Testing didtheyreadit.com's Mail-Tracking Claims

iosdaemon writes "didtheyreadit.com claims to be able to track your sent email: "When, exactly, your email was opened. How long your email remained opened. Where, geographically, your email was viewed. DidTheyReadIt works with every single internet provider and e-mail account, including EarthLink, AOL, NetZero, Juno, Netscape, Hotmail, Yahoo, and much more." Read on for more.

"This appears to be snake oil. I put it to test just in case someone had come up with some magical code. I sent email from a Yahoo.com account through the service, to an account on a Linux Box. Running tcpdump, I received the email from my pop and let 5 minutes pass before opening it. I left the message open with the cursor in the text for another 5 minutes. Tcpdump revealed absolutely no questionable traffic. And, the service control panel indicated the email had not been viewed. Sending email to a Yahoo.com account results in a 'read' in the service CP. But I had the message open for 10 minutes, and it indicated a 2-minute read......"

The company's "How it works" page explains the system to some degree; it involves redirecting all mail to be tracked through their servers by appending "didtheyreadit.com" to your recipient's email address. I doubt this is mutt-compatible ... Reader xrxzzy points out USAToday's article on the service as well.

Link doesn't work

[fatwreckfan]

Here's a working link: http://www.didtheyreadit.com/ [didtheyreadit.com].

How it 'works'

[ZiZ]

This is nothing more than off-site image tracking, as has been seen in spam for ages and ages. Here's an example of the image it adds:

<img src="http://didtheyreadit.com/index.php/worker?cod e=2f985e815bd2b46450e 07957611ab6c9" width="1" height="1" /> So not only will it not work in text-based email clients (such as mutt), it won't work in modern versions of Outlook which block inline images by default. (It was nice enough to leave my plain-old-text message - "blah blah blah" - alone in the original format, as well as adding a text/html mangled version.)

Re:How it 'works'

[agm]

Evolution has this feature as well. I'm sure anyone internet savvy and aware of the spam problem would have a mail reader that prevents remote images from being displayed - which renders this service useless.

Re:How it 'works'

[eSavior]

Mozilla Thunderbird has the same feature, 1.tools->options...->advanced->privacy 2.check "Block loading of remote images in mail messages." 3.press okay

Re:How it 'works'

[thrillseeker]

Mozilla Thunderbird has the same feature

Mozilla-Thunderbird needs to make their version more like Evolution's, which has the option of allowing inline images from addresses you have put into your address book.

Re:How it 'works'

[byolinux]

Mail.app under OS X also has this.

Open a Terminal...

defaults write com.apple.mail PreferPlainText -bool TRUE

Voila, any stupid HTML email will be displayed as text only.

Re:How it 'works'

[MarkGriz]

No need to render it useless. The service seems pretty useless all by itself.

Re:How it 'works'

[amembleton]

From the 'How It Works' page: Will my recipient know that I am tagging my e-mail?
No. Not unless you want them to know.

As I suspected, they are just using a tracking image, sometimes I look at the source of messages (sad, I know), then I would know if I was being tracked. That saves me opening an account to see how they were going to do this.

I always view my email as Plain Text using Mozilla, so this wouldn't work unless I decided to switch back to HTML. I made some of these tracking images once and tried it out. I found that browsers were cacheing them, so it wouldn't always register if it was viewed in a webmail acount.

Re:How it 'works'

[alder]

...unless I decided to switch back to HTML.

Then you'll go to Tools -- Options... -- Advanced -- Privacy and make sure that "Block loading of remote images in mail messages" is checked. You'll gain nicely formatted messages (with images even if they are embedded) yet all remote images, that can track you, will be ignored.

Re:How it 'works'

[jonadab]

You're assuming he would prefer to view the message HTML-formatted rather than
in plaintext, which for most users who know the difference is not the case.

Viewing in plain text has the advantage of providing a consistent look and
feel for every message, always using the reader's preference for fonts and
colors, among other things. (There are a few exceptions, but most people
prefer the fonts and colors *they* like over the ones other people want them
to see, except in special circumstances such as when having a discussion
about fonts and colors.)

It's all moot for me; I use Gnus. Currently I have it set to only display
text/plain parts and show anything else as an attachment, which I can save
and view if I choose. This means HTML mail has the From and Subject fields
to convince me it's not spam. It's been years since I received an HTML
message that wasn't spam, incidentally, and I get a *lot* of mail. I do
sometimes receive multipart/alternative messages that aren't spam, but the
plain text part always shows fine in that case.

I *could* configure Gnus to display HTML parts, using W3, or to launch a
browser, such as Mozilla, but I choose not to configure it that way because
I prefer to view the plaintext alternative, and like I said it's been years
since I received an HTML-only message that wasn't unsolicited bulkmail.

Back to topic, the didtheygetit.com claim that the service works regardless
of what client the recipient uses is obviously not only bogus for their
specific product but in fact a totally impossible thing for any product to
deliver, unless the content is munged into a form that they are *unable*
to view without alerting you, such as an executable that unencrypts and
displays the text after phoning home -- but something like that would be so
odious to so many recipients that the sender would by using it be decreasing
significantly the chances that the message would be read at all, which would
rather defeat the purpose of the whole idea. In other words, it's an utterly
impossible thing to deliver. OTOH, they only claim it works in 98% of cases
and carefully qualify this saying "in our testing", which presumably means
they didn't test with geeks who use carefully selected high-quality mail
readers; they probably tested mostly with Outlook, two or three popular
webmail services, and maybe Eudora or Netscape. I can positively guarantee
that it would never work with Pegasus Mail (though pmail *does* support read
receipts, but only if the user has turned them on in the prefs; they're
off by default), and obviously it doesn't work with my particular config
of Gnus. (I don't know about a default Gnus config, but that's largely not
a significant issue since people who leave settings at their defaults don't
tend to use Gnus in the first place; it's very much geared toward people
who like to change lots of options.) Clearly it also wouldn't work with
mutt or pine or anything like that, and *obviously* it wouldn't work if
the user talks to the POP3 server directly (which I happen to have just
done yesterday, though I only looked at three or four messages that way,
and I'm atypical, being the maintainer of the Net::Server::POP3 module).

I can imagine that it might be useful to some people nonetheless, especially
in a largely homogenous corporate environment wherein it is predictable what
mail client everyone or almost everyone uses. But clearly they're very much
exaggerating (at best) when they claim it works irrespective of the client.

Re:How it 'works'

[johnnyb]

The only problem with this is that it encourages people to include images already attached - meaning spammers will send images WITH their emails, causing even more bandwidth to be lost even if you don't open it. With remote images, you get the advantage of only sending the images to people who care.

Re:How it 'works'

[BuckaBooBob]

Not to mention if you have didtheyreadit.com in your hostfile with your loopback.

Re:How it 'works'

[Christianfreak]

Thunderbird at least (probably in Mozilla as well) has an option to turn off remotely loaded images. So you can keep the HTML formating if you so desire without worrying about being tracked in this fashion.

Re:How it 'works'

[amembleton]

Thunderbird at least (probably in Mozilla as well) has an option to turn off remotely loaded images. So you can keep the HTML formating if you so desire without worrying about being tracked in this fashion.

I can't find such an option in Mozilla. I've googled around but can't find anything on it. Maybe its time for me to switch to Firefox & Thunderbird.

Re:How it 'works'

[darkonc]

I can't find such an option in Mozilla.

Edit ->
Preferences ->
Privacy & Security ->
Images ->
[checkbox] Do not load remote images in Mail and Newsgroup messages

It's probably the fact that it's under 'Privacy and Security', rather than 'Mail and news' that threw you.

Re:How it 'works'

[ciggieposeur]

I found that browsers were cacheing them, so it wouldn't always register if it was viewed in a webmail acount.

PATENT ALERT

I am about to describe a patented technique. Seriously. If you ever think you're going to implement a web bug, do not read this or IBM will be able to sue you for treble damages.

Since a) I no longer work for IBM, and b) the method is on file in the patent, I am not violating my IP contract with IBM by describing this method.

.
.
.

PATENT ALERT

.
.
.

Method:

The way to defeat browser caching is to make the IMG SRC point to a CGI that returns a REDIRECT (302) that points to the single-pixel image. So you might have IMG SRC="server/path/to/cgi?key1=val1&key2=val2". The browser will have to tick the CGI because it has "dynamic" parameters. However, the CGI has to return a REDIRECT because an intelligent proxy server in the middle might be trying to cache the output too. You don't care if the single-pixel image itself is cached, you just want to capture the CGI hit with all the parameters.

Re:How it 'works'

[lostchicken]

Patent law cannot be circumvented with a clean-room designed algorithm. A lack of knowledge of the original source will not get you out of a patent suit, just copyright issues. So, if you are trying to make a web bug, you'd best read this and do something completely different, because no matter what, you can't use the above described technique without being in violation of IBM's patent. Not even if you came up with it all by yourself.

Re:They may have their patent sticker but. . . .

[julesh]

I'm sorry, it isn't either novel or non-trivial. I've been using this technique since 1997, when I read it as a recommended technique in a book on CGI programming that had been published years before.

It is obvious. In fact, it's about the easiest way of solving the problem of a CGI script that produces an image, let alone cache-busting.

Re:How it 'works'

[amembleton]

This then allows their server to know when the mail was downloaded by the user without having to rely on images.

Unfortunatelly, I don't think it works like that. Their server will then send it to the users' server, or the mail server of their ISP or the mail sever of a webmail account such as Yahoo!, Gmail or Hotmail. Their server will send the message straight away, without any delay. The end user does not download the message from didtheyreadit.com sever, they download it from their usuall Yahoo! SMTP server or whatever their usuall mail server is.

Re:How it 'works'

[amembleton]

Don't worry, we all have those days. And, I called it an SMTP server when it should have been a POP, ah well.

Re:How it 'works'

[tigress]

Uhh, no. The recipient "downloads" their mail from their ISPs mailserver. There's nothing didtheyreadit.com can do to change that. What the extra ".didtheyreadit.com" does is simply being an email adress that forwards the mail to the recipients server, and adding a tracking-image to the mail.

Of course, if you don't believe me, please feel free to call my free 1-800 number and I'll explain it further. I promise not to redirect your call to an international $9.95/min number.

Re:How it 'works'

[ip_fired]

There is a problem with SpamAssassin in that you can get around the little web-bug feature with a little setup on the server side. If the spammer were smart, they would use mod_rewrite to change the url from:

http://spammerserver.com/cgi-bin/redirect.pl?id= [m d5sum]

to:

http://spammerserver.com/images/[md5sum]/image.j pg

Apache then takes the a out of the url, rewrites it, and redirects it to a script which then records the hit from the user and notes that this address is valid.

Spam filters out there need to find a good way of detecting unique identifiers that can be used to track a user.

I'm personally moving towards the scorched earth method with my personal e-mail account. Blcok everything that isn't on my whitelist. If I know you, you're on my whitelist. It's certainly not the best method, but I hate spam.

Re:How it 'works'

[jacobdp]

This is nothing more than off-site image tracking, as has been seen in spam for ages and ages.

And yet they claim that there's no way the recipient can know that the message is being tracked (see their FAQ [didtheyreadit.com]) It may not be complete snake oil, but the company is definitely lying about the service's transparency.

And they route all your mail through their servers. I wouldn't be surprised if they soon started selling "pre-confirmed" email address lists.

Re:How it 'works'

[antic]

A typical user would not know that a web bug was in place and the typical users are exactly who they're trying to get to buy into the service.

You and I might ignore their attempts, but there are a hell of a lot of people out there who would like the sales pitch, the 5 free samples/tests and spend the money to use the service. For the most part, they'll be emailing people without mutt and the service may just work (more or less) as described.

Where I would have an issue is with the small percentage of emails that they can't track due to clients forcing text only mail. If a user was to build a strong reliance on this service, they would only assume that the receiver had never even read their email when in actual fact they could've opened it in a text-only client and pored over it for days!

And the privacy issues are astounding -- they would essentially get every copy of email sent through their system -- personal information and details, etc. If you care enough about the information you're sending to want to know if the receivee will read it, then you can bet that this company may care enough about the content too...

Re:How it 'works'

[antic]

Very true, but this company is hardly going to complain if they can get a $49.95 subscription out of these people before they realise that particular short-coming...

I give them credit for the "idea" and definitely the implemention (adding ".didtheyreadit" to the end of a standard email address), so best of luck to them.

And they certainly have achieved fantastic press with this slashdot exposure: suddenly a large group of people know the name, what it does, how it works and how much it costs...

Re:Well... at least no false positives.

[nahdude812]

Given that it re-routes all the replies through their service, I'd wager that they are at least smart enough to mark a message as read if they get a reply for it through their network.

Re:How it 'works'

[photon317]

And offsite imagine tracking is definitely not going to work for recipients like me, who use Mozilla Thunderbird and picked the config option "Block loading of remote images in mail messages".

Re:How it 'works'

[RotJ]

Yahoo! and Hotmail also allow people to block all images until they explicitly approve them, so spammers can't track whether you've opened their spam. Didtheyreadit won't be able to either. So tracking for this service will be very spotty. For messages marked unread, you can NEVER know whether it was opened or not.

Re:How it 'works'

[dbirchall]

This is nothing more than off-site image tracking, as has been seen in spam for ages and ages.

And, of course, in legitimate email newsletters and such, from lots of entities that actually have to track their ROI on such things. I used 'em about 4-5 years ago when I was doing web dev and DB marketing for a travel dot-com. If someone was signed up for our fare alerts or whatever, they'd get mail with a tag in it; if they clicked through to our site, that tag got tracked as a referrer, and passed along

Re:How it 'works'

[orthogonal]

So not only will it not work in text-based email clients (such as mutt), it won't work in modern versions of Outlook which block inline images by default

Let's be even more sensible: your firewall rules should allow your email client to make connections to your mail server ONLY, and only to its ports 110 and 25 (I'm assuming POP3; IMAP would be other orts).

(Not for linux users: Microsoft Windows firewalls typically allow setting rules separately for separate applications, by associating a process name (and in serious firewalls, the executable's MD5 sum) with the process requesting the connection.)

This takes care of all web bugs, inline images, and javascript pop-ups or Active-x in Microsoft HTML email.

Note that with any sensible email client, this won't block html links, as clicking an html link should invoke a separate browser application, with its own firewall rules.

It will block linked (not inline) images, but only a very small minority of email linked images that are at all useful to view -- in this case I just save the email as html and open in a web browser.

Re:How it 'works'

[jburroug]

(how many business majors know that you can make a screenshot in windows?)

/me raises hand

Ahem. I happen to have a BBA in Management. I know how to take screen shots under Windows. You just hit "printscreen" and paste, though I prefer to use a nifty little utility called "ScreenHunter" Of course the only time I need to take screenshots in windows is at work, since that's the only time I ever use windows. I'm typing this message in Mozilla, on a Linux box, running GNUStep (nee Window Maker) for my window

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:Definitely snake oil.

[E_elven]

There's a way to go off line? What does one do in this 'off-line' state?

Re:Definitely snake oil.

[V.P.]

127.0.0.1 -- There you go!

/bin/mail works too :-)

[billstewart]

Not only did they not see my test message when I read it from /bin/mail, they didn't see it when I downloaded it to Eudora and read it on line, which is probably because I don't download images while reading mail. I sent a copy to my fastmail.fm account, and it was able to detect that, but the thing hung around in infinitely-slow-download mode so it could detect when I closed the reading window, which doesn't seem to be a reliable process (I X'd out of that so it'd stop hanging, and I haven't gotten the up

this is cool

[quelrods]

Well, it will tell you when they opened the email/how many times/etc. (assuming they have an html enabled email client.) It works w/ yahoo mail but not with pine. The infinite refresh to tell how long they read the email for is annoying in that it makes it look like the email never finished loading. Can someone see how outlook responds to this? (I haven't a windows box)

Re:this is cool

[quelrods]

woops forgot to add it's direction finding skills are weak. Apparantly I'm in Michigan? I'm in Austin,TX and my POP is chicago. It appears to try to get information via one of the upstream links which is horribly inaccurate.

Re:this is cool

[madprof]

So, in fact, this is not cool at all then.

Re:this is cool

[Anonymous Coward]

The infinite refresh to tell how long they read the email for is annoying in that it makes it look like the email never finished loading. Can someone see how outlook responds to this?

I'm just guessing here, but, based upon my previous experiences with Outhouse, it probably downloads an activeX script from a site in Korea and promptly reboots. But then again, that's the default behavior.

OE read receipts

[gbjbaanb]

considering the non-friendly hack that you need to go through to get this working, wouldn't it be better to capture the data sent by Outlook and OE's read receipts and implement something compatible in Mozilla and other email clients.

I only say use the Outlook 'standard' because it doesn't seem there's any others, and it'd be a bit useless if we had multiple versions.

If we want read receipts, that is. Personally I turn them off, and don't send them.

Re:OE read receipts

[Ryquir]

Uhmm... you do understand that Mozilla and other E-mail client do actually have read receipts and that this isn't a "MS" standard?

The only difference in clients abilities with regards to read receipts is how they present you the uninformed user the dialog box saying "Sender has requested you inform them that you have read this message".

Re:OE read receipts

[IncohereD]

Weren't read receipts 'invented' by Netscape 4.x?? That's the first time I remember seeing them. And the functionality is still in Mozilla, one of my friends requests them, and I get a box asking if I want to send it or not.

Lets Implement a Similar System

[KhalidBoussouara]

To see if people read the article before posting on Slashdot.

This post is a joke so don't moderate down. Also I am aware that this wouldn't be really effective.

Re:Lets Implement a Similar System

[Anonymous Coward]

MOD PARENT DOWN. This wouldn't be effective mea...
aww crap.

Single pixel gif?

[ilikejam]

Sounds to me like they just embed a simgle pixel gif in the message, and monitor when they recieve the request for it.
How they monitor the length of time the mail stays open is a bit of a mystery.
Turn off 'Download images' and I'd imagine their system becomes useless.
Wasn't there a scare about spam merchants doing this once?

Re:Single pixel gif?

[octalc0de]

Perhaps the single pixel gif never finishes loading. That way, as long as the connection remains open, the web server clocks how long you're on the image.

Re:Single pixel gif?

[Neon Spiral Injector]

The time is probably calculated by not actually sending the image file, or sending it very slowly. So they just keep the HTTP session open, then note when the client closes. That would limit the tracking time to when the connection times out. Like the author said, he left the Yahoo mail open for 10 minutes and it only reported 2.

An additional note, Yahoo does have an option to disable remote images, which would also break this.

Seems this company is too late to the party. Almost all current e-mail clients now don't or have an option to not to load remote images.

Re:Single pixel gif?

[5E-0W2]

Could be animated gifs sent slowly? I remember back in the days of netscape 3 iirc netscape had an aquarium webcam that worked by having an animated gif and new frames getting sent as they were generated. Or perhaps it was server push (multipart mime content). It was something like that which would work for this anyway. 1996 was a long time ago.

Re:Single pixel gif?

[Neon Spiral Injector]

That was indeed server push for the fish cam. Only worked with Netscape. I don't think Mozilla even supports multipart mime.

I tested with one of the links provided here. It is just a 302 byte JPEG sent 1 byte per second. So max tracking time is 5 minutes.

Re:Single pixel gif?

[ilikejam]

Yup. Confirmed.
At the bottom of the mail is:

<img src="http://didtheyreadit.com/index.php/worker?cod e=xxxxxxxxxxxxxxxxxxxxx" width="1" height="1" />

Oh well. Should prove very effective against those without the sense to turn off images anyway. Lets hear it for making money from people's ignorance!

Re:Single pixel gif?

[tigress]

Server-push. Very simple.

Re:Single pixel gif?

[Neon Spiral Injector]

I just tested, they send an image/jpeg with a header not specifying the length at 1 byte/second. But it is only 302 bytes long, so they can't track for more than 5 minutes. It is a real JPEG, 1x1 pixels, created with an Adobe product.

get your privacy back easily

[xlyz]

just set your mail client to not download images

Re:get your privacy back easily

[Pike65]

How do I do that in pine?

No good

[martingunnarsson]

If you can't trust the service, and you obviously can't, I don't think there's a very good reason to use it. Unless it works for every single message it's no good. It is a pretty neat idea, but the tinfoil hat crowd will most likely scream and shout about their privacy being invaded.

Re:No good

[Z-MaxX]

Probably the biggest problem isn't a violation of privacy (spammers are are using this same technique all the time anyhow, you REALLY should disable the loading of images in your mail client) is the fact that is does not and *cannot* work for all email providers and clients.

Even Yahoo! webmail allows you to disable image loading. Furthermore, I always set my mail client to only show the plain text message, and not display any HTML at all. I don't need hypertext markup in my email messages.

Re:No good

[Z-MaxX]

Unless it works for every single message it's no good.

So true. And this is straight from their main page:

"Are you as sick of getting the "I never got your email." line as I was? This will eliminate that excuse completely. It really lets you know whom you're dealing with."

Now you simply say, "My spam filter blocks images." And you may have a reason then to think that the person who sent you the message doesn't trust you.

You can't solve a people problem with technology.

Why not do it yourself

[Crashmarik]

If the recipient is using a text based email program theres no way in heck anything is going to track whether the mail was opened or read. If its an HTML reader like Outlook just pop a web beacon and let your server monitor it. If you can't figure out how to make this work yourself, you probably shouldn't be allowed to go spying on others anyway.

Not very useful!

[edoc]

This is not very useful as it is only tracking the images that are being loaded when the email is being viewed. However, most email clients now block these inline images from being loaded so this software will not function. In text based email clients it also will not function at all. These features have already been included in such email clients as evolution [novell.com].

It's an animated GIF!

[Anonymous Coward]

It embeds a single pixel image, but it appears to keep feeding you the image forever, at a rate of a byte a second. Thus, if you use an HTML image reader that loads embedded graphics from random servers, they will know how long you had it open for.

Of course, if you use an email program that's that, umm, "open", they could just embed a trojan in it and add features like listening to what you say when you open the mail, and pictures of you reading it. :)

I'M RICH!!

[nacturation]

Now I'm going to finally get Bill Gates and tons of other companies to finally pay up! [snopes.com]

eeevviiilll!

[Gaima]

http://www.rampellsoft.com/ [rampellsoft.com], the people bringing you didtheyreadit looks to me like a really evil company.

software products to make your life on a computer easier and more efficient. by secretly spying on your spouse, kids and employees.
Oh, sorry, record, my bad.

/me goes back to kmail in text/plain by default, happy, safe, and in privacy.

This would fail with GMail

[tji]

By default, Google mail has images turned off. You have to click a link at the top of the message to force it to load the images.

Most other mailers also have a way to turn off image loading because spammers have been using this tracking technique for a long time. If mailers don't allow image blocking yet, I'm sure that a service like this will get them to add that trivial feature.

Re:This would fail with GMail

[attemptedgoalie]

Outlook 2003 blocks images as well.

Outlook Express will when XP SP2 hits at end of July.

quick prevention of getting tracked by this...

[griffjon]

Not that I let my email client load images anyway, but just because I'm spiteful, I think I'll go add
"127.0.0.1 didthereadit.com" to my /etc/hosts file. (c:\windows\hosts in win98, C:\windows\system32\drivers\etc\ in XP, )

Depressing...

[Gutboy_Barrelhouse]

Does anyone else find it depressing that the entire privacy issue this service (creates? no... inflames?) hinges on the fact that 99% of Internet users probably don't know whether they're reading email as HTML or plain text?

mwahaha

[Anonymous Coward]

Devious suggestion: Buy misspellings of their domain, then capture all emails you receive. Hours of fun!

Better alternative

[mapinguari]

If you're wanting to use something along these lines, a more up-front company that doesn't use invisible web bugs is HaveTheyReadItYet [havetheyreadityet.com].

They use images of stamps, which are customizable, which is kind of a cool idea.

However, this only available for Windows.

SPAMMERS, perhaps?

[whoever57]

A whois on didtheyreadit.com shows an address in Florida.

Wouldn't this be a great way to harvest thousands or millions of known good email addresses?

The TOS only states that they will not store the emails -- yet their own logs will contain the email addresses. There is nothing in the TOS that explicitly prevents them from using those addresses.

Re:SPAMMERS, perhaps?

[gl4ss]

considering that such technique(tracking if email was read by having an img tag) has been used by spammers for years it wouldn't be that surprising.

Re:SPAMMERS, perhaps?

[danharan]

And conveniently, they also have a sender that is likely on your white list...

More sophisticated analysis could also yield useful info (likely gender of the sender based on words and sentence structure; keywords to indicate interests).

Re:Picture of Alex Rampell?

[whoever57]

At the same address is The firm of Rampell & Rampell, PA [rampell.com]

A multi-talented family? Accountants, Software, [rampellsoft.com] and now a web-based business.

The software seems to be keyloggers and others.

Awesome!

[CRC'99]

Now I'll be able to find out if the boss is actually reading my email!

heh - and he says he doesn't get it :)

Good for them, and us.

[tigress]

In my personal opinion, I think this might actually be a good thing. Considering the fact that didtheyreadit.com uses external images for tracking, and that they're getting a whole bunch of publicity right now (partially due to this very article), this is just another reason for email clients to block external images by default - spam apparently not being a big enough reason yet.

With a bit of luck, this will make more sites and clients want to implement image blocking, which will in turn make it harder for spammers to get their messages across.

Spam is merely an annoyance to most people. Privacy issues are not. :)

Could be useful

[zerosignal]

I think this would be useful for dealing with companies with poor customer service. You can check if your mail was actually read by a human. Chances are they are all using Outlook with HTML enabled, so the tracking would work.

DNS fun...

[AVee]

Looks like they've got a wildcard mx record:

# host -t mx aol.com.didtheyreadit.com
aol.com.didtheyreadit.c om mail is handled by 10 mail.cluster1.didtheyreadit.com.
host -t mx lsdkfjksdlfjklsdjf.didtheyreadit.com
lsdkfjksdlfj klsdjf.didtheyreadit.com mail is handled by 10 mail.cluster1.didtheyreadit.com.

Now whould you like to pay for an email service that doesn't even have a fallback mailserver and is likely be busy handling mail for info@didtheyreadit.com.didtheyreadit.com.didtheyre adit.com.didtheyreadit.com.didtheyreadit.com

# host -t mx didtheyreadit.com.didtheyreadit.com.didtheyreadit. com.didtheyreadit.com.didtheyreadit.com
didtheyre adit.com.didtheyreadit.com.didtheyreadit.com.didth eyreadit.com.didtheyreadit.com mail is handled by 10 mail.cluster1.didtheyreadit.com.

Re:DNS fun...

[Anonymous Coward]

Probably because mail.cluster1.didtheyreadit.com points to 3 different IP addresses.. Not sure why they didn't just make 3 separate MX records.

Re:DNS fun...

[grozzie2]

mail is handled by 10 mail.cluster1.didtheyreadit.com.

Ok, a little more digging. mail.cluster1.didtheyreadit.com resolves to 3 consecutive ip addresses. Repeat the process for www.didtheyreadit.com and you find that the same 3 ip address resolve to that. This smells a lot like somebody has gone to the effort to build a high availability cluster for dealing with mail, just based on the consecutive ip's and the telltale names.

Interesting, this same cluster is also set up to provide the backing infras

Re:DNS fun...

[shani]

Two things about fallback mail servers.

The first is that Internet mail has retry functionality built in. If your mail server goes off-line for a few minutes, most clients won't notice. It's not an immediate service like HTTP. Personally, I only have a backup MX for my personal domain because my box is physically located at my employer's office. The company could unplug it (permanently!) at any moment. People I trust - companies not one iota.

The other thing is, as other people have mentioned, this ser

didtheyreadit.com's new domain name

[Skapare]

It seems didtheyreadit.com is looking at the same thing with a different view in mind. Their new domain name is: isyourrecipienttotallyignorantaboutsecurity.com.

Easy fix...

[jafiwam]

just put:

127.0.0.1 didtheyreadit.com

In your hosts file...

Or put an authoritative zone in your DNS servers if you have access.

Done, no query reaches their server.

SPF?

[forevermore]

So if you have to send email through their server, which adds a hidden tracking image and then resends the message, wouldn't all of this be blocked by SPF-aware servers? I can't even send orkut invitations out because they send "from" me and they're not in my SPF record.

Actually

[t_allardyce]

I've got a better idea, stick a porn banner in your email which links to a site on your server, then check the logs and see *exactly* how *long* they errr.. *read* your *email* and which page they *read* the most ;) ah probably been done

im *really* *really* sorry for the asterix's (spelling)

Big problem: instant open relay

[bigberk]

I signed up for a free account. It does work, it's fast and convenient enough. But there's a major problem...

INSTANT OPEN RELAY.

All a spammer has to do is forge their From address (the only means of relay authentication!) and append .didtheyreadit.com to any victim address, and dtri1.rampellsoft.com will relay the message to the victim. I'd say this service has a 10% chance of survival.

Paranoid Annoying Emailers

[NitsujTPU]

Things like this remind me of the most paranoid, annoying, emailers that I deal with daily. Something like 1 in 1000 emails are the type that I would ever stick a receipt on. For the most part, even those I would ask for a friendly reply in the text at the bottom.

At work, I am somewhat compelled to use outlook. Here's my favorite setting:

1) Automatically unflag incoming messages:
-Think noone reads your email? Why not flag every message you send. That way, they'll all look importat... or, the important ones will get lost in the see of red flags.

Do any of you have settings that would be good in Outlook?

"Every single internet provider"?

[Megane]

DidTheyReadIt works with every single internet provider and e-mail account, including EarthLink, AOL, NetZero, Juno, Netscape, Hotmail, Yahoo, and much more.

Guess what folks. There's no law that says you have to let a megacorp run your e-mail. With a fixed IP and a 24/7 server, you can run your own server. (Though, admittedly, it's not something a novice can make work.)

All this is is simple "web bug" HTML IMG link spying. Anyone with any kind of sense has configured their e-mail client to not automatically download remote images. Or even to not display HTML crap at all. And please don't tell me that they use Javashi^H^Hcript, because that means there's a brain-damaged popular e-mail program out there that allows it (or a webmail site that doesn't filter it). All we need is another way for e-mail to run wild code.

Is anyone else getting a flashback to the all the stupid ideas that would burn through millions of dollars in VC cash back in the dot-com bubble days?

It's a scam, and here's how I know

[BillX]

I have identified this service to be a scam using the "superfluous female person standing next to logo" method. I'm still wondering where her headset went, though...

Wonder how it compares with ReadNotify

[Krellan]

There is another company that claims to do this, ReadNotify [readnotify.com].

It looks to be exactly the same kind of service as Didtheyreadit.com.

I first became aware of this company by reading Mozilla's bug report 28327 - http://bugzilla.mozilla.org/show_bug.cgi?id=28327 [mozilla.org] (cut/paste URL and open in new window).

Mozilla/Thunderbird also has trouble completely blocking all server contact in email, as it evidently doesn't sandbox the email environment enough (images may be blocked, but stylesheets and other external URL's can still leak through, last I checked).

BTW, there is a workaround if you use Mozilla/Thunderbird: set your View/Message Body As settings to "Simple HTML", or better yet, "Plain Text". This works 100%!

Tracking HTML e-mail without images or JavaScript

[Kent Brewster]

You can do this without using an image or JavaScript, and give away nothing in the source of the message. Here's one way, using Apache, .htaccess, and PHP:

1) In the header of your HTML e-mail message, load up a style sheet:

<style type="text/css">
@import "http://your.server.com/your.css";
</style>

2) In the server directory containing your CSS file, add the following line to .htaccess:

AddType application/x-httpd-php .css

Any file ending in .css under this directory will now be run as if it were a PHP script.

3) Save this as your.css:

<?php
require "track_message.php";
?>

Done. No images, no JavaScript ... any reader that accepts HTML messages will trigger track_message.php, and nothing unusual will be visible in source code, even if some curious person pulls down http://your.server.com/your.css to take a look.

Heard about this on NPR interview last week

[kc8jhs]

The shocking thing was, in the interview, the founder/inventor(not)/designer/coder whatever he was, claimed that large large portions of mail actually gets lost on the internet.

A gentleman called in from a design engineering firm who emails large documents to other members of the firm and other associates around the country. The "expert" insisted that the didtheyreadit.com was the perfect service for them to assure that their emails made it there and were in fact read.

My question was this, how does email between two people who regularly email each other, and are probably expecting it, "get lost"? This was a major point that the guy was making, which seemed to me like he was spreading classic FUD.

Lets make sure that our friends aren't using this product for those reasons! Assure them that undeliverable mail will be properly reported back to them always, and show them how to set their mail clients to always accept mail from those in their address books!

-Mikey P

Here's How They Time the View

[jzap]

They put a 1x1 image in the HTML e-mail with a (long) unique number in the SRC URL. The unique number identifies the sent message. When your e-mail client tries to fetch the image, they send the header right away (type=image/jpeg), but they trickle the data to you at one byte per second. This keeps the connection open for as long as you view the message. When you stop viewing the message, the connection closes, and their timer stops.

I'd show you what a dump of an 118-byte-long version of their JPEG image looks like, but the Slashdot Lameness Filter didn't like all those "junk" characters! However, you can view the dump here: http://jzap.com/img/ReadItBug.jpeg.txt [jzap.com]

Re:fp!

[TheViciousOverWind]

Nothing special, just "Webbug" images, which spamfilters such as SpamAssasin (in the default setting) adds point to as more likely to be spam, so using DidTheyReadIt users mail is more likely to end up in a spamfolder than any other type of mail.

On another note, I find it's walking on the thin red line of immoral behavior, and I know here in Denmark there've been several companies who've got bad publicity because of using said method.

Re:fp!

[senatorpjt]

OK, so, who's going to set up a free service that duplicates what DidTheyReadIt does. It uses almost no bandwidth (you're only loading a 1x1 pixel image off a webserver). I'd do it if I had any hosting capability whatsoever.

The entire point of a free service would be 1) to educate people as to why this is pointless and 2) to make it unprofitable and drive these people out of business.

Yahoo, and Gmail too...

[QangMartoq]

Both of these web-based email services have the ability to block loading of images in spam, though, at least with Yahoo, it's worthy to note that this feature extends only to messages stored in your 'Bulk' folder.

As to Gmail, I don't know, but from what I've heard it works in a similar way.

Also, the newer versions of AOL diasable images in emails by default, requiring the user to click on an 'Enable images and links' option on each email they want to see images/have working links in.

Having email clien

Yahoo and Hotmail image loading

[AzureLunatic]

Yahoo mail has the option to block all images from loading by default (not just in the sorted-as-spam bucket), warns the user when images are blocked from loading, and allows loading of images on a message-by-message basis.

However, this option must be hunted down and turned on.

Hotmail does one better, and allows you to block all images from loading by default, and set rules so certain senders' images will always load as well as viewing images in a piece of mail on a case-by-case basis.

Re:Uh, the link is wrong

[J'raxis]

The browser should take the scheme from the context of the current URL. This is valid according to the definition of a URL in the RFC.

You know that a URL like /foo/bar is evaluated relative to the current server, right? Well, something like //www.foo.com/bar is evaluated relative to the current scheme, i.e., http.

Re:Uh, the link is wrong

[SuperficialRhyme]

Strange. The links work for me with Mozilla Firefox 0.8 (unless they've been corrected already and I missed the time they didn't work).

Re:But we're blocking it anways..

[JessLeah]

Clearly, this service isn't being marketed to the SlashDot crowd. The very IDEA of this service reeks of "mass market", which we are not. (Though, with all the MSFT ads, we're getting closer every year. I'm just waiting until I see AOL ads on SlashDot. That'll be the day...)

Re:How it works

[avdp]

Most email and webmail clients DO have this functionality. Yahoo, Hotmail, SquirrelMail even Outlook can block remote images (I am sure there are more, but those are the ones I have used - the most popular ones I would say). It may not be the default setting though.

Re:Smoke and mirrors

[DaHat]

And now we all DoS their site as we try to load that image to see if it really does work...

It seems to be good, just an awful slow load (which no doubt is intentional to measure the length of your 'reading' of the e-mail).