, as well as adding a text/html mangled version.)

Re:How it 'works'

[amembleton]

From the 'How It Works' page: Will my recipient know that I am tagging my e-mail?
No. Not unless you want them to know.

As I suspected, they are just using a tracking image, sometimes I look at the source of messages (sad, I know), then I would know if I was being tracked. That saves me opening an account to see how they were going to do this.

I always view my email as Plain Text using Mozilla, so this wouldn't work unless I decided to switch back to HTML. I made some of these tracking images once and tried it out. I found that browsers were cacheing them, so it wouldn't always register if it was viewed in a webmail acount.

Re:How it 'works'

[jacobdp]

This is nothing more than off-site image tracking, as has been seen in spam for ages and ages.

And yet they claim that there's no way the recipient can know that the message is being tracked (see their FAQ) It may not be complete snake oil, but the company is definitely lying about the service's transparency.

And they route all your mail through their servers. I wouldn't be surprised if they soon started selling "pre-confirmed" email address lists.

Re:How it 'works'

[RotJ]

Yahoo! and Hotmail also allow people to block all images until they explicitly approve them, so spammers can't track whether you've opened their spam. Didtheyreadit won't be able to either. So tracking for this service will be very spotty. For messages marked unread, you can NEVER know whether it was opened or not.

Re:How it 'works'

[amembleton]

This then allows their server to know when the mail was downloaded by the user without having to rely on images.

Unfortunatelly, I don't think it works like that. Their server will then send it to the users' server, or the mail server of their ISP or the mail sever of a webmail account such as Yahoo!, Gmail or Hotmail. Their server will send the message straight away, without any delay. The end user does not download the message from didtheyreadit.com sever, they download it from their usuall Yahoo! SMTP server or whatever their usuall mail server is.

Re:How it 'works'

[tigress]

Uhh, no. The recipient "downloads" their mail from their ISPs mailserver. There's nothing didtheyreadit.com can do to change that. What the extra ".didtheyreadit.com" does is simply being an email adress that forwards the mail to the recipients server, and adding a tracking-image to the mail.

Of course, if you don't believe me, please feel free to call my free 1-800 number and I'll explain it further. I promise not to redirect your call to an international $9.95/min number.

Re:How it 'works'

[antic]

A typical user would not know that a web bug was in place and the typical users are exactly who they're trying to get to buy into the service.

You and I might ignore their attempts, but there are a hell of a lot of people out there who would like the sales pitch, the 5 free samples/tests and spend the money to use the service. For the most part, they'll be emailing people without mutt and the service may just work (more or less) as described.

Where I would have an issue is with the small percentage of emails that they can't track due to clients forcing text only mail. If a user was to build a strong reliance on this service, they would only assume that the receiver had never even read their email when in actual fact they could've opened it in a text-only client and pored over it for days!

And the privacy issues are astounding -- they would essentially get every copy of email sent through their system -- personal information and details, etc. If you care enough about the information you're sending to want to know if the receivee will read it, then you can bet that this company may care enough about the content too...

Re:How it 'works'

[orthogonal]

So not only will it not work in text-based email clients (such as mutt), it won't work in modern versions of Outlook which block inline images by default

Let's be even more sensible: your firewall rules should allow your email client to make connections to your mail server ONLY, and only to its ports 110 and 25 (I'm assuming POP3; IMAP would be other orts).

(Not for linux users: Microsoft Windows firewalls typically allow setting rules separately for separate applications, by associating a process name (and in serious firewalls, the executable's MD5 sum) with the process requesting the connection.)

This takes care of all web bugs, inline images, and javascript pop-ups or Active-x in Microsoft HTML email.

Note that with any sensible email client, this won't block html links, as clicking an html link should invoke a separate browser application, with its own firewall rules.

It will block linked (not inline) images, but only a very small minority of email linked images that are at all useful to view -- in this case I just save the email as html and open in a web browser.

Re:How it 'works'

[darkonc]

I can't find such an option in Mozilla.

Edit ->
Preferences ->
Privacy & Security ->
Images ->
[checkbox] Do not load remote images in Mail and Newsgroup messages

It's probably the fact that it's under 'Privacy and Security', rather than 'Mail and news' that threw you.

Re:How it 'works'

[ciggieposeur]

I found that browsers were cacheing them, so it wouldn't always register if it was viewed in a webmail acount.

PATENT ALERT

I am about to describe a patented technique. Seriously. If you ever think you're going to implement a web bug, do not read this or IBM will be able to sue you for treble damages.

Since a) I no longer work for IBM, and b) the method is on file in the patent, I am not violating my IP contract with IBM by describing this method.

.
.
.

PATENT ALERT

.
.
.

Method:

The way to defeat browser caching is to make the IMG SRC point to a CGI that returns a REDIRECT (302) that points to the single-pixel image. So you might have IMG SRC="server/path/to/cgi?key1=val1&key2=val2". The browser will have to tick the CGI because it has "dynamic" parameters. However, the CGI has to return a REDIRECT because an intelligent proxy server in the middle might be trying to cache the output too. You don't care if the single-pixel image itself is cached, you just want to capture the CGI hit with all the parameters.

Re:How it 'works'

[jonadab]

You're assuming he would prefer to view the message HTML-formatted rather than
in plaintext, which for most users who know the difference is not the case.

Viewing in plain text has the advantage of providing a consistent look and
feel for every message, always using the reader's preference for fonts and
colors, among other things. (There are a few exceptions, but most people
prefer the fonts and colors *they* like over the ones other people want them
to see, except in special circumstances such as when having a discussion
about fonts and colors.)

It's all moot for me; I use Gnus. Currently I have it set to only display
text/plain parts and show anything else as an attachment, which I can save
and view if I choose. This means HTML mail has the From and Subject fields
to convince me it's not spam. It's been years since I received an HTML
message that wasn't spam, incidentally, and I get a *lot* of mail. I do
sometimes receive multipart/alternative messages that aren't spam, but the
plain text part always shows fine in that case.

I *could* configure Gnus to display HTML parts, using W3, or to launch a
browser, such as Mozilla, but I choose not to configure it that way because
I prefer to view the plaintext alternative, and like I said it's been years
since I received an HTML-only message that wasn't unsolicited bulkmail.

Back to topic, the didtheygetit.com claim that the service works regardless
of what client the recipient uses is obviously not only bogus for their
specific product but in fact a totally impossible thing for any product to
deliver, unless the content is munged into a form that they are *unable*
to view without alerting you, such as an executable that unencrypts and
displays the text after phoning home -- but something like that would be so
odious to so many recipients that the sender would by using it be decreasing
significantly the chances that the message would be read at all, which would
rather defeat the purpose of the whole idea. In other words, it's an utterly
impossible thing to deliver. OTOH, they only claim it works in 98% of cases
and carefully qualify this saying "in our testing", which presumably means
they didn't test with geeks who use carefully selected high-quality mail
readers; they probably tested mostly with Outlook, two or three popular
webmail services, and maybe Eudora or Netscape. I can positively guarantee
that it would never work with Pegasus Mail (though pmail *does* support read
receipts, but only if the user has turned them on in the prefs; they're
off by default), and obviously it doesn't work with my particular config
of Gnus. (I don't know about a default Gnus config, but that's largely not
a significant issue since people who leave settings at their defaults don't
tend to use Gnus in the first place; it's very much geared toward people
who like to change lots of options.) Clearly it also wouldn't work with
mutt or pine or anything like that, and *obviously* it wouldn't work if
the user talks to the POP3 server directly (which I happen to have just
done yesterday, though I only looked at three or four messages that way,
and I'm atypical, being the maintainer of the Net::Server::POP3 module).

I can imagine that it might be useful to some people nonetheless, especially
in a largely homogenous corporate environment wherein it is predictable what
mail client everyone or almost everyone uses. But clearly they're very much
exaggerating (at best) when they claim it works irrespective of the client.

Re:How it 'works'

[MarkGriz]

No need to render it useless. The service seems pretty useless all by itself.

Re:How it 'works'

[ip_fired]

There is a problem with SpamAssassin in that you can get around the little web-bug feature with a little setup on the server side. If the spammer were smart, they would use mod_rewrite to change the url from:

http://spammerserver.com/cgi-bin/redirect.pl?id= [m d5sum]

to:

http://spammerserver.com/images/[md5sum]/image.j pg

Apache then takes the a out of the url, rewrites it, and redirects it to a script which then records the hit from the user and notes that this address is valid.

Spam filters out there need to find a good way of detecting unique identifiers that can be used to track a user.

I'm personally moving towards the scorched earth method with my personal e-mail account. Blcok everything that isn't on my whitelist. If I know you, you're on my whitelist. It's certainly not the best method, but I hate spam.

Re:How it 'works'

[lostchicken]

Patent law cannot be circumvented with a clean-room designed algorithm. A lack of knowledge of the original source will not get you out of a patent suit, just copyright issues. So, if you are trying to make a web bug, you'd best read this and do something completely different, because no matter what, you can't use the above described technique without being in violation of IBM's patent. Not even if you came up with it all by yourself.

Definitely snake oil.

[jcr]

All I have to do is read my mail when I'm not on line.

Nothing to see here, nothing at all.

-jcr

Re:Definitely snake oil.

[E_elven]

There's a way to go off line? What does one do in this 'off-line' state?

this is cool

[quelrods]

Well, it will tell you when they opened the email/how many times/etc. (assuming they have an html enabled email client.) It works w/ yahoo mail but not with pine. The infinite refresh to tell how long they read the email for is annoying in that it makes it look like the email never finished loading. Can someone see how outlook responds to this? (I haven't a windows box)

Re:this is cool

[quelrods]

woops forgot to add it's direction finding skills are weak. Apparantly I'm in Michigan? I'm in Austin,TX and my POP is chicago. It appears to try to get information via one of the upstream links which is horribly inaccurate.

Lets Implement a Similar System

[KhalidBoussouara]

To see if people read the article before posting on Slashdot.

This post is a joke so don't moderate down. Also I am aware that this wouldn't be really effective.

Re:Lets Implement a Similar System

MOD PARENT DOWN. This wouldn't be effective mea...
aww crap.

Single pixel gif?

[ilikejam]

Sounds to me like they just embed a simgle pixel gif in the message, and monitor when they recieve the request for it.
How they monitor the length of time the mail stays open is a bit of a mystery.
Turn off 'Download images' and I'd imagine their system becomes useless.
Wasn't there a scare about spam merchants doing this once?

Re:Single pixel gif?

[Neon+Spiral+Injector]

The time is probably calculated by not actually sending the image file, or sending it very slowly. So they just keep the HTTP session open, then note when the client closes. That would limit the tracking time to when the connection times out. Like the author said, he left the Yahoo mail open for 10 minutes and it only reported 2.

An additional note, Yahoo does have an option to disable remote images, which would also break this.

Seems this company is too late to the party. Almost all current e-mail clients now don't or have an option to not to load remote images.

Re:Single pixel gif?

[ilikejam]

Yup. Confirmed.
At the bottom of the mail is:

<img src="http://didtheyreadit.com/index.php/worker?cod e=xxxxxxxxxxxxxxxxxxxxx" width="1" height="1" />

Oh well. Should prove very effective against those without the sense to turn off images anyway. Lets hear it for making money from people's ignorance!

Re:Single pixel gif?

[Neon+Spiral+Injector]

I just tested, they send an image/jpeg with a header not specifying the length at 1 byte/second. But it is only 302 bytes long, so they can't track for more than 5 minutes. It is a real JPEG, 1x1 pixels, created with an Adobe product.

get your privacy back easily

[xlyz]

just set your mail client to not download images

Re:get your privacy back easily

[Pike65]

How do I do that in pine?

Why not do it yourself

[Crashmarik]

If the recipient is using a text based email program theres no way in heck anything is going to track whether the mail was opened or read. If its an HTML reader like Outlook just pop a web beacon and let your server monitor it. If you can't figure out how to make this work yourself, you probably shouldn't be allowed to go spying on others anyway.

Re:fp!

[TheViciousOverWind]

Nothing special, just "Webbug" images, which spamfilters such as SpamAssasin (in the default setting) adds point to as more likely to be spam, so using DidTheyReadIt users mail is more likely to end up in a spamfolder than any other type of mail.

On another note, I find it's walking on the thin red line of immoral behavior, and I know here in Denmark there've been several companies who've got bad publicity because of using said method.

It's an animated GIF!

It embeds a single pixel image, but it appears to keep feeding you the image forever, at a rate of a byte a second. Thus, if you use an HTML image reader that loads embedded graphics from random servers, they will know how long you had it open for.

Of course, if you use an email program that's that, umm, "open", they could just embed a trojan in it and add features like listening to what you say when you open the mail, and pictures of you reading it. :)

Re:OE read receipts

[Ryquir]

Uhmm... you do understand that Mozilla and other E-mail client do actually have read receipts and that this isn't a "MS" standard?

The only difference in clients abilities with regards to read receipts is how they present you the uninformed user the dialog box saying "Sender has requested you inform them that you have read this message".

I'M RICH!!

[nacturation]

Now I'm going to finally get Bill Gates and tons of other companies to finally pay up!

eeevviiilll!

[Gaima]

http://www.rampellsoft.com/, the people bringing you didtheyreadit looks to me like a really evil company.

software products to make your life on a computer easier and more efficient. by secretly spying on your spouse, kids and employees.
Oh, sorry, record, my bad.

/me goes back to kmail in text/plain by default, happy, safe, and in privacy.

This would fail with GMail

[tji]

By default, Google mail has images turned off. You have to click a link at the top of the message to force it to load the images.

Most other mailers also have a way to turn off image loading because spammers have been using this tracking technique for a long time. If mailers don't allow image blocking yet, I'm sure that a service like this will get them to add that trivial feature.

quick prevention of getting tracked by this...

[griffjon]

Not that I let my email client load images anyway, but just because I'm spiteful, I think I'll go add
"127.0.0.1 didthereadit.com" to my /etc/hosts file. (c:\windows\hosts in win98, C:\windows\system32\drivers\etc\ in XP, )

Depressing...

[Gutboy_Barrelhouse]

Does anyone else find it depressing that the entire privacy issue this service (creates? no... inflames?) hinges on the fact that 99% of Internet users probably don't know whether they're reading email as HTML or plain text?

mwahaha

Devious suggestion: Buy misspellings of their domain, then capture all emails you receive. Hours of fun!

Re:No good

[Z-MaxX]

Unless it works for every single message it's no good.

So true. And this is straight from their main page:

"Are you as sick of getting the "I never got your email." line as I was? This will eliminate that excuse completely. It really lets you know whom you're dealing with."

Now you simply say, "My spam filter blocks images." And you may have a reason then to think that the person who sent you the message doesn't trust you.

You can't solve a people problem with technology.

Better alternative

[mapinguari]

If you're wanting to use something along these lines, a more up-front company that doesn't use invisible web bugs is HaveTheyReadItYet.

They use images of stamps, which are customizable, which is kind of a cool idea.

However, this only available for Windows.

SPAMMERS, perhaps?

[whoever57]

A whois on didtheyreadit.com shows an address in Florida.

Wouldn't this be a great way to harvest thousands or millions of known good email addresses?

The TOS only states that they will not store the emails -- yet their own logs will contain the email addresses. There is nothing in the TOS that explicitly prevents them from using those addresses.

Good for them, and us.

[tigress]

In my personal opinion, I think this might actually be a good thing. Considering the fact that didtheyreadit.com uses external images for tracking, and that they're getting a whole bunch of publicity right now (partially due to this very article), this is just another reason for email clients to block external images by default - spam apparently not being a big enough reason yet.

With a bit of luck, this will make more sites and clients want to implement image blocking, which will in turn make it harder for spammers to get their messages across.

Spam is merely an annoyance to most people. Privacy issues are not. :)

DNS fun...

[AVee]

Looks like they've got a wildcard mx record:

# host -t mx aol.com.didtheyreadit.com
aol.com.didtheyreadit.c om mail is handled by 10 mail.cluster1.didtheyreadit.com.
host -t mx lsdkfjksdlfjklsdjf.didtheyreadit.com
lsdkfjksdlfj klsdjf.didtheyreadit.com mail is handled by 10 mail.cluster1.didtheyreadit.com.

Now whould you like to pay for an email service that doesn't even have a fallback mailserver and is likely be busy handling mail for info@didtheyreadit.com.didtheyreadit.com.didtheyre adit.com.didtheyreadit.com.didtheyreadit.com

# host -t mx didtheyreadit.com.didtheyreadit.com.didtheyreadit. com.didtheyreadit.com.didtheyreadit.com
didtheyre adit.com.didtheyreadit.com.didtheyreadit.com.didth eyreadit.com.didtheyreadit.com mail is handled by 10 mail.cluster1.didtheyreadit.com.

Re:Smoke and mirrors

[DaHat]

And now we all DoS their site as we try to load that image to see if it really does work...

It seems to be good, just an awful slow load (which no doubt is intentional to measure the length of your 'reading' of the e-mail).

Easy fix...

[jafiwam]

just put:

127.0.0.1 didtheyreadit.com

In your hosts file...

Or put an authoritative zone in your DNS servers if you have access.

Done, no query reaches their server.

Big problem: instant open relay

[bigberk]

I signed up for a free account. It does work, it's fast and convenient enough. But there's a major problem...

INSTANT OPEN RELAY.

All a spammer has to do is forge their From address (the only means of relay authentication!) and append .didtheyreadit.com to any victim address, and dtri1.rampellsoft.com will relay the message to the victim. I'd say this service has a 10% chance of survival.

"Every single internet provider"?

[Megane]

DidTheyReadIt works with every single internet provider and e-mail account, including EarthLink, AOL, NetZero, Juno, Netscape, Hotmail, Yahoo, and much more.

Guess what folks. There's no law that says you have to let a megacorp run your e-mail. With a fixed IP and a 24/7 server, you can run your own server. (Though, admittedly, it's not something a novice can make work.)

All this is is simple "web bug" HTML IMG link spying. Anyone with any kind of sense has configured their e-mail client to not automatically download remote images. Or even to not display HTML crap at all. And please don't tell me that they use Javashi^H^Hcript, because that means there's a brain-damaged popular e-mail program out there that allows it (or a webmail site that doesn't filter it). All we need is another way for e-mail to run wild code.

Is anyone else getting a flashback to the all the stupid ideas that would burn through millions of dollars in VC cash back in the dot-com bubble days?

It's a scam, and here's how I know

[BillX]

I have identified this service to be a scam using the "superfluous female person standing next to logo" method. I'm still wondering where her headset went, though...