How to track mail undetectably?

15

7

As far as I have searched, there are many third-party email tracking systems, and many of them are in the form of add-ons for Gmail.

I have tested two of them, and they work fine when the recipients are using the Gmail or Yahoo web clients. But when they use MUAs (Mail User Agents) like Outlook or Thunderbird, a warning message is shown that "remote content is blocked", and as a result, no delivery report is sent. They can open the emails without any notifications.

Is there a way to track emails undetectably, so no one can detect that emails are being tracked?

I should mention that I am only concerned about the mail being read, not gathering data.

Sd Hosseini

Posted 2019-06-27T20:00:05.537

Reputation: 285

3

Mozilla may block the tracker in Gmail; see Content Blocking in Mozilla support. My guess is, you did not test Gmail under the configuration. Some stuff stops working as expected with Content Blockers, like reading articles online. I often get an [incorrect] message stating "Enable ads, please" when I really blocked a tracker. That is the price we pay to stop unscrupulous miscreants who attempt to abuse users.

– jww – 2019-06-28T06:10:20.990

32

Many client developers would consider the existence of such a mechanism as a serious bug and work to prevent it.

– pjc50 – 2019-06-28T08:25:55.133

2

Why do you want to do this?

– Thorbjørn Ravn Andersen – 2019-06-28T14:27:09.783

1

You can track if a mail is delivered (and when) e.g. if you own the SMTP. If the mail is a link to a page you own, well it can be tracked in the meaning that if you own the server you can know when that content was requested (and from which IP)... So indirectly you know it was read.

– Hastur – 2019-06-28T15:29:13.473

22

The "undetectably" part is the problem. You should not be attempting to trick or deceive your users. Such behavior is why software has to work so hard to prevent such malicious activity. If you really want to know if somebody read your email, "ask" them, whether manually or with automated tools. The fact you are trying to do it in a clandestine manner is what puts you in opposition to end users and the software that is designed for them. If you remove that requirement, you may have better options.

– DKing – 2019-06-28T15:30:24.817

8

The main motivation I can think of for wanting to do this undetectably is if someone is a spammer. They want to find out which emails on their mailing list are actually going to a recipient, and they want it to be automatic and undetectable because their interests are inimical to those of the recipient.

– Ben Crowell – 2019-06-28T18:18:35.550

Why should a read confirmation from the recipients be illegal or intrusive? Many instant messaging applications show read status for the messages by default. If someone doesn't like this feature, he can disable it, and it will be disabled for his sent messages also. Knowing whether your sent mail is read or not is the sender's right. The recipient should reply, or even acknowledge that the mail has been received, whether he wants to answer or not. – Sd Hosseini – 2019-06-29T14:00:49.773

1

It is worth noting that Outlook supports email tracking natively (https://support.office.com/en-us/article/add-and-request-read-receipts-and-delivery-notifications-a34bf70a-4c2c-4461-b2a1-12e4a7a92141). It isn't "undetectable", but it does have the advantage that when the reader opens the message, instead of being told about "unknown content" that could read their social media passwords and suck blood from their firstborn babies, they will be told that they got a read receipt and know exactly what it is.

– TheHansinator – 2019-06-30T07:04:46.500

2

@SdHosseini This simply isn't the case; if you instead wrote paper letters and mailed them to these users, you would not know if they had received them (save for a service like requiring a signature, but even that isn't reliable, as a secretary could sign for it but it could still get lost after that, plus the user would know you had done so). There is no implicit right to know if an email reached its destination any more than there is for a letter. (It's an extra service, optional, and the recipient knows you used it.)

– Vality – 2019-06-30T17:37:56.780

1

Deeply unethical question.

– iono – 2019-06-30T21:46:45.657

Answers

76

Is there a way to track emails, so no one can detect that emails are being tracked?

No.

If email is tracked it must communicate that information somewhere and therefore must leave a footprint of some kind.

You can use such tricks as a unique image (i.e. the image is only in the email to one recipient ever) and watching the web server to see if the image is accessed, but this will only work if the user loads the images in email, which doesn't always happen, which you've experienced with Thunderbird. How much content is loaded is decided by a user's settings and so isn't something you can control.

Some companies will provide a link in an email 'can't read this email? click here to view online' which is basically the same thing, but instead of an image online they present the entire email's content again, under the guise of 'helping you' when in fact it's all about tracking you.

DavidPostill

Posted 2019-06-27T20:00:05.537

Reputation: 118 938

34

Should be noted that image access is definitely not an indicator of read status, because some email clients (including the rather popular Gmail webapp!) will download images before emails are opened. Sometimes, without the user ever logging in or maybe even existing (for caching/antispam/antivirus purposes).

– Bob – 2019-06-28T04:58:21.147

7

Note that while gmail does display images in emails, they are not pulled from external servers, but from Google's own cache. Most likely for this particular reason, to prevent tracking.

– Marandil – 2019-06-28T06:15:30.173

3

@Marandil But those images must have been pulled from the external server in the first place to get into Google's cache.

– TripeHound – 2019-06-28T07:13:07.563

6

@TripeHound But, as noted by Bob, the fact that the image was pulled says nothing about the time it was opened, whether it was opened, and even whether the recipient account exists.

– Xan – 2019-06-28T07:29:33.293

@Xan Agreed: it will tell the sender when it got to Google's servers (i.e. when it grabbed the image to cache it) not if/when it was opened by a human. Depending on what Google does with emails for non-existent accounts, it's possible that the sender can tell an account exists (e.g. if Google throws away such messages and doesn't inspect/download images etc.). – TripeHound – 2019-06-28T07:36:31.470

2

I think Google only fetches and caches the image when you open the e-mail. So you can still use embedded images to learn if someone opened an e-mail, but you at least can't find out anything from the request headers (e.g. what browser they are using, etc.) (citation: https://support.google.com/mail/answer/145919?co=GENIE.Platform%3DDesktop&hl=en)

– Ben Millwood – 2019-06-29T11:18:56.280

21

Short answer: No.

Longer answer:
The feature to load remote content only after the user has allowed it is mostly implemented to protect your privacy. Of course there are effects like less data usage, and maybe some people do not want to have so many images in an e-mail, but the main reason for this feature is data protection.
If there were a way around this (a feature for you as sender and person who wants to track the e-mail), this would be a bug in the protection feature and the mail program developer would hopefully fix it as soon as possible.

So what you're asking for is a hack or exploit that allows you to circumvent security measures in the client software. There may be answers for specific software, but all of them would be security bugs in the software and may get closed sooner or later.

Another remark:

Is there a way to track emails undetectably, so no one can detect that emails are being tracked?

Don't you think that this behaviour is kind of sneaky? It may even violate GDPR. If you want delivery reports, just ask the user for it.

There is even a feature in the e-mail standard for it that should be GDPR compliant, because the standard says that e-mail software should ask the user before sending the report. If you want a unified UI across different mail programs, add a link "Please click here, to confirm that you received the message".

allo

Posted 2019-06-27T20:00:05.537

Reputation: 731
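
The two mechanisms these answers describe, seen from the receiving side: an added example (not code from either answer) that audits a message for a read-receipt request and for remote references a renderer would fetch on display, which is what remote-content blocking intercepts. The sample message, its addresses and URLs are constructed, and `audit_message` and `RemoteRefFinder` are names chosen for this sketch.

```python
from email import message_from_string
from email.policy import default
from html.parser import HTMLParser
from urllib.parse import urlsplit

# (tag, attribute) pairs a renderer fetches on display, without any click.
AUTO_FETCH = {("img", "src"), ("link", "href"), ("iframe", "src"),
              ("video", "poster"), ("body", "background")}

class RemoteRefFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.remote = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        for name, value in attrs:
            url = (value or "").strip()
            if (tag, name) not in AUTO_FETCH:
                continue
            # cid:/data: content travels inside the message; only a network fetch reports back.
            if urlsplit(url).scheme in ("http", "https") or url.startswith("//"):
                tiny = a.get("width") in ("0", "1") and a.get("height") in ("0", "1")
                self.remote.append({"tag": tag, "url": url, "tiny": tiny})

def audit_message(raw):
    """Return the read-receipt request and the auto-fetched remote references."""
    msg = message_from_string(raw, policy=default)
    mdn = msg.get("Disposition-Notification-To")
    report = {"receipt_requested": str(mdn) if mdn else None, "remote": []}
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            finder = RemoteRefFinder()
            finder.feed(part.get_content())
            report["remote"].extend(finder.remote)
    return report

# Constructed sample message (addresses and URLs are made up).
SAMPLE = """\
From: sender@example.com
Disposition-Notification-To: sender@example.com
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<p>Hello <img src="cid:logo@example.com" alt="logo"></p>
<img src="https://tracker.example.net/o.gif?id=constructed" width="1" height="1">
<a href="https://example.com/view-online">View online</a>
"""

if __name__ == "__main__": print(audit_message(SAMPLE))
```

The embedded `cid:` image and the "view online" link are not reported: the first needs no network request, and the second only contacts the server if the recipient clicks it.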