Wednesday, October 04, 2006

A peek inside ReadNotify

Recently the service ReadNotify has been in the news as it was used to track emails and documents sent during the recent HP spying scandal. I'd heard of ReadNotify before but never played with it, but since they offer free accounts I signed up and sent myself some emails. Here's what I found inside those messages.

Using ReadNotify couldn't be simpler. Once you've registered your From address with the service you can send email through it by appending .readnotify.com to the email of the person you are writing to. For example, to send a tracked email to me ([email protected]) you'd send it to [email protected]. ReadNotify will add their tracking features to the message and forward it to the real recipient.

To test the service I sent the following email to a email address on Hotmail. The email was sent from my regular email address via ReadNotify. The email was composed in Mozilla Thunderbird which I have configured to send only plain text email. (Throughout this blog post I have obscured details in the messages by replacing private information with XXX or 123).

Original message:

Date: Tue, 03 Oct 2006 13:20:03 +0200
From: John Graham-Cumming <[email protected]>
Reply-To: [email protected]
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6) Gecko/20040208
Thunderbird/0.5 Mnenhy/0.6.0.104
MIME-Version: 1.0
To: [email protected]
Subject: A test of this email tracking service to a hotmail account
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit

I'd like to see how this works.

John.

What Hotmail received:

Received: from esmtp.emsvr.com ([208.185.251.19]) by
bay0-mc3-f7.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.2444);
Tue, 3 Oct 2006 04:21:24 -0700
Received: from esmtp.emsvr.com (localhost.localdomain [127.0.0.1])
by esmtp.emsvr.com (8.13.6/8.12.11) with ESMTP id k93BKLB1030009
(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO)
for <[email protected]>; Tue, 3 Oct 2006 11:20:22 GMT
Received: (from [email protected])
by esmtp.emsvr.com (8.13.6/8.12.11/Submit) id k93BKLoY030003
for [email protected]; Tue, 3 Oct 2006 11:20:21 GMT
Resent-Date: Tue, 3 Oct 2006 11:20:21 GMT
Resent-Message-Id: <[email protected]>
Resent-From: [email protected]
Received: from [66.249.92.168] by emsvr.com [208.185.251.19]
for <[email protected]>
on-behalf-of [email protected]; Tue Oct 3 11:20:19 2006
Received: from ug-out-1314.google.com (ug-out-1314.google.com [66.249.92.168])
by esmtp (8.13.6/8.12.11) with ESMTP id k93BKDi8029929
for <[email protected]>; Tue, 3 Oct 2006 11:20:14 GMT
Received: by ug-out-1314.google.com with SMTP id t30so548551ugc
for <[email protected]>; Tue, 03 Oct 2006 04:20:07 -0700 (PDT)
Received: by 10.67.121.15 with SMTP id y15mr3639480ugm;
Tue, 03 Oct 2006 04:20:07 -0700 (PDT)
Received: from ?192.168.1.2? ( [10.254.8.232])
by mx.gmail.com with ESMTP id e33sm6037799ugd.2006.10.03.04.20.05;
Tue, 03 Oct 2006 04:20:06 -0700 (PDT)
Message-ID: <[email protected]>
Date: Tue, 03 Oct 2006 13:20:03 +0200
From: John Graham-Cumming <[email protected]>
Reply-To: "[email protected]" <[email protected]>
Usr-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6) Gecko/20040208
Thunderbird/0.5 Mnenhy/0.6.0.104
To: [email protected]
Subject: A test of this email tracking service to a hotmail account
Sender: John Graham-Cumming <[email protected]>
MIME-Version: 1.0
Content-Type: text/html; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Disposition-Notification-To: "them"
<[email protected]>
X-Confirm-Reading-To: [email protected]
Return-Receipt-To: [email protected]
Notice-Requested-Upon-Delivery-To: [email protected]
Errors-To: [email protected]
X-Read-Notification: Courtesy of ReadNotify.com -
http://www.r7vkv5yav10gu1.ReadNotify.com
Return-Path: [email protected]
X-OriginalArrivalTime: 03 Oct 2006 11:21:24.0793 (UTC)
FILETIME=[0FBED290:01C6E6DE]

<HTML><HEAD>
<META http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
</HEAD><BODY><DIV></DIV><DIV>I'd like to see
how this works.
</DIV><DIV>
</DIV><DIV>John.
</DIV>
<div alt="r7vkv5yav10gu1."><pre> </pre><pre>
<br><Img moz-do-not-send="true" border=0 height=1 width=3 alt=""
lowsrc=""
Src=http://www.r7vkv5yav10gu8.ReadNotify.com/nocache/r7vkv5yav10gu9/footer0.gif>
<Img moz-do-not-send="true" Border=0 Height=1 Width=2 Alt=""
Lowsrc=http://www.readnotify.com/ca/rspr47.gif ><BgSound volume=-10000
Alt='' Lowsrc=""
Src=https://tssls.r7vkv5yav10guv.ReadNotify.com/nocache/r7vkv5yav10guv/rspr47.wav>
</pre><table height=1 width=3 border=0><tr><td
background
=http://0320.185.64275/nocache/r7vkv5yav10guP/rspr47.gif> </td>
</tr></table>
<BODY bgColor="#ffffff;background-image:
url(http://www.r7vkv5yav10gum.ReadNotify.com/lis/r7vkv5yav10guq/rspr74.gif)" bgColor="#FFFFFF">
</div><div><title> A test of this email tracking service to
a hotmail account </title>
<title>&rlm;‏‌‌‎‎‍‍‏‎‏‎

[snipped 10s of lines like this]

&rlm;‎‌‌‎‎‏‏‌‎‏‎‎
<title> A test of this email tracking service to a hotmail account
</title>
</div alt="r7vkv5yav10gu1."></BODY></HTML>

Not only has my little plain text email become an HTML mail but there's a whole lot of additional stuff in the message that enables ReadNotify to track my receipt and opening of the message.
  1. The message headers contain no less than six different requests that receipt of the message be reported back to ReadNotify. Specifically, it contains the header Disposition-Notification-To, X-Confirm-Reading-To, Return-Receipt-To, Notice-Requested-Upon-Delivery-To, Errors-To and X-Read-Notification. All of these go to the address [email protected] where the [email protected] is my obscured email address and the ddntqqiabybpiic is a unique string generated for just this message.

  2. That seem unique address also appears in the Return-Path and Resent-From header. All these headers mean that ReadNotify can watch the progress of my message as it passes from server to server just because the servers will be checking information from these headers thus acting as a beacon showing which IP addresses looked at the message.

  3. The message body contains four separate web bugs using a standard image, a background sound, a background image on a table and a background image on the body using CSS.

    The background image is <img send="true" alt="" lowsrc="" src="http://www.r7vkv5yav10gu8.ReadNotify.com/" border="0" height="1" width="3" /> where the r7vkv5yav10gu8 is unique to this message.

    The background sound is <bgsound volume="-10000" alt="''" lowsrc="" src="%20https://tssls.r7vkv5yav10guv.ReadNotify.com/ nocache/r7vkv5yav10guv/rspr47.wav">. Notice the volume being set to -10000 so that there's no sound at all and the same unique string in the path to get the sound.

    The table contains a <td> tag with a background image using the same unique string: <td background= http://0320.185.64275/nocache/r7vkv5yav10guP/rspr47.gif>

    Finally, the same unique string appears in the <body> tag using CSS <BODY bgColor="#ffffff;background-image:url(http://www.r7vkv5yav10gum. ReadNotify.com/lis/r7vkv5yav10guq/rspr74.gif)" bgColor="#FFFFFF">

  4. Finally, there's that large block of stuff at the end written using HTML entities. In fact it consists of preciesly four different invisible HTML entities repeated over and over again: &rlm; (right-to-left-mark), &rlm; (left-to-right-mark), &zwnj; (zero-width non-joiner) and &zwj; (zero-width joiner). There's clearly a pattern there, but I'm not sure of its purpose, perhaps it's yet another unique identifier on the message.
It's also possible to send the message via .silent.readnotify.com. I tried that too, with the same message. The only differences are that the return receipt headers are missing (which means that the person receiving the message will not be notified by their mail client of a return receipt) and that the entire message had been base 64 encoded (I wonder why? I assume ReadNotify is trying to hide something from either a mail server or mail client). Unencoding the message revealed that it contained essentially the same HTML as above with a different unique string (since this was a different message).

Going over to the ReadNotify UI shows the two message that I sent and when they were last opened.



Clicking on one of the messages gives details of when and where the message was opened. The physical location was absolutely correct.



The company can also track attachments such as Microsoft Word documents and PDF files with similar accuracy.

Labels:

If you enjoyed this blog post, you might enjoy my travel book for people interested in science and technology: The Geek Atlas. Signed copies of The Geek Atlas are available.

<$BlogCommentBody$>

<$BlogCommentDateTime$> <$BlogCommentDeleteIcon$>

Post a Comment

Links to this post:

<$BlogBacklinkControl$> <$BlogBacklinkTitle$> <$BlogBacklinkDeleteIcon$>
<$BlogBacklinkSnippet$>
Create a Link

<< Home