Educause Security Discussion mailing list archives

E-mail Privacy


From: Javier Torner <jtorner () CSUSB EDU>
Date: Tue, 25 May 2004 12:22:08 -0700

Hello everyone,

I received the following message about a new product called Rampell
Software.

The site www.didtheyreadit.com is legitimate and it claims to do
what the message indicates.

I looked for the reference to the State of Texas report but I could not
find it.

Has anyone seen this before? Comments? Is anyone blocking this site?

Thanks

Javier

Javier Torner, Ph.D.
Information Security Officer
Professor of Physics


_____________________
<snip>

Yet another threat to your privacy has surfaced.  A company called Rampell
Software, LLC has launched a new method of email tracking to determine
whether or not the recipient of email you sent:

* Read the email
* Forwarded the email
* How long it was open
* How many times it was read
* Geographically - where the recipient was physically located when
  they opened it

It works by inserting a single-pixel gif image into the body of the message
and is virtually undetectable by visual examination.  The gif contains
embedded code to "phone home" on port 80 to a cluster of servers at
didtheyreadit.com.  If you open a tagged email, you will not know a
confirmation has been sent.

The process is being marketed to sales organizations to help them determine
the effectiveness of their email campaigns.

More information about the company can be found at: www.didtheyreadit.com


The Information Security Team at the State of Texas, Department of
Information Resources was kind enough to research the product and recommend
some solutions. There are several methods to deal with the problem.  They
can be used singly or in combination:

1) Mozilla Lightning is apparently immune and does not execute the gif code
to phone home.

2) Set your email server/clients to search the body of messages for the
string, "didtheyreadit.com" and send those messages to the bit bucket or a
quarantine area.

3) Create DNS entries for www.didtheyreadit.com and set them to loopback.

From whois.arin.net:

Name:    web.cluster1.didtheyreadit.com
Addresses:  69.90.152.226, 69.90.152.224, 69.90.152.225
Aliases:  www.didtheyreadit.com

4) Black hole the route to the company at your perimeter routers:

ip route 69.90.152.0 255.255.255.0 Null0

5) To determine which organizations are sending you tagged messages, add an
entry to your egress access-list and log attempts:

access-list 101 deny ip any 69.90.152.0 0.0.0.255 log

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.
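
A sketch of the content check in item 2 of the forwarded message, as an added example that is not part of the original post or of any product it names. It goes beyond a plain string search by matching the hostname of each remote image and by also flagging any other remote image declared as 1x1 or smaller; the function names, the sample message and the URL path are constructed for illustration.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

BLOCKED_DOMAINS = {"didtheyreadit.com"}  # domain named in the message

class ImgCollector(HTMLParser):
    """Collect (src, width, height) for every <img> tag in an HTML body."""
    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            a = dict(attrs)
            self.images.append((a.get("src") or "", a.get("width"), a.get("height")))

def host_blocked(url):
    """True if the URL's host is a blocked domain or one of its subdomains."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in BLOCKED_DOMAINS)

def find_trackers(raw_message):
    """Return (src, reason) for each remote image that looks like a read beacon."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        collector = ImgCollector()
        collector.feed(part.get_content())
        for src, w, h in collector.images:
            if not src.lower().startswith(("http://", "https://")):
                continue  # cid: and data: images make no network request
            if host_blocked(src):
                findings.append((src, "blocked-domain"))
            elif w in ("0", "1") and h in ("0", "1"):
                findings.append((src, "1x1-remote-image"))
    return findings

# Constructed sample message; the image path is made up, not a real tracker URL.
SAMPLE = """\
Subject: Constructed sample
Content-Type: text/html; charset="us-ascii"

<img src="http://www.didtheyreadit.com/constructed-id.gif" width="1" height="1">
<img src="http://img.example.net/o.gif" width=1 height=1>
<img src="http://img.example.net/logo.png" width="120" height="40">
<img src="cid:logo@example.org">
"""
```

A mail filter could quarantine any message for which `find_trackers` returns a non-empty list; the 1x1 rule only catches images that declare their size in the tag.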