As a follow-up to an article I wrote earlier this year on the perils of HTML e-mail, today I’m looking at how to defeat e-mail tracking services that use Web bugs.
Web bugs are very small (often only one pixel) images on a Web site; HTML e-mail that includes the URL for these tiny images can record who opened the e-mail message at what time. If there is an instruction requiring automatic refresh of the image as part of the HTML code, it is even possible to tell how long the e-mail message was left open on screen.
The service from DidTheyReadIt uses precisely this approach. As described on its Web site, users append “.didtheyreadit.com” to the e-mail address of someone whose e-mail reading habits they want to monitor. The company's servers convert messages to HTML, add a Web bug, and send your converted message to its destination. When a recipient using an HTML-tolerant e-mail reader opens or even previews the spyware-equipped document, the company's servers record when the Web bug was downloaded, the IP address of the reader, and how long the file was kept open. This information is then sent to the sender in an e-mail message.
Similar services are provided by MSGTAG and by ReadNotify.
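The mechanism described above, as an added example (not code from this article or from any product it names): a Python filter that reads a constructed message, flags remote images and refresh instructions without fetching anything, and returns only the visible text. The host `tracker.example`, the sample message, and the use of a `meta` refresh as the auto-refresh instruction are assumptions.

```python
import email
from email import policy
from html.parser import HTMLParser

# Constructed sample: an HTML e-mail carrying a 1x1 remote image and a refresh
# instruction. tracker.example and all addresses are placeholders.
SAMPLE = """\
From: sender@example.com
To: reader@example.org
Subject: Quarterly numbers
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"

<html><head><meta http-equiv="refresh" content="30"></head>
<body><p>Please review the attached numbers.</p>
<img src="http://tracker.example/bug.gif?id=abc123" width="1" height="1">
<img src="cid:logo@example.com" width="120" height="40">
</body></html>
"""

class BugScanner(HTMLParser):
    """Collects visible text and flags elements that contact a server when rendered."""
    def __init__(self):
        super().__init__()
        self.text, self.findings = [], []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        src = a.get("src", "")
        # Only remote URLs reveal the reader; cid: images travel inside the message.
        if tag == "img" and src.lower().startswith(("http://", "https://")):
            tiny = a.get("width") in ("0", "1") and a.get("height") in ("0", "1")
            self.findings.append(("web-bug" if tiny else "remote-image", src))
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            self.findings.append(("auto-refresh", a.get("content", "")))

    def handle_data(self, data):
        if data.strip():
            self.text.append(data.strip())

def sanitize(raw):
    """Return (plain_text, findings) over every text/html part; nothing is fetched."""
    msg = email.message_from_string(raw, policy=policy.default)
    scanner = BugScanner()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            scanner.feed(part.get_content())
    return "\n".join(scanner.text), scanner.findings
```

Calling `sanitize(SAMPLE)` returns the readable sentence plus two findings, the refresh instruction and the one-pixel remote image; the embedded `cid:` image is not flagged because displaying it contacts no server.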
Evidently, this entire system depends on HTML e-mail. In addition to the clumsy method of disconnecting from the ‘Net before opening HTML e-mail, there are already simple tools that destroy this functionality at little or no cost.
Wizard Industries makes Email-Tracking Blocker and sells it for $2.99, including a year of updates:
This 370K-byte utility needs to be run only once. According to the manufacturer, it works with any e-mail service and blocks all tracking services.
Email Sentinel Pro from DSDevelopment is freeware for individuals (non-commercial use) and shareware for corporations ($14.95 per seat):
This 815K-byte utility runs in the background to convert HTML e-mail messages into plain ASCII. It can be configured to handle attachments, can keep the original HTML messages in a quarantine buffer in case they are needed, can log its activities, works with any e-mail client, includes whitelist and contact-import, and requires no user interaction once it’s running. I tested this product and found that it worked fine with one of my e-mail accounts (an IMAP server) but failed with my backup account (a POP3 server). Not only was the message converted to plain text, but an embedded JPG image was converted to an attachment - very convenient and perfectly safe.
For the time being, this suits me fine; I suppose that the inventors will eventually fix bugs that crop up, especially as organizations cough up their $14.95 donations if they are satisfied with the product.
So if you are not keen on having people watch whether you have opened their e-mail messages without telling you that they are doing so, you don’t have to stand for it - and it will cost little or nothing to try these defensive tools.
Disclaimers: I have no financial involvement with any of the companies named in this article. Mention of a product should not be interpreted as an endorsement; omission of a product is not intended as criticism.
Learn more about this topic
HTML e-mail not worth the risk
Network World Security Newsletter, 05/18/04
Opinion: How DidTheyReadIt does it
Network World, 06/14/04
Opinion: Feedback on Ducky and defeating DidTheyReadIt
Network World, 06/28/04
Web bugs and cookies considered illegal
Network World Web Applications Newsletter, 07/14/04
Center for Democracy & Technology: Spyware links