LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Weekly Edition

Return to the Security page

Recent Features

Shumway lands in Firefox

LWN.net Weekly Edition for October 3, 2013

Integrity and embedded devices

NUMA scheduling progress

LWN.net Weekly Edition for September 26, 2013

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

Did they read it?

May 26, 2004

This article was contributed by Joe 'Zonker' Brockmeier.

Return receipts for email have been around for quite some time. They can be useful in some settings where a user is willing to verify that they've received an email without taking the time to compose a reply. However, the return receipt depends on the user's willingness to participate in the process. Often, for one reason or another, users do not wish to do that; these users can simply configure their email client to deny requests for return-mail receipts -- if, in fact, the user's email client supports that feature at all.

There are, however, those who aren't content to depend on voluntary responses. Rampell Software is peddling a subscription service for nosy correspondents who want to know whether or not their email has been read. Rampell is a company that pushes several spyware products for MacOS and Windows that are aimed at monitoring the use of other peoples' computers. The "DidTheyReadIt" service is aimed at people who are determined to know whether or not their mail has been read, and who are willing to pay for the privilege.

This, of course, has some not-so-pleasant implications for personal privacy. While the company assures its potential customers that it respects their privacy, nothing is said about the privacy of the recipient who may not wish to divulge whether or not they've read a particular email or where they've read it from. On the company's About Us page, they identify what kinds of people might want to find out whether an email has been read -- including some that make DidTheyReadIt sound like a must-have for potential stalkers:

Users of online dating services such as match.com who want to know if their potential dates are reading their messages...or ignoring them.

It isn't particularly cheap to violate others' privacy either, at least not when using DoTheyReadIt on a regular basis. A quarterly subscription for the service, with the ability to track 500 messages per month, is $24.99.

To use the service, the user has to send email through DidTheyReadIt's servers by tacking ".didtheyreadit.com" onto the recipient's email address. DidTheyReadIt's server then tags the email with a "web bug" and sends it on its way to the intended recipient. For the uninitiated, web bugs are a well-known spammer trick to verify working email addresses. The spammer includes a bit of HTML in the email that will request an unique image name (usually a small image that is invisible to the reader) from a remote server that tracks the hits. The image name and email address are paired so that the spammer can identify working email addresses with users gullible enough to open the spammer's email. When the image is requested from didtheyreadit.com, a hit is logged and the sender can then view the information on the DidTheyReadIt website and/or be notified via email.

DidTheyReadIt takes the web bug idea further than the spammers do, however. It responds to the request for the web bug image by sending a slow stream of data back to the mail client; that stream will continue until the receiving system resets the connection. The amount of time the connection was allowed to run will be roughly equivalent to how long the message was on the reader's screen, giving a sense of how seriously the message was read.

When the service works, the amount of information provided to the sender is quite intrusive. Not content to simply verify that a user opened an email, [DidTheyReadIt report] DidTheyReadIt reports the number of times an email is read, how long the recipient spent reading it, when it was opened, the location of the reader, the IP address of the recipient at the time the message is opened and their ISP. Not only is the recipient (including anybody the message may be forwarded to) being monitored in their reading habits, they are also being physically tracked when the service is able to pair up a geographic location with an IP address. While it's not possible for the service to report a street address, it can narrow down the location to a city. It's easy to imagine scenarios where this would be particularly undesirable.

Users who are even moderately knowledgeable about the way that the Web works will have no problem blocking DidTheyReadIt from divining whether or not they have opened an email sent through this service. Rampell's claims of success "the vast majority of the time, upwards of 98% in extensive testing" are a bit suspect. In fact, many users are already protected by sane defaults in their mail clients that prohibit the display of remote graphics in HTML email by default.

This writer had to deliberately disable the defaults in the Yahoo! and SpamCop (which uses Horde) webmail clients to allow DidTheyReadIt to track test emails. The tracking did not work with Thunderbird or Opera's mail client. It goes without saying that users of mutt and Pine will easily slip under the radar.

Furthermore, once word gets around about this service, many users may simply opt to filter out email that passes through the DidTheyReadIt servers altogether. Some folks might also decide to play havoc with this service by writing scripts to call random images from DidTheyReadIt's servers to generate false positives and render the service useless. Ed Felten predicts that DidTheyReadIt will not succeed in the long run:

Products like this sow the seeds of their own destruction, by triggering the adoption of technical measures that defeat them, and the creation of social norms that make their use unacceptable.

One would hope that the use of such a service would be considered "unacceptable" by most people already. Whether or not that is true, however, the use of free software for crucial tasks like email gives users the upper hand against this sort of service. There is, after all, nothing that forces us to tolerate a mail system which supports this kind of monitoring. If only all of our email problems were so easy to solve.

(Log in to post comments)

Did they read it?

Posted May 27, 2004 12:43 UTC (Thu) by copsewood (subscriber, #199) [Link]

Probably won't be that long before someone manages to get them to relay suitably formatted mail to a known spamtrap for the purpose of getting them onto reputable blacklists. Sooner the better !

Did they read it?

Posted May 27, 2004 18:02 UTC (Thu) by Soruk (guest, #2722) [Link]

The other option is to find out the IP range they use for their outbound mail and add it to local blacklists....

Did they read it?

Posted May 27, 2004 20:23 UTC (Thu) by yodermk (subscriber, #3803) [Link]

That might be dangerous. If someone who could be important was sending me mail through the service, I'd still want to get it. Maybe give it extra "spam" points, but if no other "spammy" rules qualify, let it through.

I will, however, suggest that my organization block web traffic to these guys to stop the tracker.


Did they read it?

Posted May 28, 2004 14:27 UTC (Fri) by mmarsh (subscriber, #17029) [Link]

I'm amazed at some of the other uses they mention on the "About Us" page:

"A student applying for jobs who wants to know if employers are reading her e-mails." This will probably get your resume thrown in the trash if the potential employer realizes you're doing it.

"A business owner who had made an offer to sell a piece of property. He used DidTheyReadIt to track how often the recipient had read his message, and how long the message had been read for. DidTheyReadIt also showed that the message had been forwarded to a law firm." That last part might be grounds for a lawsuit, and the whole thing smacks of industrial espionage and unfair trade practices.

Did they read it?

Posted May 29, 2004 8:27 UTC (Sat) by frazier (guest, #3060) [Link]

If this isn't a classic case of smart person(s) going to the dark side, I don't know what is.

In regards to "Ed Felten predicts that DidTheyReadIt will not succeed in the long run", if they make enough in the short run it won't matter.

Did they read it? Not if they were me

Posted Jun 1, 2004 18:06 UTC (Tue) by dps (subscriber, #5725) [Link]

I will check my MailScanner.conf but I think it set to junk all email containing and IMG tag. You defienitely *can* configoure MailScanner this way.

You are liable to find my squid.conf file reckons didtheyreadit.com is beyond the pale and refuses to process any requests doe things on that site. If they try to bypass the squid proxy, then I have news for them: any requets to port 80 or 443 from anywhere else does is blocked by the (default deny) firewall.

The *default* settings in many email clients is not to download images, and I think the clients that this applies to include eudora, outlook express and outlook.

Did they read it?

Posted Jun 29, 2006 17:21 UTC (Thu) by the_viewer (guest, #38723) [Link]

If you are using a webmail interface and it is not possible to disable pictures, you can even stop this kind of monitoring with a simple action:
Just forbid all connections to xpostmail.com and monitoring will stop.

Copyright © 2004, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds