Archive for February 24th, 2014

There was considerable controversy in the comment thread of “Something in the Milk” about whether emails could be tracked as my correspondent described, and how such a thing would work. So on the evening of Valentine’s Day, she and I decided to test it out: she sent me an email, I forwarded it to others and she told me what we had done. The results convinced me, and I think they’ll convince you as well. The tracking utility is called Readnotify, and though it isn’t free the cost is small. Normally there is a notification in the email that shows it’s being tracked, but in “silent” mode this information is hidden from recipients. Note that all ISPs and the names of local towns have been disguised to protect privacy.

This email was initially opened on IP 40.8.23.254:12345; the device it was opened on has specific software specifications, listed under “Browser”.  This shows the brand and version of the browser agent that was used when opening my email; these specifications are unique to each machine as updates are not always installed.  I can see that this user is showing MSOffice in the browser info, so this user receives email via Outlook more than likely.

Opened
Opened 3-Feb-14 at 23:58:55pm (UTC -5:00)   –   59mins46secs after sending
Location Middle, Nowhere, United States (86% likelihood)
Opened on  (40.8.23.254:12345)
Browser used by recipient: Moz/4.0 (MSIE 7.0; WinNT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; MSOffice 12)

This information by itself is meaningless; you can’t determine a user, a physical location, or anything else other than the IP information and the browser info. But what this information can provide is a “dog tag” for a device; as you compare it to other email tracking data that you receive, you can begin to notice whether any single “dog tag” appears in the circulation of any other emails that you are tracking. Now Reader 1 reopens the mail; only the end of the IP is different; you will see that change with reopens.

Re-Opened
Opened 4-Feb-14 at 00:20:32am (UTC -5:00)   –   1hour21mins23secs after sending
Location Middle, Nowhere, United States (86% likelihood)
Opened on  (40.8.23.254:67890)
Browser used by recipient: Moz/4.0 (MSIE 7.0; WinNT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; MSOffice 12)
Last log No more activity after 4-Feb-14 at 00:21:12am (UTC -5:00)   –   Log data indicates email was read for at least 40secs (approx.)

Now for Reader 2:

Forwarded/opened on different computer
Opened 4-Feb-14 at 00:21:24am (UTC -5:00)   –   1hour22mins15secs after sending
Location Redmond, Washington, United States (86% likelihood)
Opened on  (22.56.123.91:12345)
Language of recipient’s PC: en-ca (English/Canada), en (English), en (English)
Browser used by recipient: Moz/5.0 (WinNT 6.1; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0
Last log No more activity after 4-Feb-14 at 00:22:52am (UTC -5:00)   –   Log data indicates email was read for at least 1min28secs (approx.)

This recipient is using a Canadian English setting and running Firefox version 26.  I am doubtful as to location as Redmond comes up often and seems to be the location of an ISP.  Mountain View, California, where Google proxy servers are located, also comes up often.  Though I am not mentioning all of them, each individual identifier in the report will match when a “dog tag” reappears.

Moving on to Reader 3:

Forwarded/opened on different computer
Opened 4-Feb-14 at 00:24:40am (UTC -5:00)   –   1hour25mins31secs after sending
Location Bacontown, Nova Scotia, Canada (86% likelihood)
Opened on  (407.81.23.715:56789)
Language of recipient’s PC: en-US (English/United States), en;q=0.5 (English)
Browser used by recipient: Moz/5.0 (WinNT 6.1; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0
Accepts Files browser can open: i/png,i/*;q=0.8,*/*;q=0.5

This one appears to be in Bacontown, Nova Scotia, and the ISP is Eastlink Ca, running Firefox version 26.  Wait, it appears that Reader 2 has opened my email again from the same device.

Re-opened (by earlier reader #2)
Opened 4-Feb-14 at 00:24:49am (UTC -5:00)   –   1hour25mins40secs after sending
Location Redmond, Washington, United States (86% likelihood)
Opened on  (22.56.123.91:24680)
Language of recipient’s PC: en-ca (English/Canada), en (English), en (English)
Browser used by recipient: Moz/5.0 (WinNT 6.1; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0

Now the original reader is taking a third look:

Re-opened (by earlier reader #1)
Opened 4-Feb-14 at 00:59:25am (UTC -5:00)   –   2hours16secs after sending
Location Middle, Nowhere, United States (86% likelihood)
Opened on  (40.8.23.254:54321)
Browser used by recipient: Moz/4.0 (MSIE 7.0; WinNT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; MSOffice 12)
Last log No more activity after 4-Feb-14 at 01:00:09am (UTC -5:00)   –   Log data indicates email was read for at least 44secs (approx.)

Now we arrive at a 4th device that appears to be a mobile phone.  I say that because it is showing a Google proxy; this is a new way Google is protecting phones from malware by opening images on a proxy for view.  That proxy shows up as Mountain View, California.  In this case we are viewing Google proxy info, and that “dog tag” will match any other proxy lookup so it is pretty useless for significant matching.

Forwarded/opened on different computer
Opened 4-Feb-14 at 01:00:36am (UTC -5:00)   –   2hours1min27secs after sending
Location Mountain View, California, United States (86% likelihood)
Opened on  google-proxy-11-234-56-78.google.com (11.234.56.78:98765)
Browser used by recipient: Moz/5.0 (Win; U; Windows NT 5.1; de; rv:1.9.0.7) Gecko/2009021910 Firefox/3.0.7 (via ggpht.com GoogleImageProxy)
Last log No more activity after 4-Feb-14 at 01:01:49am (UTC -5:00)   –   Log data indicates email was read for at least 1min13secs (approx.)

Reader 5:

Forwarded/opened on different computer
Opened 4-Feb-14 at 01:11:13am (UTC -5:00)   –   2hours12mins4secs after sending
Location Beachville, California, United States (86% likelihood)
Opened on  (66.111.77.88:09876)
Language of recipient’s PC: en-us (English/United States)
Browser used by recipient: Moz/5.0 (iPad; CPU OS 7_0_4 like Mac OS X) AppleWebKit/537.51.1 (KHTML, like Gecko) Mobile/11B554a

Looks like an iPad running a mobile version of something opened it.

Reader 6

Forwarded/opened on different computer
Opened 4-Feb-14 at 01:11:23am (UTC -5:00)   –   2hours12mins14secs after sending
Location Beachville, California, United States (86% likelihood)
Opened on  (66.111.77.88:09877)
Language of recipient’s PC: en-us (English/United States)
Browser used by recipient: Moz/5.0 (iPad; CPU OS 7_0_4 like Mac OS X) AppleWebKit/537.51.1 (KHTML, like Gecko)
Last log No more activity after 4-Feb-14 at 01:11:39am (UTC -5:00)   –   Log data indicates email was read for at least 16secs (approx.)

Interesting.  Only the last digit of the IP is different.  It is also an iPad running the same versions except for the mobile part.  I am guessing it is either a second device on a home network, or a non-mobile email agent causing a difference in the reverse name resolution.  Now Device 5 appears again showing the mobile version and another slight difference in the reverse name resolution.

Re-opened (by earlier reader #5)
Opened 4-Feb-14 at 01:12:53am (UTC -5:00)   –   2hours13mins44secs after sending
Location Beachville, California, United States (86% likelihood)
Opened on  (66.111.77.88:09885)
Language of recipient’s PC: en-us (English/United States)
Browser used by recipient: Moz/5.0 (iPad; CPU OS 7_0_4 like Mac OS X) AppleWebKit/537.51.1 (KHTML, like Gecko) Mobile/11B554

Now Reader 7:

Forwarded/opened on different computer
Opened 4-Feb-14 at 01:14:26am (UTC -5:00)   –   2hours15mins17secs after sending
Location Middle, Nowhere, United States (86% likelihood)
Opened on  (40.8.23.254:87654)
Language of recipient’s PC: en-US (English/United States), en;q=0.5 (English)
Browser used by recipient: Moz/5.0 (X11; Linux i686; rv:24.0) Gecko/20100101 Thunderbird/24.3.0
Accepts Files browser can open: i/png,i/*;q=0.8,*/*;q=0.5
Last log No more activity after 4-Feb-14 at 01:16:47am (UTC -5:00)   –   Log data indicates email was read for at least 2mins21secs (approx.)

Reader 7 is on the same network as Reader 1. It is a different device though, operating Linux i686 Thunderbird/24.3.0. I would guess this is a second device on either a home or office networked computer. Next Reader 5 opens it on the iPad again using the mobile version.

Re-opened (by earlier reader #5)
Opened 4-Feb-14 at 01:17:44am (UTC -5:00)   –   2hours18mins35secs after sending
Location Beachville, California, United States (86% likelihood)
Opened on  (66.111.77.88:11223)
Language of recipient’s PC: en-us (English/United States)
Browser used by recipient: Moz/5.0 (iPad; CPU OS 7_0_4 like Mac OS X) AppleWebKit/537.51.1 (KHTML, like Gecko) Mobile/11B554a

Now Reader 7 opens it again on the same device:

Re-opened (by earlier reader #7)
Opened 4-Feb-14 at 10:39:06am (UTC -5:00)   –   11hours39mins57secs after sending
Location Middle, Nowhere, United States (86% likelihood)
Opened on  (40.8.23.254:12548)
Language of recipient’s PC: en-US (English/United States), en;q=0.5 (English)
Browser used by recipient: Moz/5.0 (X11; Linux i686; rv:24.0) Gecko/20100101 Thunderbird/24.3.0
Accepts Files browser can open: i/png,i/*;q=0.8,*/*;q=0.5
Last log No more activity after 4-Feb-14 at 10:57:31am (UTC -5:00)   –   Log data indicates email was open for at least 18mins25secs (approx.)

Then Reader 7 decided to get a little tricky, and though they used the same device, they opened it on a different browser. Not Linux; they went with Moz/4.0 with an MS Office tag, indicating it was opened thru Outlook perhaps.

Opened 4-Feb-14 at 11:49:57am (UTC -5:00)   –   12hours50mins48secs after sending
Location Middle, Nowhere, United States (86% likelihood)
Opened on  (40.8.23.254:31285)
Browser used by recipient: Moz/4.0 (MSIE 7.0; WinNT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; MSOffice 12)

Finally, the activity with this email concludes with one final open on the iPad in Beachville, California, mobile version:

Re-opened (by earlier reader #5)
Opened 4-Feb-14 at 21:07:02pm (UTC -5:00)   –   22hours7mins53secs after sending
Location Beachville, California, United States (86% likelihood)
Opened on  (66.111.77.88:11705)
Language of recipient’s PC: en-us (English/United States)
Browser used by recipient: Moz/5.0 (iPad; CPU OS 7_0_4 like Mac OS X) AppleWebKit/537.51.1 (KHTML, like Gecko) Mobile/11B554a

Ending Summary

Summary   –   as at 5-Feb-14 at 16:29:00pm (UTC -5:00)   –   1day17hours29mins51secs after sending
Total  Opened 15 times by 7 readers
Reader #1  Opened 4 times for 1min24secs total
Reader #2  Opened 2 times for 1min28secs total
Reader #3  Opened 1 time
Reader #4  Opened 1 time for 1min13secs total
Reader #5  Opened 4 times
Reader #6  Opened 1 time for 16secs total
Reader #7  Opened 2 times for 20mins46secs total

Now, if this were a client interaction I would have concerns. Why would our interactions be shared so many times? And with whom were they shared? I would then begin to scan other email reports to see if any dog tags from this individual match any dog tags from any unrelated (or supposedly unrelated) emails. By comparing dog tags, you can identify when a network of devices is constantly sending you emails, then circulating your replies through the network. In comparison, most email tracking reports say opened 1 time by 1 reader, or 2 times by 2 readers (two devices). Even 15 times is ridiculously high, as we see in this test, but take a look at a recent summary of the activity on the email that I wrote about in “Something in the Milk”:

Summary   –   as at 5-Feb-14 at 16:36:41pm (UTC -5:00)   –   22days19hours12mins46secs after sending
Total  Opened 134 times by 4 readers
Reader #1  Opened 124 times for 28mins8secs total
Reader #2  Opened 7 times for 22mins23secs total
Reader #3  Opened 2 times for 15mins3secs total
Reader #4  Opened 1 time

The last entry on the log shows my email still being opened more than 20 days later; the dog tags on his report match dog tags on four other contacts all claiming to be in different parts of Florida and one in New Orleans.  Why would this P411 member be forwarding my emails to a network of individuals centered in Orlando who are all responding to my Eros ad?

Her tracking and conclusions were spot on. I opened the email, then asked Aspasia and Kevin Wilson if they’d help; when they agreed I re-opened it and forwarded it to them (Middle, Nowhere is where my DSL service originates from). Soon afterward my husband returned my call and agreed to participate; he’s working in California right now and did open the mail on two devices in three ways, then forwarded it to a different email address of his and opened that one. Meanwhile, Grace was opening it as well, and when I read this report to her she laughed and said that she had indeed tried to trick the software as described.
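
The “dog tag” matching described in the report, as an added example that is not part of the original post and not Readnotify’s own code: it parses entries in the report’s layout, builds a tag from IP, language and browser string, and sets image-proxy opens aside because they identify the proxy rather than a reader. The function names are this example’s own, and it assumes the number after the colon in “Opened on” is the connection’s source port, which is left out of the tag.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: four entries abridged from the (already disguised) report above.
REPORT = """\
Opened on  (40.8.23.254:12345)
Browser used by recipient: Moz/4.0 (MSIE 7.0; WinNT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; MSOffice 12)
Opened on  google-proxy-11-234-56-78.google.com (11.234.56.78:98765)
Browser used by recipient: Moz/5.0 (Win; U; Windows NT 5.1; de; rv:1.9.0.7) Gecko/2009021910 Firefox/3.0.7 (via ggpht.com GoogleImageProxy)
Opened on  (40.8.23.254:87654)
Language of recipient's PC: en-US (English/United States), en;q=0.5 (English)
Browser used by recipient: Moz/5.0 (X11; Linux i686; rv:24.0) Gecko/20100101 Thunderbird/24.3.0
Opened on  (40.8.23.254:31285)
Browser used by recipient: Moz/4.0 (MSIE 7.0; WinNT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; MSOffice 12)
"""

OPENED_ON = re.compile(r"^Opened on\s+(\S*)\s*\(([\d.]+):(\d+)\)")

def parse_report(text):
    """Return one dict per open; a new entry starts at each 'Opened on' line."""
    entries = []
    for line in text.splitlines():
        m = OPENED_ON.match(line)
        if m:  # group 3 (assumed to be the source port) changes per open, so it is dropped
            entries.append({"host": m.group(1), "ip": m.group(2), "lang": "", "ua": ""})
        elif entries and line.startswith("Language of recipient"):
            entries[-1]["lang"] = line.split(":", 1)[1].strip()
        elif entries and line.startswith("Browser used by recipient:"):
            entries[-1]["ua"] = line.split(":", 1)[1].strip()
    return entries

def dog_tag(entry):
    """IP + language + user agent, or None when an image proxy fetched the message."""
    if "GoogleImageProxy" in entry["ua"] or entry["host"].startswith("google-proxy"):
        return None  # identifies the proxy, not the reader's device
    return (entry["ip"], entry["lang"], entry["ua"])

def group_by_tag(entries):
    """Map each dog tag to its number of opens; proxy opens are pooled under None."""
    return dict(Counter(dog_tag(e) for e in entries))

def shared_networks(entries):
    """IPs behind which more than one distinct dog tag appeared."""
    by_ip = defaultdict(set)
    for e in entries:
        if dog_tag(e):
            by_ip[e["ip"]].add(dog_tag(e))
    return {ip: len(tags) for ip, tags in by_ip.items() if len(tags) > 1}
```

On this sample the first and last opens collapse into one tag, and 40.8.23.254 shows two distinct tags, which is the pattern the report reads as a second device on the same network.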