Testing didtheyreadit.com's Mail-Tracking Claims

iosdaemon writes "didtheyreadit.com claims to be able to track your sent email: "When, exactly, your email was opened. How long your email remained opened. Where, geographically, your email was viewed. DidTheyReadIt works with every single internet provider and e-mail account, including EarthLink, AOL, NetZero, Juno, Netscape, Hotmail, Yahoo, and much more." Read on for more. "This appears to be snake oil. I put it to test just in case someone had come up with some magical code. I sent email from a Yahoo.com account through the service, to an account on a Linux Box. Running tcpdump, I received the email from my pop and let 5 minutes pass before opening it. I left the message open with the cursor in the text for another 5 minutes. Tcpdump revealed absolutely no questionable traffic. And, the service control panel indicated the email had not been viewed. Sending email to a Yahoo.com account results in a 'read' in the service CP. But I had the message open for 10 minutes, and it indicated a 2-minute read......"

The company's "How it works" page explains the system to some degree; it involves redirecting all mail to be tracked through their servers by appending "didtheyreadit.com" to your recipient's email address. I doubt this is mutt-compatible ... Reader xrxzzy points out USAToday's article on the service as well.

Link doesn't work

[fatwreckfan]

Here's a working link: http://www.didtheyreadit.com/.

How it 'works'

[ZiZ]

This is nothing more than off-site image tracking, as has been seen in spam for ages and ages. Here's an example of the image it adds:

<img src="http://didtheyreadit.com/index.php/worker?cod e=2f985e815bd2b46450e 07957611ab6c9" width="1" height="1" /> So not only will it not work in text-based email clients (such as mutt), it won't work in modern versions of Outlook which block inline images by default. (It was nice enough to leave my plain-old-text message - "blah blah blah" - alone in the original format, as well as adding a text/html mangled version.)

Re:How it 'works'

[jacobdp]

This is nothing more than off-site image tracking, as has been seen in spam for ages and ages.

And yet they claim that there's no way the recipient can know that the message is being tracked (see their FAQ) It may not be complete snake oil, but the company is definitely lying about the service's transparency.

And they route all your mail through their servers. I wouldn't be surprised if they soon started selling "pre-confirmed" email address lists.

Re:How it 'works'

[darkonc]

I can't find such an option in Mozilla.

Edit ->
Preferences ->
Privacy & Security ->
Images ->
[checkbox] Do not load remote images in Mail and Newsgroup messages

It's probably the fact that it's under 'Privacy and Security', rather than 'Mail and news' that threw you.

Re:How it 'works'

[ciggieposeur]

I found that browsers were cacheing them, so it wouldn't always register if it was viewed in a webmail acount.

PATENT ALERT

I am about to describe a patented technique. Seriously. If you ever think you're going to implement a web bug, do not read this or IBM will be able to sue you for treble damages.

Since a) I no longer work for IBM, and b) the method is on file in the patent, I am not violating my IP contract with IBM by describing this method.

.
.
.

PATENT ALERT

.
.
.

Method:

The way to defeat browser caching is to make the IMG SRC point to a CGI that returns a REDIRECT (302) that points to the single-pixel image. So you might have IMG SRC="server/path/to/cgi?key1=val1&key2=val2". The browser will have to tick the CGI because it has "dynamic" parameters. However, the CGI has to return a REDIRECT because an intelligent proxy server in the middle might be trying to cache the output too. You don't care if the single-pixel image itself is cached, you just want to capture the CGI hit with all the parameters.

Re:How it 'works'

[jonadab]

You're assuming he would prefer to view the message HTML-formatted rather than
in plaintext, which for most users who know the difference is not the case.

Viewing in plain text has the advantage of providing a consistent look and
feel for every message, always using the reader's preference for fonts and
colors, among other things. (There are a few exceptions, but most people
prefer the fonts and colors *they* like over the ones other people want them
to see, except in special circumstances such as when having a discussion
about fonts and colors.)

It's all moot for me; I use Gnus. Currently I have it set to only display
text/plain parts and show anything else as an attachment, which I can save
and view if I choose. This means HTML mail has the From and Subject fields
to convince me it's not spam. It's been years since I received an HTML
message that wasn't spam, incidentally, and I get a *lot* of mail. I do
sometimes receive multipart/alternative messages that aren't spam, but the
plain text part always shows fine in that case.

I *could* configure Gnus to display HTML parts, using W3, or to launch a
browser, such as Mozilla, but I choose not to configure it that way because
I prefer to view the plaintext alternative, and like I said it's been years
since I received an HTML-only message that wasn't unsolicited bulkmail.

Back to topic, the didtheygetit.com claim that the service works regardless
of what client the recipient uses is obviously not only bogus for their
specific product but in fact a totally impossible thing for any product to
deliver, unless the content is munged into a form that they are *unable*
to view without alerting you, such as an executable that unencrypts and
displays the text after phoning home -- but something like that would be so
odious to so many recipients that the sender would by using it be decreasing
significantly the chances that the message would be read at all, which would
rather defeat the purpose of the whole idea. In other words, it's an utterly
impossible thing to deliver. OTOH, they only claim it works in 98% of cases
and carefully qualify this saying "in our testing", which presumably means
they didn't test with geeks who use carefully selected high-quality mail
readers; they probably tested mostly with Outlook, two or three popular
webmail services, and maybe Eudora or Netscape. I can positively guarantee
that it would never work with Pegasus Mail (though pmail *does* support read
receipts, but only if the user has turned them on in the prefs; they're
off by default), and obviously it doesn't work with my particular config
of Gnus. (I don't know about a default Gnus config, but that's largely not
a significant issue since people who leave settings at their defaults don't
tend to use Gnus in the first place; it's very much geared toward people
who like to change lots of options.) Clearly it also wouldn't work with
mutt or pine or anything like that, and *obviously* it wouldn't work if
the user talks to the POP3 server directly (which I happen to have just
done yesterday, though I only looked at three or four messages that way,
and I'm atypical, being the maintainer of the Net::Server::POP3 module).

I can imagine that it might be useful to some people nonetheless, especially
in a largely homogenous corporate environment wherein it is predictable what
mail client everyone or almost everyone uses. But clearly they're very much
exaggerating (at best) when they claim it works irrespective of the client.

Re:How it 'works'

[MarkGriz]

No need to render it useless. The service seems pretty useless all by itself.

Lets Implement a Similar System

[KhalidBoussouara]

To see if people read the article before posting on Slashdot.

This post is a joke so don't moderate down. Also I am aware that this wouldn't be really effective.

Re:Lets Implement a Similar System

MOD PARENT DOWN. This wouldn't be effective mea...
aww crap.

Re:Definitely snake oil.

[E_elven]

There's a way to go off line? What does one do in this 'off-line' state?

It's an animated GIF!

It embeds a single pixel image, but it appears to keep feeding you the image forever, at a rate of a byte a second. Thus, if you use an HTML image reader that loads embedded graphics from random servers, they will know how long you had it open for.

Of course, if you use an email program that's that, umm, "open", they could just embed a trojan in it and add features like listening to what you say when you open the mail, and pictures of you reading it. :)

Re:Single pixel gif?

[ilikejam]

Yup. Confirmed.
At the bottom of the mail is:

<img src="http://didtheyreadit.com/index.php/worker?cod e=xxxxxxxxxxxxxxxxxxxxx" width="1" height="1" />

Oh well. Should prove very effective against those without the sense to turn off images anyway. Lets hear it for making money from people's ignorance!

Re:OE read receipts

[Ryquir]

Uhmm... you do understand that Mozilla and other E-mail client do actually have read receipts and that this isn't a "MS" standard?

The only difference in clients abilities with regards to read receipts is how they present you the uninformed user the dialog box saying "Sender has requested you inform them that you have read this message".

eeevviiilll!

[Gaima]

http://www.rampellsoft.com/, the people bringing you didtheyreadit looks to me like a really evil company.

software products to make your life on a computer easier and more efficient. by secretly spying on your spouse, kids and employees.
Oh, sorry, record, my bad.

/me goes back to kmail in text/plain by default, happy, safe, and in privacy.

This would fail with GMail

[tji]

By default, Google mail has images turned off. You have to click a link at the top of the message to force it to load the images.

Most other mailers also have a way to turn off image loading because spammers have been using this tracking technique for a long time. If mailers don't allow image blocking yet, I'm sure that a service like this will get them to add that trivial feature.

quick prevention of getting tracked by this...

[griffjon]

Not that I let my email client load images anyway, but just because I'm spiteful, I think I'll go add
"127.0.0.1 didthereadit.com" to my /etc/hosts file. (c:\windows\hosts in win98, C:\windows\system32\drivers\etc\ in XP, )

Depressing...

[Gutboy_Barrelhouse]

Does anyone else find it depressing that the entire privacy issue this service (creates? no... inflames?) hinges on the fact that 99% of Internet users probably don't know whether they're reading email as HTML or plain text?

Re:No good

[Z-MaxX]

Unless it works for every single message it's no good.

So true. And this is straight from their main page:

"Are you as sick of getting the "I never got your email." line as I was? This will eliminate that excuse completely. It really lets you know whom you're dealing with."

Now you simply say, "My spam filter blocks images." And you may have a reason then to think that the person who sent you the message doesn't trust you.

You can't solve a people problem with technology.

Re:get your privacy back easily

[Pike65]

How do I do that in pine?

It's a scam, and here's how I know

[BillX]

I have identified this service to be a scam using the "superfluous female person standing next to logo" method. I'm still wondering where her headset went, though...