This is one of the saddest and most orwellian aspects of today's marketing. Even if you run a tight ship, your friends are bombarded with just as much force to give up not just their information, but yours as well, undermining your efforts.
A lot of people simply don't understand what little integrity email actually has.
People like to think that they can rely the sender address as an unspoofable source of truth, and do not understand that the message is just a text file, and you can make it say anything you want.
No one inspects the delivery servers or the message routing, and even that can be sufficiently obfuscated.
Using too-big-to-fail services like gmail, that attempt to provide analysis and alert you to suspicious patterns is nice, but it doesn't solve for the actual realities of handling email. Furthermore, if there were one email ring to rule them all, we'd be haunted by a more ominous problem.
Still, the level of confusion and misperception about common technology, and what is and is not possible, is clearly as big a problem on its own. It sucks that people are left with such superstitious paranoia, because they don't understand how naked they actually are.
What patterns? This doesn't have any obfuscation it's basic web for.... A long time now.
What are email providers supposed to be solving here? The reality is as an individual it's up to you how your mail client behaves and what emails you decide open or not... The hidden reality of the email situation for on the sender side is that it's getting increasingly hard to even send mail as an avg entity instead of outsourcing the problem to google/aws/mailchimp/whoever and that's not an accident.
As for your mail: almost every marketing/transactional/non-personal you've had over the last few years will have 'completely unique to you and that /specific/ message' urls for things like the images (if they're not inlined), tracking pixels, and especially the links you can follow from the mail which allows the marketers/esp's to see who has opened it, who clicked, who didn't and so on. If there's html/js allowed then we'll be watching which parts your mouse hovers over, how fast you scrolled, which parts you actually read and so on. Do a tcpdump while you read some mails from amazon or someone and see what you find when you move your mouse around.
Hopefully that isn't news to anyone. This has been happening for ages. If a non-transactional mail is going to 100k people then for example the banner image at the top will have 100k urls the webserver will serve it which is how you track that stuff without cookies..
To explain further, mails more often than not today are viewed in a browser (even the 'fat' mail apps like mail.app or I presume outlook use 'embedded browsers/web views' which are the same) these all happily send the cookies you've got kicking around from your normal sessions for those domains on the images, which, are then matched up with whatever else you'll do on said site (or even better, if the tracking is coming from a diff domain and multiple sites use the same provider then we'll be tracking you across a lot of dofferent places (see: omniture, google, etc) -- generally a MSP/tracking provider can't give a client access to what a user in a given segment might be upto on sites that they don't own, but the SP certainly knows and the biggest one also controls a lot of the ads...).
What's one email ring?
edit: Email providers do have some protections too, though. SPF has been around for ages which if you're not the MX ip and don't have the record for the domain you're FROM'ing gets you on bumped up the process of making the shitlist on the big MX's at least (gmail, hotmail, whoever). Finally getting listed means they won't accept mails from that IP for 24 hours (I assume it's 24 hours simply because it'd be insane to sustain an actual blacklist longer than that on the scale things are today, and that stops people having to request removal after hacks or whatever..
Things are getting better with DKIM and DMARC too...
The email message contents say the sender
is joe@example.com but the originating
mail server is owned by advertiser-d00dz.net
and was routed through cdns and isps that
example.com is not known to operate, based
on a wide swath of reliable analytics from
several million other messages previously
processed and known to be legit example.com
messages.
Those are patterns that very large email providers know about.
But if you are running your own mail server, and using squirrel mail, you, a lone individual cannot analyze mass traffic patterns.
One Ring To Rule Them All:
Everyone only uses gmail, and there is no
other provider, resulting in monoculture,
and we all get spied on, not just by the
NSA, but The Corporation too, but at least
there's no spam. That last guy that tried
spamming was turned into soylent green.
As for pixels, uh, images don't automatically load for all people. I haven't permitted a banner image to load in eons.
I also don't visit links that I cannot understand, especially for domains I don't recognize, but that's because I know better.
Yes, yes, cookies, web mail, javascript, event bubbling and capturing, hovering, ajax, json, oh noes. I get it. We get it. We all get it. But grandma does not.
Google's big, sure, but they're not the only show in town (comscore's yearly thing is pretty easy to google0.
The patterns bit isn't really how this works. There are no real analytics being done on the messages coming in from example.com to check if it's from 'the same place as it normally is' in that manner. It would require enormous resources and that problem was solved by SPF way back in the 00's (or before).
Your Example.com will usually delegate a subdomain (dns) to a big mailer (like mailchimp, sendgrid, j33t-haxx0rz.ru or whoever) if they're going to be doing a lot of mails. The delegate will create/maintain a load TXT record (that's SPF) which is really just a list of hostnames (like 'mailer1.foo_emailcompany.com') which then have sort of proved that they are authorized to send mail as foo.example.com. The mailservers at google or wherever which then recieve these will lookup the txt records for the sender as part of their spam scoring mech during the mail arrival, and will use it as part of the scoring mech (but not the complete one).
Your big mail proivders will be using 1000's of IPs to do a single mailing at times, so there is really no other way this sort of thing can work. DKIM uses a similar approach but utilizes signing to get there..
edit: also, probably <1% of people don't/won't view images in their mails, which is sort of the point here regardless of what we personally do......
> also, probably <1% of people don't/won't view images in their mails, which is sort of the point here regardless of what we personally do......
I mean, I just use hotmail. Have done for 15 years probably. If Microsoft judge the email to be dubious they won't load any of the non text content unless I tell them to.
I assume that google or yahoo or whatever other email host does the same thing.
Whoa. I'm really not even sure if that's satire or not which is pretty good going..
Such a statement, here of all places, really has to be; but maybe I've been awake for too long and, as a result my faith in general sanity has run too low for me to be totally sure you don't actually mean it...
Bravo at least for making me question myself before replying!
On the off chance you're being genuine.. Ye.. Wha.. Yo.. Er. Christ. I mean. Aww.. Er. Really? Er. head pat.. And I guess, err, sorry... Things are much, much worse than you imagine and we should all be paying more attention to where this is going.
Oh, I'm just talking about how things work at the moment with tracking etc (source: I built a system which does this sort of thing on a decent scale).
Maybe we'll get to cyberpunk distopia you describe later tho :}
That 'what if', btw, is actual reality these days if you replace 'corporation' with 'government'.
While any given provider might get huge, the distributed nature of this thing we made really means the only folks who can realistically obtain the sort of 'total' power which such a monopoly would create are the state actors; and they're already doing this. We all watch the news, right?
It seems like we're talking about different things, or maybe I'm just not really getting your point. The problems we have are not this theoretical push towards massively powerful orgs (which is a thing, sure) -- but the govts which are inside all of these guys.
Either way, we're too late to do much about it I guess.
I'll be over there with the tinfoil hat and no social media accounts :P
They send a different URL to each person, encoded with an identifier that has the email built into it.
Alternately, there are advertising companies that do web page -> email retargeting by buying data from companies that have your email address and correlating it with cookies in your browser.
"just from you clicking a link in your email"
I first thought this was sarcastic. People here genuinely didn't know that whenever you just open(look at) an email, you risk sending a ping to an 'image-content' server?
Siri can understand what you say. I'm not saying the person was right, but is it really far fetched? IIRC gmail already targets ads based on your email content (ie conversations).
facebook was found to be doing the same thing. Voice is just some data, companies have teams of engineers working on efficiently extracting that datastream and using it to sell you ads.
Orwell never predicted we'd be paying for the always on microphones to be installed in our homes ourselves, and be happy about them.
It seems most folks don't even see or care about where it's leading us.
Personally? It's almost ostracising to express strong opinions on this sort of thing even to our tech peers.
If you've also worked on tech which provides or enables this sort of invasion, then its hard for us not to really care about how we're doing nothing to stop it or to understand why we're not more angry.
Trying to get a dialogue going on it just makes people think you're a step away from being the crazy person with the tinfoil hat...
25 comments
[ 2.6 ms ] story [ 71.6 ms ] threadI'm curious. How did the furniture company get your email address, just from you clicking a link in your email? Anyone?
People like to think that they can rely the sender address as an unspoofable source of truth, and do not understand that the message is just a text file, and you can make it say anything you want.
No one inspects the delivery servers or the message routing, and even that can be sufficiently obfuscated.
Using too-big-to-fail services like gmail, that attempt to provide analysis and alert you to suspicious patterns is nice, but it doesn't solve for the actual realities of handling email. Furthermore, if there were one email ring to rule them all, we'd be haunted by a more ominous problem.
Still, the level of confusion and misperception about common technology, and what is and is not possible, is clearly as big a problem on its own. It sucks that people are left with such superstitious paranoia, because they don't understand how naked they actually are.
What are email providers supposed to be solving here? The reality is as an individual it's up to you how your mail client behaves and what emails you decide open or not... The hidden reality of the email situation for on the sender side is that it's getting increasingly hard to even send mail as an avg entity instead of outsourcing the problem to google/aws/mailchimp/whoever and that's not an accident.
As for your mail: almost every marketing/transactional/non-personal you've had over the last few years will have 'completely unique to you and that /specific/ message' urls for things like the images (if they're not inlined), tracking pixels, and especially the links you can follow from the mail which allows the marketers/esp's to see who has opened it, who clicked, who didn't and so on. If there's html/js allowed then we'll be watching which parts your mouse hovers over, how fast you scrolled, which parts you actually read and so on. Do a tcpdump while you read some mails from amazon or someone and see what you find when you move your mouse around.
Hopefully that isn't news to anyone. This has been happening for ages. If a non-transactional mail is going to 100k people then for example the banner image at the top will have 100k urls the webserver will serve it which is how you track that stuff without cookies..
To explain further, mails more often than not today are viewed in a browser (even the 'fat' mail apps like mail.app or I presume outlook use 'embedded browsers/web views' which are the same) these all happily send the cookies you've got kicking around from your normal sessions for those domains on the images, which, are then matched up with whatever else you'll do on said site (or even better, if the tracking is coming from a diff domain and multiple sites use the same provider then we'll be tracking you across a lot of dofferent places (see: omniture, google, etc) -- generally a MSP/tracking provider can't give a client access to what a user in a given segment might be upto on sites that they don't own, but the SP certainly knows and the biggest one also controls a lot of the ads...).
What's one email ring?
edit: Email providers do have some protections too, though. SPF has been around for ages which if you're not the MX ip and don't have the record for the domain you're FROM'ing gets you on bumped up the process of making the shitlist on the big MX's at least (gmail, hotmail, whoever). Finally getting listed means they won't accept mails from that IP for 24 hours (I assume it's 24 hours simply because it'd be insane to sustain an actual blacklist longer than that on the scale things are today, and that stops people having to request removal after hacks or whatever..
Things are getting better with DKIM and DMARC too...
But if you are running your own mail server, and using squirrel mail, you, a lone individual cannot analyze mass traffic patterns.
One Ring To Rule Them All:
As for pixels, uh, images don't automatically load for all people. I haven't permitted a banner image to load in eons.I also don't visit links that I cannot understand, especially for domains I don't recognize, but that's because I know better.
Yes, yes, cookies, web mail, javascript, event bubbling and capturing, hovering, ajax, json, oh noes. I get it. We get it. We all get it. But grandma does not.
The patterns bit isn't really how this works. There are no real analytics being done on the messages coming in from example.com to check if it's from 'the same place as it normally is' in that manner. It would require enormous resources and that problem was solved by SPF way back in the 00's (or before).
Your Example.com will usually delegate a subdomain (dns) to a big mailer (like mailchimp, sendgrid, j33t-haxx0rz.ru or whoever) if they're going to be doing a lot of mails. The delegate will create/maintain a load TXT record (that's SPF) which is really just a list of hostnames (like 'mailer1.foo_emailcompany.com') which then have sort of proved that they are authorized to send mail as foo.example.com. The mailservers at google or wherever which then recieve these will lookup the txt records for the sender as part of their spam scoring mech during the mail arrival, and will use it as part of the scoring mech (but not the complete one).
Your big mail proivders will be using 1000's of IPs to do a single mailing at times, so there is really no other way this sort of thing can work. DKIM uses a similar approach but utilizes signing to get there..
edit: also, probably <1% of people don't/won't view images in their mails, which is sort of the point here regardless of what we personally do......
I mean, I just use hotmail. Have done for 15 years probably. If Microsoft judge the email to be dubious they won't load any of the non text content unless I tell them to.
I assume that google or yahoo or whatever other email host does the same thing.
Such a statement, here of all places, really has to be; but maybe I've been awake for too long and, as a result my faith in general sanity has run too low for me to be totally sure you don't actually mean it...
Bravo at least for making me question myself before replying!
On the off chance you're being genuine.. Ye.. Wha.. Yo.. Er. Christ. I mean. Aww.. Er. Really? Er. head pat.. And I guess, err, sorry... Things are much, much worse than you imagine and we should all be paying more attention to where this is going.
Not gmail specifically. Insert any named service into that role as placeholder. Yahoo, hotmail, gandi.net.
That entity becomes The One Ring, when they control the monopoly, and can read everyone's mail.
I would have thought my euphemism was obvious, but gee, I guess not.
Maybe we'll get to cyberpunk distopia you describe later tho :}
That 'what if', btw, is actual reality these days if you replace 'corporation' with 'government'.
While any given provider might get huge, the distributed nature of this thing we made really means the only folks who can realistically obtain the sort of 'total' power which such a monopoly would create are the state actors; and they're already doing this. We all watch the news, right?
It seems like we're talking about different things, or maybe I'm just not really getting your point. The problems we have are not this theoretical push towards massively powerful orgs (which is a thing, sure) -- but the govts which are inside all of these guys.
Either way, we're too late to do much about it I guess.
I'll be over there with the tinfoil hat and no social media accounts :P
Alternately, there are advertising companies that do web page -> email retargeting by buying data from companies that have your email address and correlating it with cookies in your browser.
I don't use web clients to access email, so my question is, do web mail clients load remote content automatically?
I'm a little skeptical of that one.
Siri can understand what you say. I'm not saying the person was right, but is it really far fetched? IIRC gmail already targets ads based on your email content (ie conversations).
It seems most folks don't even see or care about where it's leading us.
Personally? It's almost ostracising to express strong opinions on this sort of thing even to our tech peers.
If you've also worked on tech which provides or enables this sort of invasion, then its hard for us not to really care about how we're doing nothing to stop it or to understand why we're not more angry.
Trying to get a dialogue going on it just makes people think you're a step away from being the crazy person with the tinfoil hat...