For most consumers, email has largely given way to instant messengers (e.g. Facebook Messenger, WhatsApp, Telegram) and to messaging through social media. However, email continues to be a significant means of communication in the business setting.
What may not be well known is that email can be tracked very easily.
How is email tracked?
Use of HTML: Most emails use HTML so that advanced formatting and branding can be used. In the good old days, email was a text-only messaging format, but as HTML is largely a text-based markup language it is compatible with email. In addition, the introduction of MIME types for binary objects (e.g. JPEGs, PNGs, video) allows these to be encoded into the body of the email.
Attachments/Remote Images: When something is physically attached to an email it becomes part of the email. However, as HTML can also use the <IMG>…</IMG> tag to address a remote image that is downloaded when the email is opened, it is possible to track these downloads.
One particular technique is to embed a single pixel image into the email which will largely not be noticed by anyone. Once this image is downloaded by the email client the remote server can track whether or not you opened the email thus confirming your email address is live even if it went to spam. Code within the image can also be sent back to the remote server.
Read/Delivery Receipts: Another technique is to request a Read Receipt and/or Delivery Receipt. This is a signal that is sent back to the email server that indicates you opened the email and/or the email was delivered to its final destination. Most email clients can switch these features on and off and can also be programmed for automated email spammer bots.
Embedded Links: You will all have seen these emails where they invite you to click on a link to find out more. These links often contain a hyperlink using the <a>…</a> HTML tag, and the embedded URL can contain a lot of information, especially your email address among others. Once you click on this link, you are tracked from that point by the web server serving up that web page.
Unsubscribe Here: You may also see a lot of emails, especially spam emails, that contain an ‘Unsubscribe Here’ kind of link. This often comes from spam emails where you have been automatically signed up for a mailing list without your knowledge, although some legitimate mailing lists also use this. Once you click on the link several things may happen:
- You will be unsubscribed – yay!
- You will be asked to confirm your subscription requirements, effectively asking you to subscribe willingly to more mailing lists
- Nothing happens and you have just confirmed that your email address is actually live
- You get some malware downloaded (a problem for any link in an unsolicited email).
Email Headers: When you send an email, the email headers also contain a lot of information about the service you are using and sometimes the email client, and as a result the operating system you are using can be inferred. I don’t intend to go into this in detail here as this will be the subject of another blog I am currently researching on Cyber Security Forensics.
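The techniques above leave visible marks in the raw message, so they can be checked before an email is rendered. The following is an added example, not code from the original article: it scans a constructed sample message for receipt-request headers, remote images (treating a declared size of 0 or 1 pixel as a likely tracking pixel, which is a heuristic) and links whose URL carries the recipient's address. The domains, addresses and finding labels are made up for illustration.

```python
from email import message_from_string
from email.policy import default
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qsl

# Constructed sample message; tracker.example and all values are made up.
SAMPLE = """\
From: News <news@tracker.example>
To: alice@example.org
Subject: Big sale
Disposition-Notification-To: news@tracker.example
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<img src="cid:logo" width="200" height="50">
<img src="https://tracker.example/o.gif?id=8f3a" width="1" height="1">
<a href="https://tracker.example/c?u=alice%40example.org&amp;c=42">Find out more</a>
<a href="https://shop.example/sale">Sale</a>
</body></html>
"""

class _Scan(HTMLParser):
    def __init__(self, recipient):
        super().__init__()
        self.recipient, self.findings = recipient.lower(), []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        src = a.get("src") or ""
        if tag == "img" and src.lower().startswith(("http://", "https://")):
            # Attached (cid:) images are part of the email; remote ones are fetched.
            tiny = a.get("width") in ("0", "1") and a.get("height") in ("0", "1")
            self.findings.append(("tracking-pixel" if tiny else "remote-image", src))
        elif tag == "a" and a.get("href"):
            # parse_qsl percent-decodes values, so alice%40example.org matches.
            query = parse_qsl(urlsplit(a["href"]).query)
            if any(self.recipient in v.lower() for _, v in query):
                self.findings.append(("link-carries-address", a["href"]))

def scan_email(raw):
    msg = message_from_string(raw, policy=default)
    findings = [("receipt-request", h) for h in
                ("Disposition-Notification-To", "Return-Receipt-To") if msg[h]]
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        scanner = _Scan(msg["To"].addresses[0].addr_spec)
        scanner.feed(body.get_content())
        findings += scanner.findings
    return findings

if __name__ == "__main__":
    print(*scan_email(SAMPLE), sep="\n")
```

A tracking image can also be sized with CSS or carry no dimensions at all, so any remote image should be treated as a potential tracker.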
How can I defend myself from my emails being tracked?
This article at ‘The Verge’ shows you how to disable automatic image downloads for several of the popular email clients. Doing this will stop the tracking related to image downloads, at the expense of formatting and visuals in the email. In most cases once you have determined it is a legitimate email you can download the images manually.
Enabling full Spam Protection on your email account will also force most spam emails into your Junk folder. Email clients treat Junk mail differently, but certainly in Outlook (mobile, desktop and web – the primary business email client) images, downloads and links are automatically blocked until you take action to move the email out of the Junk mail folder. Other clients have similar features, which you will need to research yourself.
Read/Delivery Receipts can be switched off in your email client. When the sender requests these receipts the email client can by default deny them or ask you to confirm if they should be sent (the setting I use). Some email clients enable this by default, others do not, so it is better to check your specific options.
Links are a particular issue, especially when an email is an attempt at social engineering. In this case you may receive an email saying your iCloud account is being suspended and you need to log in to reactivate it. These emails are nearly always malicious and are trying to get your iCloud credentials (or those of any other service for that matter). The best policy is never to click on a link in an email (or other messaging service) unless you are expecting it. You are better off opening up your browser and going to the service’s website by entering the URL manually or from a bookmark (the best option).
These ‘Unsubscribe’ links are particularly nasty. The best way to avoid spam is to fully enable your spam filter and just ignore the email. Under no circumstances click the link in an email that you are not expecting.
This article at ‘How To Geek’ explains what is in the email headers. There is very little you can do here as these are populated via the email servers the email passes through on its way to you.
It doesn’t matter what you do, it is inevitable that you will be tracked when you use the internet. The only real way to avoid it is to use the TOR network and that comes with its own issues. I will be posting a blog on this at some time in the future.
The best defense is to be aware of what you are receiving and apply some common sense. If an email looks suspicious it probably is. If you flush a legitimate email as spam (e.g. from your bank or a friend), and if it is important, they will have other ways to get in touch with you.