UNIVERSITY OF HELSINKI
Department of Computer Science

E-mail tracking exposed

E-mail tracking is a method for monitoring e-mail delivery to intended recipients. Many e-mail based marketing tools include tracking as a feature. Such tracking is usually accomplished using standard web tracking methods known as web bugs or web beacons. When an e-mail message is sent (if it is technically an HTML message), the e-mail tracking system embeds a transparent 1 × 1 image with a unique URL within the content of the message. When you open a tracked message, the tracking image is accessed. This reveals to the tracker when that e-mail is opened, as well as your IP address. It may also reveal your device type (PC, Mac, tablet, phone), operating system, its version, your mail reading tool and your language choice. Your service provider and your geographic location can be inferred on the basis of the IP address. All this happens without your knowledge and, perhaps more importantly, without any previous consent.

This sort of e-mail tracking is much more common than you would expect. It is used by individuals, invasive e-mail marketers, spammers and phishers. It can be used to verify that e-mails are actually opened by recipients or that e-mail addresses are valid. When used maliciously, it can be used to check that e-mails get through spam filters or to collect confidential information about individuals and organisations. This endangers your privacy and, for example, enables spammers to create more effective spamming and phishing schemes.

To make users more aware of e-mail tracking, the mail system of the Department of Computer Science now adds a warning symbol like the one below to all e-mails arriving in cs.helsinki.fi mailboxes if they contain a tracking mechanism.

If you move the mouse cursor over the "evil eye" (try it) you can see the actual warning. This works in the Department's webmail using any mainstream web browser,¹ in Thunderbird, and in many other popular mail programs.² As neither the eye symbol nor the warning is an image in the HTML sense, you can see them before you enable loading of the images in an HTML-formatted e-mail. In the warning you can sometimes find the name of the tracking company in parentheses. Clicking the eye symbol brings you to this page. The same warning information is present in an X-CS-Test-Tracker mail header.

Additionally, we try to stop the tracking attempts by converting the assumed web beacons to local inline 1-pixel images. This prevents information leakage to the tracker. We do not preclude norm-abiding³ server level delivery notices or voluntary read receipts.

As tracking identification and prevention is not perfect, some web bugs might go unnoticed and there is a slight possibility that some legitimate 1-pixel images might be interpreted as pixel tracking. Sometimes the HTML of an e-mail can be so broken that it is impossible to embed the warning. However, the information is always present in the mail header.
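The conversion described above can be sketched as follows. This is an added example, not the Department's actual filter: the detection heuristic (a remote `<img>` declared as 1 × 1), the function name `neutralise`, the header value format and the sample message are all assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Well-known 1x1 transparent GIF as a data: URI, so nothing is fetched remotely.
INLINE_PIXEL = ("data:image/gif;base64,"
                "R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7")
IMG_RE = re.compile(r"<img\b[^>]*>", re.I)
ATTR_RE = re.compile(r"""([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")

def _attrs(tag):
    """Return the tag's attributes as a dict with lower-cased names."""
    return {m.group(1).lower(): next(g for g in m.groups()[1:] if g is not None)
            for m in ATTR_RE.finditer(tag)}

def _dimension(attrs, name):
    """Read width/height from the attribute, falling back to inline CSS."""
    if name in attrs:
        return attrs[name].strip().lower().replace("px", "")
    m = re.search(rf"(?<![\w-]){name}\s*:\s*(\d+)", attrs.get("style", ""), re.I)
    return m.group(1) if m else None

def neutralise(html):
    """Return (rewritten_html, header); header is None when nothing was found."""
    hosts = []

    def rewrite(match):
        tag = match.group(0)
        attrs = _attrs(tag)
        src = attrs.get("src", "")
        url = urlsplit(src)
        remote = url.scheme in ("http", "https") and url.hostname
        if remote and all(_dimension(attrs, n) == "1" for n in ("width", "height")):
            hosts.append(url.hostname)
            return tag.replace(src, INLINE_PIXEL, 1)  # beacon is never requested
        return tag  # normal images (and legitimate layout) are left alone

    cleaned = IMG_RE.sub(rewrite, html)
    # Header name is from the page; the value format here is an assumption.
    header = ("X-CS-Test-Tracker", ", ".join(sorted(set(hosts)))) if hosts else None
    return cleaned, header

# Constructed sample message body: one ordinary logo and two tracking pixels.
SAMPLE = ('<p>Hello</p><img src="https://example.org/logo.png" width="120" height="40">'
          '<img src="https://track.example.com/o/abc123.gif" width="1" height="1" alt="">'
          "<img style=\"width:1px;height:1px\" src='http://beacon.example.net/p?u=42'>")

if __name__ == "__main__":
    print(neutralise(SAMPLE))
```

A size-based heuristic like this one shows both failure modes mentioned above: a beacon that declares no dimensions goes unnoticed, and a legitimate 1-pixel spacer image hosted remotely is rewritten as if it were a tracker.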

1 Chrome, Edge, IE, Safari, Firefox or Opera. You may have to refresh the webmail once with Ctrl-F5 or equivalent.
2 Opera Mail, Postbox, Foxmail, Mailbird, Evolution, KMail, Apple Mail, Outlook for Mac, Android Mail, iOS Mail
3 RFC 3461, RFC 3798.

— Petri Kutvonen, last edited January 2016