DidTheyReadIt web bug

brian_d_foy on 2004-06-11T21:06:53

I'm writing an article about blocking DidTheyReadIt web bug spyware.

I sent my wife a message through their service (free trial, 10 messages at no cost), and if she loads the external images in the email, I get all sorts of interesting information about when, where, how, and for how long she read the message (and it's pretty decent too).

They do this with a web bug 1x1 image. Now I am curious what happens if people all over the world load this image:

http://didtheyreadit.com/index.php/worker?code=844eea38c4f0ab9bd2220f65f4107dbe

I'm figuring that the system must be pretty dumb, and won't figure out that it isn't really here in 200 countries at the same time (although they seem to forget that I could read mail just as easily through a connection in Europe as I can from my home internet connection).

If you load that image, I might get to see the user-agent string of your browser, the referer URL, if any, the best guess at your nearest upstream provider, your IP address as far as the first NAT gateway, when you loaded the image, and the Accept header of your browser. However, because of the hashing, it will look to me like my wife is doing the reading.

So, if you are brave enough, help me screw up their data. :)
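
A mail filter can flag the kind of web bug described in the post above before any image is fetched. This is an added example, not part of the original post or of any DidTheyReadIt code; the host names and token in the sample are constructed, and the two heuristics (tiny dimensions, long hex value in the query string) are assumptions drawn from the 1x1 image and `code=` URL shown above.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qsl

# Query values that look like a per-recipient token (e.g. a 32-hex-digit hash).
TOKEN_RE = re.compile(r"^[0-9a-fA-F]{16,}$")

class WebBugFinder(HTMLParser):
    """Collect remote <img> tags that look like tracking pixels."""
    def __init__(self):
        super().__init__()
        self.findings = []  # list of (src, [reasons])

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = {k: (v or "") for k, v in attrs}
        src = a.get("src", "")
        url = urlsplit(src)
        if url.scheme not in ("http", "https"):
            return  # cid:/data: images are embedded and cause no network fetch
        reasons = []
        tiny = ("0", "1")
        if a.get("width", "").strip() in tiny and a.get("height", "").strip() in tiny:
            reasons.append("1x1 or 0x0 dimensions")
        if any(TOKEN_RE.match(v) for _, v in parse_qsl(url.query)):
            reasons.append("per-recipient token in query string")
        if reasons:
            self.findings.append((src, reasons))

def find_web_bugs(html):
    """Return [(src, reasons)] for every suspicious remote image in html."""
    parser = WebBugFinder()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample message body; hosts and token are placeholders.
SAMPLE = """<html><body><p>Hi!</p>
<img src="cid:logo@example" width="120" height="40">
<img src="http://tracker.example/index.php/worker?code=0123456789abcdef0123456789abcdef" width="1" height="1">
<img src="https://cdn.example/banner.png" width="600" height="80">
</body></html>"""

if __name__ == "__main__":
    for src, reasons in find_web_bugs(SAMPLE):
        print(src, "->", "; ".join(reasons))
```

A tracker can omit the width and height attributes, so the token check is the one that still fires; not loading remote images at all remains the complete defence.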


I timed out

jmm on 2004-06-11T21:24:55

I tried, but after 30 seconds of looking at a blank white screen and "loading from didtheyreadit.com" (or whatever the name is), I (the human, not a program) timed out and hit the back button. There's a limit to how much I'll do, even for science.

Re:I timed out

brian_d_foy on 2004-06-11T21:33:20

I discovered the same thing. They are doing something tricky: they just keep sending data. They keep sending data to you until you do something else. This way they know for how long you read the message, which is about the same time their program ran.

So, this is even more diabolical than I thought! They are also sucking bandwidth. Imagine a company deciding to use this (the intended market, I'm thinking), and that another company gets a lot of email from them. That is almost a denial-of-service attack! Lots of open connections and streaming data they did not ask for.

Thanks for playing though.

Re:I timed out

phillup on 2004-06-11T22:52:42

I loaded the URL with wget.

It is coming across at 1 B/s.

[waiting...]

Turned out to be 302 bytes large.

Re:I timed out

brian_d_foy on 2004-06-12T00:22:57

302 bytes, eh?

That would be about 5 minutes at 1 B/s, and they claim to measure times much longer than that. How long did it actually take? Did it get slower the longer it went on?

Re:I timed out

phillup on 2004-06-13T13:44:07

It was almost exactly 1 B/s the entire time.

I'd almost bet that they eventually count bytes transferred as the method of doing the timing.

We may actually be seeing wget, or some other part of the stack, giving up on the connection... the fact that it was almost exactly 5 minutes is suspect to me.

Anyone think I'll hear from the lawyers?

brian_d_foy on 2004-06-11T21:25:36

Now the referer on all of those clicks is http://use.perl.org/user/brian_d_foy/journal/19205

spammers do this

KM on 2004-06-11T21:55:15

Some companies who provide "ad campaign" services do this. Helps them track who reads what, and what email addresses are valid, and get rough geographical info on the reader/address. I once was speaking with a guy who owns an "ad campaign" service and he said they find that some people will bounce SPAM, but still read the email. Then, they know that even though a bounce came back, someone read the mail and the email is considered valid.

"Phone Home" for email. I dunno, not sure I would trust a service from a site which uses spammer tricks.

Here's what the report looks like:

brian_d_foy on 2004-06-11T22:09:53

http://www.panix.com/user/comdog/didtheyreadit.html

The only thing I have changed is the email address at the top, where I inserted "CENSORED".

I'm amazed that it works

drhyde on 2004-06-12T11:19:22

That anyone today still loads random images embedded in an HTML email baffles me.

Re:I'm amazed that it works

htoug on 2004-06-14T09:07:31

If you are forced to use MS Outlook, e.g. at work, then you have no choice. It will load the damn things no matter how hard you try to get it not to.

/me still trying to tunnel mails out of Exchange without Outlook.