Introduction
We all want to track our emails for personal and professional reasons. Tracking lets us check whether an email was delivered to our friends and colleagues. This is not about read receipts, where the user receiving the email confirms its delivery.
This method of tracking email is commonly used by companies that run email campaigns to market products and services. Whenever an email is delivered to the recipient, email tracking events are generated, and these events are the same for different emails. These email tracking events are:
- Tracking email (if the email is opened or read)
- Tracking event (if the link is clicked)
- IP address of Recipient
How email is tracked
There are many online services available to track emails, but most of them are paid, and their free accounts tend to add advertisements, which give the recipient a clue that someone is watching their emails. The best option is to set up your own server for this and use a web beacon. A web beacon is a technique used to track visitors to a website or readers of an email by placing a 1 x 1 pixel image in the email or website.
This works by placing an HTML tag in the email, which triggers a web request to the server when the email is opened. In the HTML version of the email we insert an <img src> tag like this:
<img src="http://iicybersecurity-testing.com/img/securitynewspaper.png">
Once this tag is inserted in the email, opening the email in the recipient's email client triggers the email tracking events. A web request is sent from the recipient to the server, in this case iicybersecurity-testing.com, to access the securitynewspaper.png file. As we have already placed this file on the server, this small 1 x 1 pixel file is loaded in the recipient's email client.
The file is so small, and the same color as the background, that a normal user will not notice that someone is watching his/her events. Once the file is loaded, we can check the web server logs of iicybersecurity-testing.com to find the IP address of the client and a fingerprint of the client machine. Different email clients produce different entries in the web server access logs. Let's check the email tracking events for different email clients:
Gmail Tracking
Opening the email in Gmail will produce these logs in the web server access logs:
172.23.13.16 - - [25/June/2020:10:05:46 +0000] "GET /img/securitynewspaper.png HTTP/1.1" 200 150 "-" "Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko Firefox/11.0 (via http://ggpht.com GoogleImageProxy)" "64.233.173.156"
As Gmail uses a proxy to cache images, we will only catch the first two email tracking events.
- Tracking email (if the email is opened or read) = YES
- Tracking event (if the link is clicked) = YES
- IP address of Recipient = NO
iPhone Tracking
Opening the email on an iPhone will produce these logs in the web server access logs:
172.23.13.16 - - [25/June/2020:10:05:46 +0000] "GET /img/securitynewspaper.png HTTP/1.1" 200 150 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148"
We will get these email tracking events:
- Tracking email (if the email is opened or read) = YES
- Tracking event (if the link is clicked) = YES
- IP address of Recipient = YES, public IP is 172.23.13.16
Outlook Tracking
Opening the email in Outlook will produce these logs in the web server access logs:
172.23.13.16 - - [25/June/2020:10:05:46 +0000] "GET /img/securitynewspaper.png HTTP/1.1" 200 150 "-" "https://outlook.live.com/" "Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.132 Safari/537.36"
We will get these email tracking events:
- Tracking email (if the email is opened or read) = YES
- Tracking event (if the link is clicked) = YES
- IP address of Recipient = YES, public IP is 172.23.13.16
Yahoo Tracking
Opening the email in Yahoo will produce these logs in the web server access logs:
172.23.13.16 - - [25/June/2020:10:05:46 +0000] "GET /img/securitynewspaper.png HTTP/1.1" 200 150 "-" "YahooMailProxy; https://help.yahoo.com/kb/yahoo-mail-proxy-SLN28749.html"
As Yahoo uses a proxy to cache images, we will only get the first two email tracking events.
- Tracking email (if the email is opened or read) = YES
- Tracking event (if the link is clicked) = YES
- IP address of Recipient = NO
Conclusion
You should always be cautious when opening email from an unknown source. If you see something like this, always be cautious before clicking on "Display images below".
In this case it's Google, so it will proxy your IP. In other email clients, be cautious.
Cyber Security Specialist with 18+ years of industry experience. Worked on projects with AT&T, Citrix, Google, Conexant, IPolicy Networks (Tech Mahindra) and HFCL. Constantly keeping the world updated on happenings in the cyber security area.