PGP INSIGHT

PGP CTO Blog
What's next? Spyware for Email
28 Jun 2004
There's a new service called "DidTheyReadIt.Com" that automatically embeds spyware into email. If you sign up, you send someone a message and just append “.didtheyreadit.com” to the end of the address. So, for example, I might address an email to jon@pgp.com.didtheyreadit.com, and the message is then processed by the service.
The company's website tells you when someone read this email, and optionally notifies you via email when that happens. It will also (allegedly) tell you how long someone was reading it. It will even tell you the physical location of the ISP they read it from (with a link to a Mapquest map), the operating system they are running, the mail client they're using, and the language on their computer.
DidTheyReadIt.Com will let you track five emails a month for free. You can track unlimited emails for $50 per year.
How it works
The premise is simple. They put a very small (1x1 pixel) picture in the mail message, and when your mail client gets the picture, they know the IP address you read it from as well as any information the HTTP client you use (which is embedded in your mail client) sends them. The IP address, combined with WHOIS information on the Internet, can give them the geographical information.
Here's an example of a URL they embed in a message:
http://didtheyreadit.com/index.php/worker?code=...
The image is trickled slowly to the reading program, and that's how they get reading duration information. It's not overly accurate in a lot of cases. For example, I opened the URL directly in my browser, and the spyware told me that I read it for 2 minutes and 1 second, which was about how long it took them to trickle it to me in spite of the fact that I'd already had that browser window open for several hours.
How to defend against it
The simplest way to defend against this sort of spyware is to set up your email client so that it doesn't automatically load pictures. If you haven't done this already, do it now. Not only do spyware people use this approach, but lots of spammers play a similar trick. They put URLs of pictures in the spam, and these URLs encode your email address. If you load the picture, then the spammer knows that your email address received their spam and that you read it. Then they can sell you as a verified address to other people, who will also send you spam. If for some reason you feel you don't get enough spam, of course, then you should automatically load pictures. If you don't load their picture, however, then they can't spy on you.
If you run an email server, or know the people who run yours, the messages will come from the sending domain "rampellsoft.com," and you can block on that. The domain rampellsoft.com resolves to the IP addresses 69.90.152.224-226, so you could block those as well.
Turning the tables on them, you can see the information about their hosting at this URL:
http://ws.arin.net/cgi-bin/whois.pl?queryinput=!%20NET-69-90-152-0-1
This site includes address information and a phone number--probably for some poor admin who's not directly responsible--but hey, why not call or write anyway if you're offended by this whole thing?
Why spyware is bad
One of the things we teach adolescents is that just because you “can” do something doesn't mean you “should.” People “can” throw a brick through a plate glass window, read another person's diary, slip into someone else's office and look at his or her email, or count the number and kind of bottles in a neighbor's recycling bin. None of these are particularly mature things to do.
Unlike a return-receipt, DidTheyReadIt.Com is completely sneaky. It may run afoul of the California and U.S. anti-spyware laws; then again, it may not, given that it uses a bugged image rather than actual software. I still think that each instance would give the recipient of an email message a good small-claims lawsuit in California or elsewhere in the U.S. Obviously, a court might have a very different opinion, however.
Regardless of the legality, I think this sort of “service” is reprehensible. It is an inexcusable intrusion into someone else's business.
Background reading
Dickinson, John, “Rampell Releases DidTheyReadIt?” May 20, 2004
Duran, Jorna, “Email tracker: Invasion of privacy?” May 21, 2004
English, Simon, “E-mail tracker firm sparks fears over internet security,” May 25, 2004
Maney, Kevin, “Now they'll know if you read their email,” May 20, 2004
Olsen, Stephanie, “Tracker keeps tabs on your e-mail,” May 21, 2004