Use NoSpyMail to combat PattyMail

HP's Patricia DunnIn case you haven’t heard, “PattyMail” is the term coined to describe the sending of email with the intent of spying, the way that HP’s Patricia Dunn allegedly authorized this year. 

The idea is simple.  Say you have someone on your board who is sending confidential email to someone they aren’t supposed to, like a competitor or the press.  Simply add a small HTML image into your confidential e-mail.  Then, in theory, when someone reads the email, the email client will download that image, causing a “ping” to be sent back to your webserver to download the image.  You can then see which domains are fetching your images, and find your leaker.

“But that doesn’t work!” you say.  The answer is maybe.  It is true that most modern e-mail clients suppress HTML fetching by default.  BUT  – if the user clicks “show me the images”, then the images are shown.  So, when emails are coming from a trusted sender, like the chairman of the board, there is a reasonable chance you’ll want to see the graphics too, and open yourself to HTML spying.

“But that still doesn’t identify the leaker!”, you say.  But you are wrong; this is where the difference between HTML mail and “Spy Mail” comes in.  With HTML mail, you may have an image referenced in the email like:

    <img src=””>

In this case, you are right, if you forward this document to 10 people, and then one of them forwards to someone else, you won’t be able to tell which of them did it.  So why not encrypt special data in the image link to identify the leaker?  Instead of the link above, you might send a different email to each person, and the image links might instead look like:

    <img src=””>

This is SpyMail.  Now, when the sender checks their server logs, they’ll know exactly who the leaker is.  Evidently, this is what Patricia Dunn did.

It turns out that embedding information in email in a clandestine way is not too hard.  But generally, you don’t want the recipient to know they are being spied upon.  And this is where NoSpyMail comes in, because it can detect this.  When you read email with Outlook 2003, it won’t show HTML images.  But, if you tell it to, it will.  And if anyone is spying on you, they’ll get you!  NoSpyMail allows you to view those emails *without* getting spied upon.  How does it do this?  Well, it detects images which contain tracking information, and forcibly removes the tracker.  The image is skipped, but other images will still work.  This allows the reader to more safely read email. I wish I could say it were guaranteed 100% to work, but it is not.  But I do think it catches 95+% of the spymail.

Businesses also use this technique for less nefarious schemes.  For instance, if you sign up for newsletters from Costco, you’ll get HTML mail.  You probably want to see the images, because the sale items are all images.  But, as soon as you do, they’re tracking you, and they’ll know that contacting you by email works, and that you read it, where you read it form, what time you read it from, and whether you are a Windows or a Mac user.  Maybe you care, or maybe you don’t.  NoSpyMail offers a middle ground; you can read the newsletter, but not have to tell Costco that you did.

Anyway, NoSpyMail is normally free.  But, if you are a member of the HP board, and you need some protection, let me know.  Pricing starts at $10,000 per copy.  Probably a good investment for you!

NoSpyMail Revisited

It’s been a couple of years now since I wrote NoSpyMail, and I haven’t really done much with it. Each month I get a few nice emails from users that are using it – and I’m always pleasantly surprised to hear that they still like it. It’s a simple little utility, probably written more out of anger than anything else.

But today I got a friendly email from a guy that is upgrading to Vista, and he reported that it wouldn’t install for him. OK – so I fixed that (I think!) for him. But I asked why he used it when he’s using Outlook 2003. After all, Outlook 2003 already has html image filtering built in.

His answer was that he still needs it. Even though we may filter out *most* of those HTML emails, how many do we still click on because they are from our “legitimate” places, e.g. costco, fandango, ticketmaster, etc. These are emails that we want to receive, but even these “legitimate” mass-email-senders are using trackers to spy on who’s clicking.

He’s got a valid point. He also thinks he gets a lot less spam as a result of using NoSpyMail. Hard to say, but I hope he’s right.

So, after having not used NoSpyMail myself for quite a while, I brought it back into my software lineup. Works great (it ought to – I wrote it! :-), and really doesn’t tax you in any way except that it filters out nasty HTML trackers. I was a little annoyed by the default settings because you get notified *so much* about the spymail. So I quickly unchecked the box to “Notify me when Spymail is discovered” (available via the Options). I don’t need to be notified – just clean it up and let me read my mail safely.

Sorry for the blatant plug.

How much spy mail do you get? Who from?

I’ve been running my no-spy-mail utility for a little over a week now. Its definitely been an interesting experience.

First, a little about my email. My test mailbox is mostly spam – probably 98% spam. Its unfiltered in any way. Since running nospymail, I’ve trapped 313 spymail emails! Holy cow!

Whats going on is that its trapping all the spammer sites that use http images to track their advertising campaigns. Probably the reason I get so much spam is the very fact I haven’t been running nospymail or antispam products. Most of the mail I don’t open, of course. But, each time I accidentally do, or leave the cursor in the wrong spot to open a message, BOOM – the spammer gets a nice little note saying that mike @ received and read advertising campaign #38273. His IP address is W.X.Y.Z, he read the email from somewhere in Santa Clara county, and his browser is Internet Explorer 6.0. Thats more info than I care to give those guys. I’m glad its working.

The spammer sites are also just flooding out email. There is one site, sending me mortgage stuff, which sends me about 5-6 spymail messages PER HOUR. Their site is Just a spam company.

Anyway, mildly interesting. I’ve passed NoSpyMail to a couple of friends now. At first they were like, “yeah yeah, spy mail. spy ware. viruses. spam… yuk.” But, once you get your first notification that someone is spying on you, you get *really* curious.


My previous posting got me curious enough that I decided to write a program to detect SpyMail in my own email. Not surprisingly, I get a lot. Most of it comes from spammers. But, I have seen a few from msgtag and didtheyreadit, too. Those two have been used in sending email to customer support for some other products I work on, presumably to figure out if customer support actually reads the email. (Which we do, of course!)

So, if you want to try it out – I put it up for free download. It works within Outlook, and requires .NET. It installs as a passive watcher of your email. If it sees SpyMail, it lets you know about it, keeps a hsitory of the spymail, and neutralizes the spy-threat.

Of course, it probably can’t detect everything, but I’ve already found over 20 spymails that were in my mailbox…. Frightening.

Here is where you can get NoSpyMail

Ick. Spymail.

Dan Gilmore wrote last month about a troubling issue where seemlingly legitimate companies are now participating in making more SpyMail. SpyMail isn’t new. Its been used by spammers for a long while. But now some otherwise seemlingly legitimate companies are trying to make businesses out of it….

What is SpyMail? SpyMail is the attempt by hackers, spammers, or unscrupulous people to learn more about your mail reading habits. Some companies claim that there is a legitimate use – so that the sender can know if you read the email or not. But, if its legitimate, why is it covert? Why not use the Read-Receipts feature that the receiver can see explicitly. There is no doubt in my mind that these products are clearly out to do harm. When something is veiled in secrecy, its almost always for illegitimate purposes.

What kinds of information can people collect using SpyMail? Quite a lot, actually. Turns out you can easily get:
– Knowledge of if the recipient read the email or not
– When the recipient read the email
– If the recipient forwarded the email to someone else and to whom
– The operating system of the recipient
– Version information about the recipient’s computer
– The IP address of the recipient
– The location of the recipient (tracked loosely by IP location finding)
– More.

Wow. Thats pretty dangerous. Since I write plugins for Outlook, I just may write a plugin to kill these SpyMail guys.

Outlook 2003 already has a feature to protect you from SpyMail. By default, it doesn’t load HTML images for this very purpose. You have to manually download the images you want. Its a little cumbersome, but at least it works.

Oh yeah – who are the spymailers? Here are the villains that offer these services in the name of “features”. The fact that they would dare build this indicates that they are unscrupulous, greedy, ignorant and shameless. Get the idea? (a little better because the recipient can see that the message is tagged, but the recipient still doesn’t get a chance to block it before its too late)
Read more