Thursday, March 09, 2006

Email add-ons

Many people have asked about confirmations that emails they sent were actually received, and had to learn that there is no reliable way to check this, even if some mailers offer "return receipt" features. There is a reason these are not part of the RFCs, starting with 822, that define the protocol used to transmit emails: they don't work. First, what constitutes 'receipt' of an email? That the first host (in my case atdotde.de) receives the SMTP message? Well, from there it's forwarded to an account where I run my mail client (currently at DAMTP). So is it the first host that does local delivery instead of forwarding? Or the first program that opens the message (SpamAssassin in my case)? Or the Perl script I use to organise my mail folders? Or only a program that displays the message on a screen (mostly 'pine' in my case, but could be 'less' as well when things get rougher)?

The general recommendation is to ask the reader in the body of the message explicitly to reply to the message to confirm reading it. But even reading it does not always mean one understands it. So even better, do a quiz on the contents of the mail. But still, not getting the confirmation does not mean the message was not read.

But today, I learned of a company which offers the solution to this problem: You have to register with them and get an account (free for 10 messages/month, $50 per year for 750 messages/month). Then just add .didtheyreadit.com to any email address. This causes the email to be routed through their server, where this part of the address is stripped and the message gets an HTML attachment with a link to an invisible picture (1x1 pixels, transparent, say) with a unique URL.

The idea is that your email client downloads the picture to display it, and so they know somebody opened the message in a picture-aware browser.

I use pine, which is text based and thus does not care about pictures. Thunderbird at least is concerned about my privacy and warns me that it didn't download any pictures that were referred to in the message but not contained in it (note that spammers also use this trick to determine which of the addresses they harvested from web pages are actually read and are not going directly into the bit bucket). Still nothing happens. But if I click to download the picture (or use another mail client that is not so careful about my privacy) the sender of the message gets this.

Upshot: If you receive an email with an attachment that looks like

<br />
<br />
<div><img src="http://xpostmail.com/b8a6a2cd5cd9ff294ecdf69dbb55d469worker.jpg" nosend="1" name="dtri" width="1" height="1"><link href="http://xpostmail.com/b8a6a2cd5cd9ff294ecdf69dbb55d469.css" hreflang="dtri" rel="stylesheet" type="text/css"></div>

the sender spies on you!
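
As an added example (not part of the original post, and not code from any mail client): a small Python scanner that lists the resources an HTML mail part would make a client fetch, flagging 1x1 images as tracking pixels. The names RemoteResourceFinder and scan_message and the message headers are made up for illustration; the HTML body is the snippet quoted above.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tags that make a mail client fetch a URL automatically when rendering.
AUTO_FETCH = {"img": "src", "script": "src", "iframe": "src", "link": "href"}

class RemoteResourceFinder(HTMLParser):
    """Collect (tag, url, reason) for every remotely loaded resource."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        url = a.get(AUTO_FETCH.get(tag, ""), "") or ""
        if urlparse(url).scheme not in ("http", "https"):
            return  # cid: and data: URLs live inside the message, no callback
        if tag == "link" and "stylesheet" not in (a.get("rel") or "").lower():
            return  # only stylesheet links are fetched for rendering
        reason = "remote " + tag
        if tag == "img" and _tiny(a.get("width")) and _tiny(a.get("height")):
            reason = "1x1 tracking pixel"
        self.findings.append((tag, url, reason))

def _tiny(value):
    return (value or "").strip().rstrip("px") in ("0", "1")  # 0 or 1 pixel

def scan_message(raw):
    """Return findings for every text/html part of a raw RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    finder = RemoteResourceFinder()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            finder.feed(part.get_content())
    return finder.findings

# Constructed message; the HTML body is the snippet quoted in the post.
SAMPLE = """From: sender@example.com
Subject: constructed sample
Content-Type: text/html; charset="utf-8"

<br /><br /><div><img src="http://xpostmail.com/b8a6a2cd5cd9ff294ecdf69dbb55d469worker.jpg" nosend="1" name="dtri" width="1" height="1"><link href="http://xpostmail.com/b8a6a2cd5cd9ff294ecdf69dbb55d469.css" hreflang="dtri" rel="stylesheet" type="text/css"></div>
"""

if __name__ == "__main__":
    for tag, url, reason in scan_message(SAMPLE):
        print(f"{reason}: {url}")
```

Both the image and the stylesheet carry the same per-message identifier in their URL, so blocking only images is not enough.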

3 comments:

Jacques Distler said...

This one is interesting because it not only tries to download an image, but also a CSS stylesheet. Be sure your client disables downloading of CSS stylesheets (in fact, the downloading of any external resource).

Also, make sure Javascript is disabled in your email client. Otherwise, it can achieve the same effect.

Robert said...

Using wget to download the image I discovered how they do the timing: Their webserver spits out the 301 bytes it takes for the one pixel jpeg image exactly one byte at a time, once per second (the download rate is pretty much 1 Byte/min).

Lumo said...

Dear Robert,

could I politely ask you to refrain from the kind of bitter and content-less criticism that you quite often post to my blog? Or was it you? I find it highly uninspiring and kind of annoying. Imagine that people would be writing such criticism under everything they find uninteresting about your blog.

Best
Lubos