Educause Security Discussion mailing list archives
Re: E-mail Privacy
From: "H. Morrow Long" <morrow.long () YALE EDU>
Date: Tue, 25 May 2004 16:00:01 -0400
And this is how they 'invisibly' track your sent e-mail messages without relying on the older return receipt requested RFC822 header (handling of which is not mandatory and is often under the control of the recipient user) -- they use single pixel web-page 'bugs' in an HTML formatted MIME partition. This relies on the remote user viewing the e-mail in a web-enabled e-mail program or web browser.

I created an account on didtheyreadit.com and sent myself (well, okay, I sent it to morrow.long () yale edu didtheyreadit com) a plain ol' vanilla text message using pine on Unix just for fun. I put the word 'test' in the body of the message.

Looking at the message received you can see their invisible 'tag' (a unique inline GIF URL was generated just for tracking the msg):

--=_c8e3cfd147fed9ad1142c041c266f73d
Content-Type: text/html

test<br />
<br />
<br><img src="http://didtheyreadit.com/index.php/worker?code=bdbefd3852a72cd5de21493dd23d3fb1" width="1" height="1" />
--=_c8e3cfd147fed9ad1142c041c266f73d--

This is a spammer and advertiser tracking trick.

- H. Morrow Long, CISSP, CISM
University Information Security Officer
Director -- Information Security Office
Yale University, ITS

On May 25, 2004, at 3:22 PM, Javier Torner wrote:
Hello everyone,

I received the following message about a new product called Rampell Software. The site www.didtheyreadit.com is legitimate and it claims to do what the message indicates. I looked for the reference to the State of Texas report but I could not find it.

Has anyone seen this before? Comments? Is anyone blocking this site?

Thanks
Javier

Javier Torner, Ph.D.
Information Security Officer
Professor of Physics
_____________________
<snip>

Yet another threat to your privacy has surfaced. A company called Rampell Software, LLC has launched a new method of email tracking to determine whether or not the recipient of email you sent:

* Read the email
* Forwarded the email
* How long it was open
* How many times it was read
* Geographically - where the recipient was physically located when they opened it

It works by inserting a single pixel gif image into the body of the message and is virtually undetectable by visual examination. The gif contains embedded code to "phone home" on port 80 to a cluster of servers at didtheyreadit.com. If you open a tagged email, you will not know a confirmation has been sent. The process is being marketed to sales organizations to help them determine the effectiveness of their email campaigns.

More information about the company can be found at: www.didtheyreadit.com <http://www.didtheyreadit.com/>

The Information Security Team at the State of Texas, Department of Information Resources was kind enough to research the product and recommend some solutions. There are several methods to deal with the problem. They can be used singly or in combination:

1) Mozilla Lightning is apparently immune and does not execute the gif code to phone home.

2) Set your email server/clients to search the body of messages for the string, "didtheyreadit.com" and send those messages to the bit bucket or a quarantine area.

3) Create DNS entries for www.didtheyreadit.com <http://www.didtheyreadit.com/> and set them to loopback.

   From whois.arin.net:
   Name: web.cluster1.didtheyreadit.com
   Addresses: 69.90.152.226, 69.90.152.224, 69.90.152.225
   Aliases: www.didtheyreadit.com <http://www.didtheyreadit.com/>

4) Black hole the route to the company at your perimeter routers:

   ip route 69.90.152.0 255.255.255.0 Null0

5) To determine which organizations are sending you tagged messages, add an entry to your egress access-list and log attempts:

   access-list 101 deny ip any 69.90.152.0 0.0.0.255 log

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
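
The tag quoted in the message above can be found mechanically at a mail gateway or in a triage script. The following is an added example, not part of the original post or thread: it walks a message's MIME parts and reports remote images declared as 1x1 in the text/html part. The names `find_web_bugs` and `_ImgFinder` are hypothetical, and the sample message is constructed from the MIME part quoted above.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the MIME part quoted in the message above.
SAMPLE = """\
Subject: test
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain

test
--b1
Content-Type: text/html

test<br /><img src="http://didtheyreadit.com/index.php/worker?code=bdbefd3852a72cd5de21493dd23d3fb1" width="1" height="1" />
<img src="cid:logo" width="120" height="40" />
--b1--
"""

class _ImgFinder(HTMLParser):
    """Collect remote <img> URLs whose declared size is at most 1x1."""
    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = {k: (v or "").strip() for k, v in attrs}
        # Only http(s) sources cause a network fetch; cid: images are attachments.
        remote = urlparse(a.get("src", "")).scheme in ("http", "https")
        tiny = all(a.get(d, "").rstrip("px") in ("0", "1") for d in ("width", "height"))
        if remote and tiny:
            self.hits.append(a["src"])

def find_web_bugs(raw_message):
    """Return tracking-pixel URLs found in the text/html parts of a message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    finder = _ImgFinder()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            finder.feed(part.get_content())
    return finder.hits

if __name__ == "__main__":
    for url in find_web_bugs(SAMPLE):
        print("web bug:", url, "->", urlparse(url).hostname)
```

This only catches images that declare a width and height of 0 or 1; images hidden with CSS or sent without size attributes need additional checks.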