Slash Boxes
NOTE: use Perl; is on undef hiatus. You can read content, but you can't post it. More info will be forthcoming forthcomingly.

All the Perl that's Practical to Extract and Report

use Perl Log In

Log In

[ Create a new account ]

Friday June 11, 2004
04:06 PM

DidTheyReadIt web bug

[ #19205 ]

I'm writing an article about blocking DidTheyReadIt web bug spy ware.

I sent my wife a message through their service (free trial, 10 messages at no cost), and if she loads the external images in the email, I get all sorts of interesting information about when, where, how, and for how long she read the message (and it's pretty decent too).

They do this with a web bug 1x1 image. Now I am curious what happens if people all over the world load this image:

I'm figuring that the system must be pretty dumb, and won't figure out that it isn't really here in 200 countries at the same time (although they seem to forget that I could read mail just as easily through a connection in Europe as I can from my home internet connection).

If you load that image, I might get to see the user-agent string of your browser, the referer URL, if any, the best guess at your nearest upstream provider, your IP address as far as the first NAT gateway, when you loaded the image, and the Accept header of your browser. However, because of the hashing, it will look to me like my wife is doing the reading.

So, if you are brave enough, help me screw up their data. :)

The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
More | Login | Reply
Loading... please wait.
  • I tried, but after 30 seconds of looking at a blank white screen and "loading from" (or whatever the name is), I (the human, not a program) timed out and hit the bak button. There's a limit to how much I'll do, even for science.
    • I discoverd the same thing. They are doing something tricky: they just keep sending data. They keep sending data to you do something else. This way they know for how long you read the message, which is about the same time their program ran.

      So, this is even more diabolical than I thought! They are also sucking bandwidth. Imagine a company deciding to use this (the intended market, I'm thinking), and that another company gets a lot of email from them. That is almost a denial-of-service attack! Lots o
      • I loaded the URL with wget.

        It is coming across at 1 B/s.


        Turned out to be 302 bytes large.
        • 302 bytes, eh?

          That would be about 5 minutes at 1 B/s, and they claim to measure times much longer than that. How long did it actually take? Did it get slower the longer it went on?
          • It was almost exactly 1 B/s the entire time.

            I'd almost bet that they eventually count bytes transferred as the method of doing the timing.

            We may actually be seeing wget, or some other part of the stack, giving up on the connection... the fact that it was almost exactly 5 minutes is suspect to me.
  • Now the referer on all of those clicks is
  • Some companies who provide "ad campaign" services do this. Helps them track who reads what, and what email addresses are valid, and get rough geographical info on the reader/address. I once was speaking with a guy who owns an "ad campaign" service and he said they find that some people will bounce SPAM, but still read the email. Then, they know that even though a bounce came back, someone read the mail and the email is considered valid.

    "Phone Home" for email. I dunno, not sure I would trust a service from
  • []

    The only thing i have changed is the email address at the top, where I inserted "CENSORED".
  • That anyone today still loads random images embedded in an HTML email baffles me.
    • If you are forced to use MS Outlook, eg at work, then you have no choice. It will load the damn things no matter how hard you try to get it not to.

      /me still trying to tunnel mails out of exchange without OutLook.