 |  | LrdVader
Premium
join:2003-12-18
San Diego, CA
| Re: Ummmmmmm ok. said by Logan 5  :
What's next? Forcing Microsoft to remove the delivery and read reciept notifications from Outlook???
That's far from the same thing. Any decent mail client will put in control of whether or not read receipts are sent. If you want to, you can be notified and prompted before any receipt is sent.
These tracking services use spammer-style web bugs and HTML tricks to convince your client to rat you out, even if you've chosen not to send receipts. There's a big difference between requesting a receipt, and trying to sneak one out without your knowledge or consent. | |
| | | hescominsoon
join:2003-02-18
Brunswick, MD | Re: Ummmmmmm ok. this can be easily defeated..in outlook/OE read all mails in text mode..in mozilla just tell it not to load remote images..problem solved.
--
God Blesshttp://www.emmanuelcomputerconsulting.com-- carpe ductum -- "Grab the tape" | |
| | | | | 
richk_1957
If ..Then..Else
Premium
join:2001-04-11
Minas Tirith
| Re: Ummmmmmm ok. said by nixen :
Even then, both sender and recipient must be in the same Exchange system.
I don't think so. I've sent stuff to my home e-mail address from work [and I always ask for a read receipt]. And when I got home & checked my e-mail, there it was, the receipt question. Now we are using exchange 2004 in work and I don't think my ISP is using the same and anyway, we're not on the same domain. | |
| | | | | | | | |
richk_1957
If ..Then..Else
Premium
join:2001-04-11
Minas Tirith | Re: Ummmmmmm ok.  You're right. I stand corrected. | |
| | | fonemann13
Premium
join:2004-05-10
Bloomingdale, GA | LOL I love your sig quote! | |
| | 
Logan 5
Technical Difficulties - Please Stand By
Premium,MVM
join:2001-05-25
The WasteLAN
 ·Pacific Bell - SBC
| said by lrdvader:
These tracking services use spammer-style web bugs and HTML tricks to convince your client to rat you out, even if you've chosen not to send receipts. There's a big difference between requesting a receipt, and trying to sneak one out without your knowledge or consent.
Any chance of some proof to back this statememt up? I have not seen anything to indicate that this servce is malware or spyware. I'm not saying that maybe it isin't those things, but so far it has yet to be proven because the article has scant real information...
Can you please point out to me where in their Terms of Use for the product that it states that they use spyware or spam tricks? »www.didtheyreadit.com/index.php/···#privacy
Here's a link to a support FAQ that talks about the LACK of spyware in the product: »www.didtheyreadit.com/index.php/···#spyware
--
"Many times a good overclock is nothing more than running an 'under-clocked' chip at it's true speed...." - L5, 7/3/04 | |
| | | bebenj1
join:2004-07-03
Pittsburgh, PA
| Re: Ummmmmmm ok. said by Logan 5 :
said by lrdvader:
These tracking services use spammer-style web bugs and HTML tricks to convince your client to rat you out, even if you've chosen not to send receipts. There's a big difference between requesting a receipt, and trying to sneak one out without your knowledge or consent.
Any chance of some proof to back this statememt up? I have not seen anything to indicate that this servce is malware or spyware. I'm not saying that maybe it isin't those things, but so far it has yet to be proven because the article has scant real information...
Can you please point out to me where in their Terms of Use for the product that it states that they use spyware or spam tricks?
Have someone send you an email through this service, retrieve it with an email client that allows you to view the /FULL/ source of the HTML message, and examine that message - you will see that it contains additional HTML tags that were NOT part of the original message.
If you check the FAQ section on the company's site, you'll find "Does it work with non-HTML mail clients" and the answer "in short, no."
A "webbug" is often a 1x1 pixel transparent GIF image. What happens, is that when the HTML document (email in this case) is actually viewed, the client software will retrieve that invisible image. When it retrieves it, the server that it retrieves from then knows that the particular bug being retrieved indicates that the message it was hidden in has been viewed, it will know the IP address of the viewer, what software was used to read the message, etc. (Try »showmyip.com and scroll down - this is all information that is available to a server when an HTML request is made)
In order to also know how long the message was viewed, a more complex approach is required, but the same basic idea holds - something non-visible is added to the HTML of the email message. (for the technically inclined, the only way to determine how long the email was open is to either have dynamic content, IE constantly updated as long as the message is open, or embed some script, IE using the onclose() trigger to reconnect to the server when the message view is closed)
j | |
| | | LrdVader
Premium
join:2003-12-18
San Diego, CA
| said by Logan 5 :
Any chance of some proof to back this statememt up? I have not seen anything to indicate that this servce is malware or spyware. I'm not saying that maybe it isin't those things, but so far it has yet to be proven because the article has scant real information...
Sure. Here's a thread from another forum where this service was discussed, including posted full source from a test message showing the web bug:
»www.emailaddresses.com/forum/sho···id=21830
This particular service seems to stop at web bugs, but they have competitors that are slimier. Here's a nice discussion, on the same forum, of readnotify.com, which provides the same basic service but uses dirtier tricks (includes links to some pages dissecting those tricks):
»www.emailaddresses.com/forum/sho···id=22267
said by Logan 5 :
Can you please point out to me where in their Terms of Use for the product that it states that they use spyware or spam tricks? »www.didtheyreadit.com/index.php/···#privacy
Of course they aren't going to say "We use spammer tricks!" in their own TOU. But they don't say they don't, either. The privacy policy says they don't keep copies of messages - which is probably true, since that's not the point of the service. The point of the service *is* to spy on message recipients on behalf of senders, so of course there's absolutely nothing in the policy to preclude that.
said by Logan 5 :
Here's a link to a support FAQ that talks about the LACK of spyware in the product: »www.didtheyreadit.com/index.php/···#spyware
That's really more a question of definitions than anything else. If you define "spyware" as being a program that gets installed on your computer and spies on you, then their statement is true. But note exactly what that statement is. They say that the product doesn't contain spyware, not that it doesn't spy.
It's also worth noting the wording of the rest of that answer: "We respect the privacy of our users." Once again, strictly true, but misleading. They respect the privacy of their users because their users aren't the ones being spied on. They don't say a word about the privacy of the recipients of their bugged messages, since they're in the business of violating that. | |
| | | 
keith2468
Premium,MVM
join:2001-02-03
Winnipeg, MB
edit:
July 3rd, @11:49PM
| From their website it sounds invasive enough for me:
»www.didtheyreadit.com/index.php?···&affad=1
quote:
When you use didtheyreadit, every e-mail that you send is invisibly tracked without alerting the recipient.
But when they read your message, you will immediately receive the following information:
1 When, exactly, your email was opened.
2 How long your email remained opened.
3 Where, geographically, your email was viewed.
If you read the ruling, the basis is that the user doesn't know the tracking is going on, can't refuse the tracked email and have it returned to sender, and that personal information is gathered, recorded and transmitted in violation of French law.
As the others noted, MSOE, Netscape email, and other email clients let you know when you are about to open a tracked email, or let you have the option of sending an acknowledgement or not. And those acknowledgements only reveal that the email was opened.
So using didyoureadit's service is illegal for French residents, businesses and organizations.
If didtheyreadit is doing something milder in the USA or UK, why are they being so invasive and secretive in France?
And if didtheyreadit isn't being so invasive and secretive in France, how could their legal team have messed up so badly presenting the evidence to the court?
More likely didtheyreadit's website is was created to fulfill marketing objectives just like the websites of most companies, and is omitting details.
I'm sure their legal team did the best job they could of putting the best appearance on didtheyreadits services. And inspite of that, the prosecution was able to successfully make the case that the service contravened French laws on privacy and data protection.
--
(Virus&Hijacking FAQ+Submit suspected malware+Security FAQ) | |
| |
Logan 5
Technical Difficulties - Please Stand By
Premium,MVM
join:2001-05-25
The WasteLAN
·Pacific Bell - SBC
| bebenj1: So what if you have outlook 2003 set to automatically block the display of images in the preview pane? Would it not then block the webbug and defeat the purpose of this program?
Also, even if it does contain HTML tags that are not as you say part of the original message, how are they spy or malware?
I thought that the tracking feature was how this software worked..
Or are you saying that anyone who uses a webbug or adds extra HTML code to an email message is a spammer or ???
--
"Many times a good overclock is nothing more than running an 'under-clocked' chip at it's true speed...." - L5, 7/3/04 | |
| | | LrdVader
Premium
join:2003-12-18
San Diego, CA
| Re: Ummmmmmm ok. said by Logan 5 :
Also, even if it does contain HTML tags that are not as you say part of the original message, how are they spy or malware?
Neither of us ever said that those HTML tags were spyware; by most definitions of the word, they aren't. They certainly *are* being used to spy on people, though.
said by Logan 5 :
Or are you saying that anyone who uses a webbug or adds extra HTML code to an email message is a spammer or ???
Again, the assertion was not that all users of this service are spammers. Most of them probably aren't. It was that users of this service and other services like it are using some of the same tricks that are frequently used by spammers to track their victims; which they definitely are. | |
| |
Logan 5
Technical Difficulties - Please Stand By
Premium,MVM
join:2001-05-25
The WasteLAN
·Pacific Bell - SBC
| Outlook 2003 also has the "Display HTML images in email messages" feature disabled by default. It's prompts you if you want to d/l images from messages and warns yoou that you can still be tracked if you accept them.
--
"Many times a good overclock is nothing more than running an 'under-clocked' chip at it's true speed...." - L5, 7/3/04 | |
| 
Nerdtalker
Working Hard, Or Hardly Working?
Premium,MVM
join:2003-02-18
Tucson, AZ
clubs:
 ·Comcast
| France? Since when do politicians understand computers enough to make any legislation that affects it. France has other bigger problems...
I mean, really, people will still use the software, or simply stick some web-bugs into their e-mail. Legislation or not...
--
Touch a thistle timidly, and it pricks you; grasp it boldly, and its spines crumble. -William S. Halsey | |
| |
keith2468
Premium,MVM
join:2001-02-03
Winnipeg, MB | Re: France? Let us explore the logical consequences of that line of logic.
People still kill people, legislation or not. So why have laws against murder?
Legislation stops some people. It is the same thing. | |
| 
MEDIAN2k3
THIS IS A 91 HONDA HOW DARE YOU
Premium
join:2002-12-04
Bronx, NY
clubs: | aol? doesnt aol have some of these abilitys with their email client? | |
| Zorglub
join:2000-11-18
Fremont, CA
| Okay, I read the French article The CNIL (acronym for National Commission on Information Systems and Liberties) says that the collection of personal information such as name, OS, etc. without the consent of a person is illegal under French law. Apparently, the service in question tracks e-mail and collects informatin on the recipient behavior/personal information without the recipient's knowledge.
They then go on to say that the use of said software by a company or person located in France is illegal under French law.
I don't see anything earth shattering there. Now, as we all know, a lot people will probably break the law and nobody will care until somebody gets caught and fined heavily. | |
| | | | | Zorglub
join:2000-11-18
Fremont, CA
| Re: Okay, I read the French article I don't think you understand their law. The point is that it's illegal over there to collect personal information about anybody without their consent. It's a very strong privacy law, some of which we could use out here where anybody can get your SS and other personal info for $50 on the net.
However, it has nothing to do with e-mail biting...  | |
| |
keith2468
Premium,MVM
join:2001-02-03
Winnipeg, MB | CWS far less invasive of privacy than this People in the BBR security forum volunteer hours every day trying to fight spyware and hijackware that is far less invasive of personal privacy than this service. | |
| 
rstrandb
Premium
join:2003-04-17
Albany, GA | So I guess certified mail is illegal too? Hooray for the French, good thing I live in America. | |
| | | | | r0x0rz
join:2003-03-02
Canada
| Re: So I guess certified mail is illegal too? said by KALIROB2k4 :
If they cant deal with it maybe they shouldnt get on it
So you would rather just allow spammers and those working with them to grow and grow without even attempting to slow them down? Anything that makes those companies not able to aquire information without my knowledge is a good thing to me.
Nice move by France | |
| | | | | | | | | | |
keith2468
Premium,MVM
join:2001-02-03
Winnipeg, MB
| Re: Um.... take a peek how it works.... Yes.
quote:
When you use didtheyreadit, every e-mail that you send is invisibly tracked without alerting the recipient.
But when they read your message, you will immediately receive the following information:
1 When, exactly, your email was opened.
2 How long your email remained opened.
3 Where, geographically, your email was viewed.
--
(Virus&Hijacking FAQ+Submit suspected malware+Security FAQ) | |
| | | | | 
nixen
Rockin' the Boxen
Premium
join:2002-10-04
Alexandria, VA
·Cox HSI
·Speakeasy
| Re: Um.... take a peek how it works....For what it's worth, I did sign up for a test account and sent myself a message. The email came with the following embedded in it:
<br><img src="http://didtheyreadit.com/f253ed7b9202ad099bbda626ce87064eworker.jpg" width="
*1" height="1" />
(*) WARNING 1 long line(s) split
Received: from dtri1.rampellsoft.com (dtri1.rampellsoft.com [69.90.152.224])
(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
(No client certificate requested)
by mail.testdomain.com (Postfix) with ESMTP id A15274E427
for <spammenot@testdomain.com>; Sun, 4 Jul 2004 14:47:01 -0400 (EDT)
Received: from dtri1.rampellsoft.com (localhost.localdomain [127.0.0.1])
by dtri1.rampellsoft.com (8.12.8/8.12.8) with ESMTP id i64ImoLx029445
for <spammenot@testdomain.com>; Sun, 4 Jul 2004 14:48:50 -0400
At any rate, you can either firewall out the appropriate connections, add their mail servers to your mailserver blacklists, or set your mail server to do a body check and do an auto-bounce whenever it receives something such as the above.
Me? Currently, the anti-SPAM tools installed in my mail servers already strip out the offending code (thanks MIMEDefang ). I may or may not decide to get more rude with my processing, depending on whether or not I start seeing much of their bugging show up in my logs. If I start to, then I'll simply start auto-bouncing the bugged emails.
-tom
--
"There are 10 types of people in the world... those who understand binary and those who don't."
"That's only 2 types of people, moron" | |
| 
dervari
join:2000-01-17
Atlanta, GA
clubs: | Just say NO Set your firewall policies to deny http to didtheyreadit.com
Problem solved. | |
| | | | | 
Karl Prince
@co.uk
| Re: Just say NO I block them at the mail server using the »ahbl.org blocking list which has added the didtheyreadit.com servers to their list.
This blocking list can also be used by anti spam software (eg spamassassin) to get the same effect.
One of their addresses is 69.90.152.225, so you could also just black their whole network at the router / firewall
Rusko enterprises PEER1-RUSKO-06 (NET-69-90-152-0-1)
69.90.152.0 - 69.90.152.255
Be careful out there | |
| | 
RR Conductor
RailRoadDude
Premium
join:2002-04-02
Redwood Valley, CA | Thanks dervari, didtheyreadit.com is now blocked in my Netgear WGT624! Take that ya sneaky peeps! | |
|
keith2468
Premium,MVM
join:2001-02-03
Winnipeg, MB
edit:
July 3rd, @11:26PM
| I've cleaned up the translation--it is fair Zorglub is right, most of the people who hang out in the BBR Security Forum and other security forums elsewhere on the Internet would applaud this action by a court -- if it were a US court.
quote:
The American corporation, Rampell Software, has been marketing a new service for tracking electronic entitled mail "Did they read it?" (in French « THE did THEY read? ») since the end of May. This service allows subscribers to determine if addressees of their electronic messages have read, when they read, how many times they read the message, and whether the addressee forwarded the message. The subscriber can also determine the web browser and operating system used by the addressee.
The process occurs completely without the knowledge of the addressees of the electronic messages. In contrast with conventional email software, the addressee does not have the choice of accepting the tracked email, or refusing read the email and letting it return to the subscriber of "Did they read it?". The addressee doesn't even know the tracking is going on behind the scenes.
On principle, the CNIL can only to rule against such a process: The collection and recording of such personal information and transmitting detailed information on the personal matter of how the email was handled by the addressee. Such collection carried out without the knowledge of the addressee, contravenes the data protection law of January 6 1978, precisely of item 25, relating to data processing, that forbids the collection of personal data in ordinary circumstances, without permission or secretly..
The CNIL notes that the breaking of this law is punishable by five years imprisonment and a fine of FF300,000(item 226-18 penal code).
Consequently, CNIL warns French businesses, administrations and the general public that it is illegal for French residents to subscribe to "Did they read it?".
I hope Canadian and US courts rule similarly about this and other spyware.
--
(Virus&Hijacking FAQ+Submit suspected malware+Security FAQ) | |
| 
mohito
Premium
join:2003-09-29
New York, NY |  It's France, did you expect otherwise?
| |
|
nixen
Rockin' the Boxen
Premium
join:2002-10-04
Alexandria, VA
·Cox HSI
·Speakeasy
| What I Particularly Dislike Is... All other issues aside, the fact that email sent to me via their subscribers has to transit their mail system. That means, if they want to (and this would definitely help them support their service), they could gather lists of "known good" email addresses and sell them to SPAMmers. Even worse, since the mail has to go through their systems, they could retain copies, eventually alter emails by adding targeted marketing based on message content (a la GMail), or worse.
Nosir, I don't like it. It would almost have been better had this only been some kind of mail client plug-in. That way, it could locally alter the message, putting the tracking bugs in before sending, rather than having to pass through their servers. As it is, even if my mail client defeats their tracking bugs, an AWFUL lot of other information is still in their hands.
-tom
--
"There are 10 types of people in the world... those who understand binary and those who don't."
"That's only 2 types of people, moron" | |
| | | |
|
|
Did They Read It?
Ummmmmmm ok.
I totally agree its not right, but I mean bugs like this and spyware are just facts of the internet now. If they cant deal with it maybe they shouldnt get on it.:p