Monday, June 9, 2008

E-mail Tracking - The Truth Is Revealed

by: Bruno Ligutti

Have you ever wondered whether your boss, coworkers or family read your e-mails? Well, now you can track your sent e-mails.

In fact, there are many approaches to e-mail tracking. We all know the "read-receipt" system, in which you send an e-mail requesting a read confirmation. When the recipient reads your e-mail, he or she is asked by the software, "Would you like to confirm you received this e-mail?" Then the recipient may choose "No", and we will never get a confirmation. So it is an honor system, and there are some cases in which we cannot trust the recipient.

Other approaches have been implemented by corporate e-mail systems, such as IBM Domino. Recipients are not asked to confirm receipt, so confirmations are always sent (provided that the e-mails are actually read), but this works only for corporate recipients and not for external people.

The tracking system I will describe next is "hands-free" and works for almost every e-mail system. It is analogous to a package-delivery system: we ship a package, and the system gives us a number for keeping track of it. Before getting technical, let me point out that you will need a server, but in case you do not have one, you can always use our already-developed system.

Let’s assume we would like to ask our boss for a raise, a common case in which the recipient cannot be trusted. The system generates an ID for our e-mail and stores it in the server’s database. When we send the e-mail, this ID is sent along with it.

What is the idea? Well, the ID identifies our e-mail. When our boss reads it, the ID is "passed" to our server. So the server gets the message, "The e-mail sent to the boss is being read." From there, the server may proceed in many ways, such as storing the date and time, and our boss’ IP address. It can even notify us at our e-mail address and cell phone!

How is the ID "passed" to our server? As we just saw, when our boss reads our e-mail, the e-mail needs to "call back" the server with the ID. This is achieved by passing the ID in the source of an image.

Going back to our basic HTML lessons, the image’s src attribute specifies the image’s address. So if we insert an image in our e-mail, and we let its source be ourdomain.com/ourlogo.gif, then our boss’ e-mail client gets that image and shows it to him. That is, the e-mail client "calls" our server at ourdomain.com and requests the image ourlogo.gif.

The trick is to have a special page on our server, which receives the ID, stores the tracked data, notifies the sender, and finally sends back an image. This is achieved by server-side scripting, offered by frameworks such as Microsoft .NET. So we insert a 1x1 hidden image in our e-mail, and let its source be ourdomain.com/ourpage.aspx?ID=0123. Here ourpage.aspx is our special page, and ID=0123 identifies our e-mail sent to our boss.

The page gets the ID and checks it against the database (recall that the ID is stored in the database). Then it updates the database, and notifies the sender of that particular e-mail. Furthermore, the page can get the recipient’s IP address, which can reveal his or her geographic location and many more details. And finally, the page sends back a 1x1 transparent image, which is shown to the recipient.

This is a "hands-free" system given that the recipient is never asked to confirm the e-mail’s reception; in fact, he or she does not even realize the e-mail is being tracked. Thus, this system has been accused of compromising users’ privacy, and has caused the redesign of e-mail clients and services, which now allow users to disable images on received e-mails.
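
Blocking images works because a tracking image like the one described above has recognizable traits: it is loaded from a remote server, and it is 1x1 or hidden. As an added example (not code from the original article), the Python script below scans an HTML message body and flags such images; the function names and the sample message are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

def _px(value):
    m = re.match(r"\s*(\d+)", value or "")  # leading integer of width/height
    return int(m.group(1)) if m else None

class PixelFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # list of (src, [reasons])

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = {k: (v or "") for k, v in attrs}
        src = a.get("src", "")
        url = urlparse(src)
        if url.scheme not in ("http", "https"):
            return  # cid:/data: images are embedded and do not call back
        reasons = []
        w, h = _px(a.get("width")), _px(a.get("height"))
        if w is not None and h is not None and w <= 1 and h <= 1:
            reasons.append("1x1 or smaller")
        style = a.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden by style")
        if parse_qs(url.query):
            reasons.append("query string")
        # Size or hiding is the signal; a query string alone is too common.
        if reasons and reasons != ["query string"]:
            self.findings.append((src, reasons))

def find_tracking_pixels(html):
    p = PixelFinder()
    p.feed(html)
    return p.findings

# Constructed sample message body (not from a real e-mail).
SAMPLE = """<html><body><p>Could we discuss my salary?</p>
<img src="http://ourdomain.com/ourlogo.gif" width="120" height="40">
<img src="http://ourdomain.com/ourpage.aspx?ID=0123" width="1" height="1">
<img src="cid:signature.png" width="1" height="1">
</body></html>"""

if __name__ == "__main__":
    print(find_tracking_pixels(SAMPLE))
```

Only the ourpage.aspx image is reported: the logo is remote but visible, and the cid: image is carried inside the message, so displaying it contacts no server.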