http://www.forbes.com/sites/katevinton/2015/07/28/50-of-your-emails-are-tracked-and-trackbuster-want-to-stop-it/ https://trackbuster.com/about-us
This is good news. But any content in messages that's pulled from remote sources can serve as a tracker. To be sure, use a local mail client, and disable HTML rendering. Just read text. If that's HTML code, so be it.
Which content besides pictures (one-pixel and similar) can be used to track users? Downloading pictures from external sources can be disabled in Gmail settings... The same can be set in most email clients also.
Basically, anything that would involve communications with hosts, URLs, email addresses, etc. that can be specified by the email sender or an intermediary. HTML element attributes and CSS properties that take a URL, for example. Thus the recommendations to treat email messages as plain text. Note, however, that most email clients/interfaces make an exception for hyperlinks and allow those to be clicked on. Since such a click can (and frequently WILL) expose you to tracking, you will have to independently assess links and what will happen if you click on them. Return receipts, email confirmations, whatever your email client/interface may call them: make sure these are not supported or at least disabled. Then there is the general case of emails and their contents being exposed to third parties. Commercial firms, such as email providers, CRM firms, and various other types of cloud and as-a-service firms. Plus government agencies too, obviously. There are many pieces of info within emails that can be used for tracking/profiling, so minimizing exposure of emails to third parties is paramount. Many of these exposures would occur during the origination/transmission phase and before the email even hits your email server, let alone email client. In which case, I think protection would largely boil down to making the sender change their behavior or ceasing all relationships with the sender.
Thanks, I was more interested in which HTML elements are automatically downloaded from external sources when opening HTML without user input - click on links and similar. From article: I don't think that this is entirely correct. I believe that email has to be delivered to inbox before it can be "cleaned" by their service and not the other way around. I don't know how they could intercept email between a sender and your inbox. In this case Google indexing email can index those links and by this downloading or checking external content. By this it would trigger tracking but the tracker would get false data about the user.
This is ridiculous. So what? The "cure" for this "concern"? Hand all of your e-mail contents (and access to your e-mail account) over to some company:
I understand. If I had compiled such a list, or knew of where you could find one, I would have included it. FWIW, a few searches turned up these: https://github.com/cure53/HTTPLeaks https://stackoverflow.com/questions...of-html-tag-attributes-which-have-a-url-value http://www.pageresource.com/dhtml/cssprops.htm Of course, after identifying all of the ways it might happen in a BROWSER context, you'd want to determine which of those ways would work for whichever EMAIL client/interface you are interested in.
I agree. Moreover a service such as Trackbuster has access to all incoming emails and this means confidence or not in the company. Neither skeptical nor confident: I just don't know and, therefore, why would I choose to be confident? Reading email (first) in text format with a local email client remains the best choice, IMO.
I didn't think about this, but the idea itself is interesting. Perhaps it should be offered by mail providers themselves, that would make more sense.
Especially when the email provider already reads your email, while it's at it for commercial purposes adding an anti-tracking feature for the user's sake would be just fine. GMail: "we do have a look at your email but it's also for your security" would sound nice.
Your email provider would already have access to the email, so theoretically they could do it without creating any additional party exposures. However, commercial companies are notorious for their use of third party processors/providers. It has become riskier to assume that an email provider isn't sharing email [metadata] with some external firm offering an anti-spam, anti-malware, cloud backup, and/or other type of service. By extension, it would be risky to assume that this type of service would be operated in house. You'd want to investigate such things. The URLs that are used for tracking/bugging email views, link clicking, etc. usually contain a unique identifier that is linkable to other information. Such as an account you have with a commercial company that sent the email. Sometimes, there is other sensitive information embedded within the URLs. These are arguably some of the worst URLs to expose to other parties (including email providers, especially if they are known for datamining). FWIW, it is possible to identify tracking bugs, use of third-party relays and/or links, etc. on the client device. Possibly even in webmail contexts as well, where a browser addon and/or API could be leveraged. Some would settle for the ability to post-process locally archived email, which is even easier. If it sounds interesting to someone, they should search around and see if they can find something that already exists. Many, many scripts and tools have been created to analyze email for evidence of spam. That, too, involves identifying servers/parties involved in the email delivery and identifying URLs within the message. So if you can't find an existing solution that does everything you want, and you have programming experience, you might be able to extend something that is available.
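An added example (not code from any poster in this thread) of the local post-processing described above: it parses a saved message, lists the remote URLs that HTML attributes and CSS `url()` values would fetch on render, lists link targets separately, and flags 1x1 images and long opaque identifiers. The attribute list is partial, the token rule is a heuristic, and the sample message with its hosts and IDs is constructed.

```python
import email, re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

AUTO_ATTRS = {"src", "background", "poster"}  # fetched on render (partial list)
CSS_URL = re.compile(r"url\(\s*['\"]?([^'\")\s]+)", re.I)
TOKEN = re.compile(r"[A-Za-z0-9_-]{16,}")     # heuristic for a per-recipient ID

class RefCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.refs = []

    def add(self, kind, url, pixel=False):
        p = urlsplit(url.strip())
        if p.scheme in ("http", "https") and p.hostname:  # skips cid:, data:
            token = bool(TOKEN.search(p.path + "?" + p.query))
            self.refs.append(dict(kind=kind, host=p.hostname, pixel=pixel, token=token))

    def handle_starttag(self, tag, attrs):
        a = {k: v or "" for k, v in attrs}
        pixel = (tag == "img" and a.get("width") in ("0", "1")
                 and a.get("height") in ("0", "1"))
        for name, val in a.items():
            if name in AUTO_ATTRS or (tag == "link" and name == "href"):
                self.add("auto", val, pixel)
            elif tag == "a" and name == "href":   # only fetched if the user clicks
                self.add("click", val)

def find_remote_refs(raw: bytes):
    refs = []
    for part in email.message_from_bytes(raw, policy=policy.default).walk():
        if part.get_content_type() == "text/html":
            html, collector = part.get_content(), RefCollector()
            collector.feed(html)
            collector.close()
            for url in CSS_URL.findall(html):     # style attributes and <style> blocks
                collector.add("auto", url)
            refs += collector.refs
    return refs

# Constructed sample message (all hosts and IDs are made up).
SAMPLE = (b"From: news@shop.example\nSubject: Sale\nMIME-Version: 1.0\n"
          b"Content-Type: text/html; charset=utf-8\n\n"
          b'<body style="background:url(https://cdn.shop.example/bg.png)">\n'
          b'<a href="https://click.esp.example/c/u8Fq2LmZx91KdT0aYb3c">Deals</a>\n'
          b'<img src="cid:logo"><img width="1" height="1"\n'
          b' src="https://open.esp.example/o.gif?rid=3f9c1b7e5a2d4c6e8f0a1b2c">\n')
```

Which of the "auto" entries a given mail client would actually load depends on that client, so the output is a list of candidates to check against its settings.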
While reviewing an email client I was reminded that some clients support mapping the location of email senders based on attached vCard, mapping people in your address book based on location fields, stuff like that. I'm not sure if there are any scenarios where an incoming email could automatically trigger a remote lookup, but I thought I'd mention this.
Part of why I like Fastmail so much. By default, opening an email won't lead to any tracking. Fastmail blocks third party scripts, and by default requires you to click "View as HTML" and then "Load Images" before loading content from emails. Since I prefer webmail over a dedicated email program, my emails are subject to uBlock and MBAE as well. Personally don't find it a hassle. With the email aliases where you can set up alternative addresses - the risk of phishing is drastically reduced because for example all my finances go to a particular address.
Ah, now that you mention it... something like uBlock would seem to be helpful in a webmail context. Assuming the user is blocking third-party requests while viewing the email on the webmail host's domain, and the webmail host isn't prefetching for some reason. I wanted to look at known IP addresses and host/domain names associated with an email marketing/CRM firm, and chose to search for ExactTarget at https://www.senderbase.org/. Here are some domains (hostname suffixes) that caught my eye: accountonline.com, americanexpress.com, anthem.com, bankofamerica.com, capitaloneemail.com, discover.com, e-vanguard.com, email-alliancehealth.com, farmers.com, fidelity.com, geico.com, intuit.com, lendingclub.com, medscape.com, merrilledge.com, progressive.com, searscard.com, unitedhealthcare-hmhb.com, webmd.com, webmdhealth.com, webmdprofessional.com, zillow.com. If people saw a mailserver and/or URL hostname under one of those domains, most would probably allow it based on the assumption that it is owned/operated by the well-known company they are doing business with. In general, that is even more likely if the situation involves a financial, insurance, health, or other type of company that would be expected to protect communications as best as possible. Rather than make assumptions, one should investigate the hostname and try to determine who really does own/operate the machine(s) behind it. That way, they'll make more informed decisions about allowing or blocking things. FWIW, I think ExactTarget is one of the outfits that doesn't use encryption when sending email (STARTTLS). It would be good if people investigate the encryption status of their email as well. Edit: I attempted to clarify language, and wanted to mention the following. In addition to inspecting server logs or Received lines for encryption info, another source of information would be https://www.google.com/transparencyreport/saferemail/data/. I wish it included fraction encrypted for individual email servers, but it is something.
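An added example (not from the thread) of inspecting Received lines for encryption info: it walks a message's Received headers oldest hop first and reports which hops carry a TLS indicator, either an RFC 3848 style `with ESMTPS`/`LMTPS` keyword or a `version=TLS...`/`using TLS...` comment. The two patterns cover common formats only, and the sample headers, hosts and addresses are constructed.

```python
import email, re
from email import policy

# "with" protocol keywords ending in S or SA signal TLS (ESMTPS, ESMTPSA, LMTPS, ...).
TLS_WITH = re.compile(r"\bwith\s+(\w*(?:SMTP|LMTP)SA?)\b", re.I)
# Comment styles written by some mail servers, e.g. "(using TLSv1.2 with cipher ...)".
TLS_COMMENT = re.compile(r"\b(?:version=|using\s+)(TLSv?[\d._]+)", re.I)

def hop_encryption(raw: bytes):
    msg = email.message_from_bytes(raw, policy=policy.default)
    hops = []
    for value in reversed(msg.get_all("Received", [])):  # headers are newest-first
        text = " ".join(str(value).split())              # undo header folding
        sender = re.search(r"\bfrom\s+(\S+)", text)
        receiver = re.search(r"\bby\s+(\S+)", text)
        hit = TLS_WITH.search(text) or TLS_COMMENT.search(text)
        hops.append({"from": sender.group(1) if sender else None,
                     "by": receiver.group(1) if receiver else None,
                     "tls": hit.group(1) if hit else None})
    return hops

def unmarked_hops(raw: bytes):
    """Hops whose Received line carries no TLS indicator."""
    return [(h["from"], h["by"]) for h in hop_encryption(raw) if not h["tls"]]

# Constructed sample: the hop between the sender's relay and the recipient's MX
# is the only one without a TLS indicator.
SAMPLE = (b"Received: from mx.mail.example (mx.mail.example [203.0.113.10])\n"
          b"\tby store.mail.example with LMTPS id 3; Tue, 28 Jul 2015 10:00:03 +0000\n"
          b"Received: from out.esp.example (out.esp.example [198.51.100.7])\n"
          b"\tby mx.mail.example with ESMTP id 2; Tue, 28 Jul 2015 10:00:02 +0000\n"
          b"Received: from app.esp.example (app.esp.example [192.0.2.5])\n"
          b"\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))\n"
          b"\tby out.esp.example with ESMTP id 1; Tue, 28 Jul 2015 10:00:01 +0000\n"
          b"From: news@shop.example\nSubject: Sale\n\nhello\n")
```

Received lines written before the message reached your own provider can be forged, and not every server records TLS use, so a missing indicator is a prompt to check further and not proof of plaintext delivery.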