Wednesday, January 28, 2009

How spammers know email id is legit: Embedded images

I never anticipated this; I am embarrassed not to have seen through it.

Spam emails, if you open them in spite of them going to your spam folder, sometimes contain embedded images. Gmail blocks these and instead shows a link, 'Display images from...'. But I never realised that whenever I viewed those images out of curiosity, I was telling spammers to spam me more.

Turns out, when the image (which is stored on the spammer's server) is viewed, it flags my email address, saying I open spam email and will do so in the future. Moreover, because the image is fetched from an external server, the time it is accessed shows not only that you opened the email but also when you opened it.

This is also why I have received newsletters and promos with a few images here and there: the senders are validating the emails on their list, which gives them valuable information about what time of the day their emails are being read, and also the IP addresses of their readers, which gives them a geographical distribution.
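To see which images in a message would trigger such a fetch before choosing 'Display images', the check below lists every remotely hosted image and flags tiny ones and ones whose URL carries the recipient's address. It is an added example, not code from the original post; the sample message, its hosts and the `u` query parameter are constructed for illustration.

```python
from email import message_from_string
from email.policy import default
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qsl

# Constructed sample message: addresses, hosts and the "u" parameter are made up.
SAMPLE = """\
From: news@shop.example
To: alice@example.org
Content-Type: text/html; charset="utf-8"

<img src="cid:logo123" width="200" height="50">
<img src="http://img.shop.example/banner.png" width="600" height="120">
<img src="http://track.shop.example/o.gif?u=alice%40example.org" width="1" height="1">
"""

class ImgCollector(HTMLParser):
    """Collect the attributes of every <img> tag in an HTML body."""
    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.images.append(dict(attrs))

def remote_images(raw_message):
    """Return one finding per image the client would fetch from a remote server."""
    msg = message_from_string(raw_message, policy=default)
    recipient = msg["To"].addresses[0].addr_spec.lower()
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return []  # no HTML part, so nothing would be fetched
    collector = ImgCollector()
    collector.feed(body.get_content())
    findings = []
    for img in collector.images:
        url = urlsplit(img.get("src") or "")
        if url.scheme not in ("http", "https"):
            continue  # cid:/data: images travel inside the mail itself
        values = [v.lower() for _, v in parse_qsl(url.query)]
        findings.append({
            "host": url.hostname,
            "tiny": img.get("width") == "1" and img.get("height") == "1",
            "names_recipient": recipient in values,
        })
    return findings

if __name__ == "__main__":
    print(remote_images(SAMPLE))
```

Any entry in the result is a request the sender's server would log with a timestamp and IP address; an opaque per-recipient token in the URL identifies the reader just as well as a literal address, so an unflagged remote image is not proof of no tracking.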

Such a simple 'hack' has a lot of potential uses. You can send an email with an embedded image, and using the image logs you can show the person opened the email with an intention to read it, as this post shows. I was searching for stuff related to Google Talk and this post caught my attention. As he also mentions, it delivers your IP address... So you can potentially know where your friend who has gone into hiding is reading his emails from (or which end proxy he is using). Or if the email is being misused by someone else. Of course, this is with the assumption that he chooses to display the images in Gmail or is using some other mail provider that automatically shows embedded images.

I am considering not allowing images on the one or two useless newsletters I get and never opening spam again.
