Slashdot Mirror

← Back to Stories (view on slashdot.org)

User Not Found, Email Drops Silently

Posted by timothy on from the silent-but-obnoxious dept.

shervinafshar writes with an International Herald Tribune story explaining just why it is failed emails don't always result in a helpful error message for the sender, which also gives some insight into ways that email can be used to spy on recipients. "In last lines of the article, two companies are introduced which provide services that can 'spy' on your email reading habits. They also can 'call home' too: 'Some entrepreneurs have seen that uncertainty and offered senders the ability to obtain receipts that a given message has been read — without the recipient knowing that a confirmation has been sent back to the sender. ReadNotify, based in Queensland, Australia, started in 2000 and promised to report not only on whether a message was read, but also on how long it was opened for reading on the recipient's PC. It can also send the message in "self-destructing" form, preventing forwarding, printing, copying and saving.' IHT also is asking its readers to comment about these kind of services being against user privacy."

14 of 292 comments (clear)

  1. more importantly, by Escogido · · Score: 5, Interesting

    it primarily depends upon the recipients who don't know any better than to use all sorts of unsafe mail clients who allow such tricks to be played on them. as long as these comprise the majority, that business model is sustainable.

    so this is not a privacy issue but a security issue.. and it's much older than 2000.

  2. Re:Remote images? by rm999 · · Score: 4, Interesting

    As far as I am aware, Gmail was the first mainstream e-mail service/client that did not load remote images automatically. Before then, these tracking products were plausible, but fortunately most clients I am aware of have followed suit and ruined the business plan.

    Now, the only way to truly track e-mails is to request the user click on a link to an external website to read the message. I don't know many people who would do this without suspicion.

  3. Re:Why it can't work by Just+some+bastard · · Score: 4, Interesting

    Here's a good summary of why such plans won't work:
    Here's another one: http://www.sox-online.com/act_section_802.html
  4. Blacklisting the abusers by Arrogant-Bastard · · Score: 5, Interesting
    It is clear that readnotify and their ilk are engaged in abusive activities: we would not tolerate the equivalent with snail-mail, and so we should of course not tolerate it with email, either. These abusers are only one step removed from spam and spyware, and should therefore of course be blacklisted permanently.

    I therefore recommend blacklisting (in your MTA and web proxy) readnotify.com, pointofmail.com, e-mail-servers.com, didtheyreadit.com, mailinfo.com, and msgtag.com. I welcome any additions to this list.

    I should also mention that those who use superior mail clients -- e.g., mutt -- can avoid being spied on by these abusers. I strongly recommend using such clients, or configuring other lesser clients so that they do not cooperate.

    1. Re:Blacklisting the abusers by fuzzyfuzzyfungus · · Score: 2, Interesting

      One might also point out the threat that such services as these can pose to the sender of the message. From a quick look at ReadNotify's instruction page, it looks like you append .readnotify.com to the email address you wish to send mail to. From an ease of use standpoint this is quite cute. However, unless I am very much mistaken, your email will actually be sent to "originalusername"@originaldomain.readnotify.com Presumably, readnotify has their systems set up to accept such odd emails and then process them and send them out to the original recipient

      This means that ReadNotify gets a copy of everything that you track with them, as well as all the tracking information. Definitely nothing that could ever be a problem; its not as though the legalities of multinational transfers of legally privileged data are complex or anything, right?

      Also, as an aside, it would be amusing to see how well Readnotify has protected itself against abuse. There is no mention in their FAQ or instructions of changing SMTP configuration, or any sort of authentication, except when logging in to the web page, to check tracking status. If naively implemented, their system will simply send an email to any chosen target in response to receiving an email with the correctly formatted destination address.
      target@targetdomain.foo.readnotify.com
      I wonder how, and how well, they verify the sender of an email... Especially seeing that, if you get an email with ReadNotify stuff embedded in it, you know the person who sent it has a valid ReadNotify account. Wouldn't want anything bad to happen

  5. Re:Remote images? by Kalriath · · Score: 4, Interesting

    Is there actually an email client that runs Javascript? Even recent versions of Outlook wont (and even can't - Word has no Javascript interpreter!) and I'm sure that Thunderbird wouldn't be that stupid.

    --
    For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
  6. These services are weak, some aren't. by fuzzyfuzzyfungus · · Score: 2, Interesting

    The services discussed in TFA look like seriously weak sauce. Like anything that doesn't monkey with the recipient's system, they can be defeated by not loading external material, not executing javascript, and so on.

    The more dangerous class of trackers are those that do operate on the recipient's system. In principle those can be defeated, just as DRM systems can; but doing so may be substantially challenging, particularly for joe user. Luckily, requiring the recipient to install a program of some sort just to view an email is pretty inconvenient, so these aren't commonly used; but if an entity that you pretty much have to interact with(employer, distance education system, government, etc.) took up using such a system, there would be a serious danger.

  7. CYA by fishthegeek · · Score: 5, Interesting

    I use readnotify. Not on every email, but some important ones. Since I have to deal with continuing education and am constantly taking classes I find that readnotify is useful for covering my ass.

    True story, I took an online course in Fall 07. I submitted my final to the prof. via email at his request. Neither the email or the attachment was ever opened and readnotify is extremely reliable for this particular prof. I still got a 4.0 so I'm not complaining.

    --
    load "$",8,1
  8. Re:Remote images? by CastrTroy · · Score: 2, Interesting

    They use images for the entire email, because Outlook 2007, to name just one of many email clients, is completely incapable of rendering anything outside of extremely basic HTML. Using a bunch of images arranged in a table is the best way to assure your nicely designed email newsletter/adleter won't be mangled by the email client.

    --

    Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
  9. Re:Remote images? by afidel · · Score: 4, Interesting

    Here's a way to do hypertargeted tracking to a gmail client, buy an adword for some made up many character 'word' like asdjhfgkjbadjghiougscvo and then include it at the end of or embedded in the html of an email. Then just view the stats on the adword. If you are smart enough there is generally a way to do things to the majority of people who are non-paranoid. Personally that's why I like things like Mozilla and Thunderbird, their defaults are set by people who ARE paranoid =)

    --
    There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
  10. Re:Remote images? by thePowerOfGrayskull · · Score: 3, Interesting

    I understand the reasoning for it, but that doesn't make it any less irritating as a practice. The fact is that anybody who is reasonably security conscious will - at minimum - disable image rendering and javascript in their email client. So when an entire email consists of external images and terribly formatted links, the sender pretty much shoots him/herself in the foot.

  11. email image tracking by geoff_smith82 · · Score: 4, Interesting

    Several years ago, I helped save someone some money by tracking where a particular person actually was via email. Realizing a tracking image in an email was unreliable, I also added a tracking image into a word document... which doesn't have any protection against loading images from remote servers.

    Long story short - the person was on the other side of the world to where they were claiming to be based on their IP address.

  12. ELM by marcovje · · Score: 2, Interesting

    Makes you wonder why people abandonned ELM :-)

  13. Re:Remote images? by grolaw · · Score: 2, Interesting

    Eudora - my old friend, won't load any of that crap and can be set to respond to a "return receipt" request from Outlook as "now" "later" "Never" - always had fun with that feature....

    But, seriously - if you are using a mail application that does "blindly" support HTML and resides on your desktop/laptop the weasel sending you email will have your MAC and IP address. Consider being in your "lover's" home / business when that email hits your laptop - now the spouse has you located.

    The Feds and some state police agencies are capable of tracking your cell - but a 1 pixel image buried in your email is the poor man's homing beacon. They will know close to where you are and when you opened the message.

    Perhaps web-based email like Gmail (accessing it through SSL) is the only real defense if you have to be able to read email with images imbedded in the message.