Catch up on stories from the past week (and beyond) at the Slashdot story archive


Forgot your password?
The Internet Bug Businesses Privacy Spam

Web Bugs the New Norm For Businesses? 108

An anonymous reader writes "What ever happened to the good old days, when underhanded email practices were only used by shady email marketing companies and spammers? Today, it seems, the mainstream corporate world has begun to employ the same tactics as spammers to track their customers' email. Jonathan Zdziarski noted in a blog entry that AT&T is using web bugs to track email sent to customers. Could this be used for nefarious purposes?"
This discussion has been archived. No new comments can be posted.

Web Bugs the New Norm For Businesses?

Comments Filter:
  • How long before this is used for nefarious purposes?"


    • Re: (Score:3, Insightful)

      by KublaiKhan ( 522918 )
      How long has it been -since- they started using this for nefarious purposes, you mean.
      • Re: (Score:1, Flamebait)

        by beakerMeep ( 716990 )

        Agreed. This isn't the kind of article that belongs on Slashdot. Email tracking has been going on probably almost 10 years.
        The fact that this guy discovered 1x1 pixels in email and mis-attributes them to "bugs", is so technically incompetent I would think I am reading the technology section of AOL.

        • 1x1 pixel images are more likely to fix really lousy email rendering by wildly different clients. ANY image in an email can be used for tracking.

        • The fact that this guy discovered 1x1 pixels in email and mis-attributes them to "bugs", is so technically incompetent I would think I am reading the technology section of AOL.

          Ummm... "web bug" is the actual term for them.


          I would've thought someone ranting about technical incompetence would've known that.

          • The fact that this guy discovered 1x1 pixels in email and mis-attributes them to "bugs", is so technically incompetent I would think I am reading the technology section of AOL.

            Ummm... "web bug" is the actual term for them.


            I would've thought someone ranting about technical incompetence would've known that.

            shoot, you beat me to it!

            I was thinking the same thing! It's always humorous to read someone rant like that, and demonstrate their own ignorance!

            Then again, maybe we fell for a troll!

          • You're sarcasm aside, that term seems to me to be a mis-representation by laymen and marketing folk; just like "beacon" and all the others. Look at one of the image tags for the article -- Soulskill mis-tagged it with the bug picture. The reality is, it's a tracking pixel.

            Still, you're right, mea culpa. I didn't know that term, even having worked in online advertising and publishing for many years. But it's hard to know all the names marketing folk come up with.

            However, I don't think this changes the fact

        • I assume that almost everyone who sends commercial email does this. It's not really news, and I don't think it's a big deal. Almost every email program (even Outlook) has an option to not download images--if you don't want to confirm that you've received the email, don't download images.

          Also, as an occasional sender of commercial email just because the image has been downloaded doesn't mean it's been read. Just means the images have been downloaded.

          This is why if you are sending out commercial email, mak

          • by igb ( 28052 )
            Unfortunately, the reason why you might want to not load images isn't stated in the preferences pane in question, so users at large probably don't realise that images are here being used for another purpose.
            • by klubar ( 591384 )

              I think, at least with Outlook, the default is to not load images and the warning message is reasonably clear. Also, knowing that you received a message doesn't seem like that big of a deal. If you're concerned about confirming your email address (which is all the web beacons do) use a throw away address or turn off downloads

        • by yuhong ( 1378501 )

          Yea, which is why most email clients has an option to not load images by default for years now.

        • The fact that this guy discovered 1x1 pixels in email and mis-attributes them to "bugs", is so technically incompetent I would think I am reading the technology section of AOL.

          It certainly is something to discuss here, but the suggestion that it is a "New Norm" is absurd.

          What makes you think the guy was wrong?? They've admitted to using them. What other 1x1 graphics do you expect? A period would typically take four, not that it makes much sense to use a graphic for a period.
          What possible legitimate use a

        • he was refering to bug as in a bugged telephone not faulty software

      • How long has it been -since- they started using this for nefarious purposes, you mean.

        Whatever goes around, comes around.

    • I'm going to guess negative 1 or 2 years.

    • I thought the point of the story was that legitimate businesses are now commonly using a technique that was originally used exclusively for nefarious purposes. So I would say... two or three sentences ago?

      Honestly, is there a script that tacks "Could this be used for nefarious purposes?" on the end of every entry or something?
    • The first time I wrote a program to do this was about 1996 or so. It worked better than reply receipts for some customers. It's been around since Outlook/Outlook Express/Eudora first started supporting HTML formatted e-mail.

      Our "nefarious purpose" was (at the time) supporting a paid subscription e-mail publication, and then the marketing people got wind of it...

      So, if you consider marketing and their desire for another useless statistic nefarious -- define it as you wish..

  • Use Thunderbird (Score:4, Interesting)

    by Compaqt ( 1758360 ) on Friday December 03, 2010 @03:19PM (#34435374) Homepage

    It doens't load web bugs until you tell it to. does the same.

    • Outlook skips loading them by default as well if you are even close to current.

    • by smartr ( 1035324 )
      This is hardly a bug. If you load anything from a remote server, as long as they put a randomly generated id tying it to the sent email, it can be used to track. A server gets the request, marks the email as read, then returns a standard image... On the other hand, there's no reason an email server couldn't get tricky and pre-load every image it gets, then pipe it as an attachment to the user on a request.
      • As a programmer, the first thing I think of when I hear "bug" when related to computers is a flaw or defect... but I think in this case they mean a more traditional bug, like when you say someone's phone is "bugged." A tracking or listening device.

        I've even heard some users refer to viruses/malware as "bugs" (like having a flu "bug")... confuses the hell right out of me as a programmer until I realize what they really meant.

    • The popular MailScanner [] spam/virus filter removes 1x1 Web bugs by default so there are quite a few mail servers out there that will neutralise this issue.
    • by Timmmm ( 636430 )

      It doens't load web bugs until you tell it to.

      That's a standard feature on every mail client I've used for at least the past 5 years.

  • by hackersass ( 785308 ) on Friday December 03, 2010 @03:20PM (#34435396)
    Don't most email clients block remote images in the out of the box configuration? I know Outlook and Thunderbird do. Doesn't that make this pretty much a non issue? Yes, I'm failing to account for the Outlook 97 users out there...
    • yeah but most people click show images....

      • You don't really need a hidden 1x1 pixel someplace to generate information when you can just imbed the information in the get request for one of the big images, then, do you?
        • If the server serving the image is part of the analytic campaign,no you dont. However, most of the time, the analytics services are not provided in-house, but the big image is.

          • by icebike ( 68054 )

            But even in that case, it wouldn't have to be a 1x1 image.

            Any size image would do. The 1x1 bit is just to keep bandwidth down and allow the same image to be uses for every request, and to allow the insertion of the image to be done by the email engine without messing up the layout.

        • by sqlrob ( 173498 )

          You can strip the "for one of the big images". You just need the Get request. CSS, images, whatever.

        • by Anonymous Coward

          Why would you use an image to track an email campaign, when there are other filetypes that an HTML email client will load without asking?

          I once wrote an email campaign system in ASP.NET. One of the fun things you can do with .NET is create IHttpHandlers that handle an incoming request for a given resource, but have server-side executable code associated with them (without having to change any file type associations!). So I created a handler that updated a database with tracking stats and retrieved a 1x1 ima

          • Reading email in plain text thwarts all of those. I use Magic Mail Monitor to check my mail and open what I want to read in UltraEdit. May not get the message that the sender intended, but that's their problem, not mine.
  • by 140Mandak262Jamuna ( 970587 ) on Friday December 03, 2010 @03:25PM (#34435496) Journal
    Why read mail with html turned on by default? Turn on "dont show images" if your mail client allows it.
    • Both Gmail and Hotmail have images turned off by default - Yahoo might as well I don't know. So any of the regular web clients are safe enough.

  • Yet another reason I block images in Gmail.
  • How else would they have any stats?
  • I heard about this years ago. I am still waiting on my check from Bill Gates.
  • by digitaldc ( 879047 ) * on Friday December 03, 2010 @03:30PM (#34435602)
    Advanced Tracking and Trailing
  • Uh duh. This is why email clients ship with the viewing of inline images turned off.
  • 2003 called (Score:5, Insightful)

    by circletimessquare ( 444983 ) <circletimessquare&gmail,com> on Friday December 03, 2010 @03:35PM (#34435676) Homepage Journal

    it wants its story back

    this news is very old

    i read email text only. i'm not paranoid, i just prefer it. the conversion to text sometimes results in some really fugly emails, and they are always emails from businesses, usually ads. and i'm talking about valid businesses i have some sort of demographic contact with with my lame public email address (as opposed to my personal public email address, that i actually attempt to protect and actually pay attention to): starbucks, cvs, best buy, verizon, etc

    i pay attention to 1% of such emails, usually for half a second, when i scan this folder maybe once a month for any valid correspondence. but the image links always stand out since they usually burst the flow of text when converted to text. they are always something like 88daeef445bb23c1.jpg. never banner.jpg or greatoffer.jpg. it's always some unique code

    yes, every time you view an html email (with automatic image download), you are spied on. this should be of no surprise to anyone half awake, since this is true for i would say a decade or more as the normal status quo

    • by cfulton ( 543949 )
      No kidding. This is (has been) used by companies big and small since email started to be sent to customers. I don't believe that I have ever worked with an "email marketing firm" or product that didn't include this "feature". It is stale old news.
  • Vertical response, mail chimp, etc.. all commercial email marketing companies include a tracker. Its really not all that much different than websites tracking you, knowing that you clicked on their page at such and such time, except this time you are looking at the page from your inbox.

    • You'll also note that every URL on one of these mails is a redirect that has the ability to track which user and which email it originated from.

      They then use this info to generate click-through reports on what type of user did what with which email.

      I'll add this is very old news.

  • Don't Load Images (Score:5, Insightful)

    by StevisF ( 218566 ) on Friday December 03, 2010 @03:42PM (#34435818)

    Every e-mail client I've used in recent times doesn't load images by default. I generally assume that I am being tracked if I choose to load the images.

    • I think the more appropriate question is what person believe they aren't being tracked when downloading images from some server?

      Every Web transaction is tracked and when it loads images it downloads those images from a website which is tracking downloads. But the main question is who in their right mind doesn't realize that happens? I thought this was common knowledge. There is simply no way for a website not to know you are downloading images unless they turn off all tracking and that would make bug report

  • Isn't this the same thing built into's CRM? I've been using that for ages to see if prospects are reading the emails I send them.
  • by Anonymous Coward

    We send mass mails to people who have opted in. It's mostly just ads, with a little bit of genuinely-interesting "content" which is the ostensible purpose of the mail from the receiver's point of view. From our point of view, the purpose is to show the ads. The mails are HTML. I haven't looked too hard at 'em, because I don't personally read HTML mail, and also I'm not the guy who handles this particular part of our business. But I know it has at least one "web bug."

    Currently, the purpose for the web bug

    • by plover ( 150551 ) *

      Do you care as much about the recipients reading the email, or do you care more if they act upon it? I'd go for the tracking URL if it's the latter.

      As a recipient of such fine emails as yours, a web bug will never tell you if I got them or not as I long ago blocked linked image downloading. But if I'm interested in the content, I'll usually click on the tracking link rather than going to my browser and manually loading the related web page. If the email is useful to me, I don't mind rewarding the email s

      • Well first off, not a spammer - I sell very industry-specific solutions and I do my research beforehand so at the very least it's applicable to a prospect's role and business, etc. I was just saying when you send an email through, it typically (not always depending on how their EM is configured) shows me how many times they opened it and when the last time was that it was opened. I was just trying to discern what is new/different in the AT&T article from what I have used in SF for a whi
    • It's mostly just ads, with a little bit of genuinely-interesting "content" which is the ostensible purpose

      Is that something like plausible ostensibility?

  • The general population has lost much privacy and many freedoms. And the encroachment continues - accelerates even.

    But the fault is ours. We gave it all away for the promise of cheap baubles, entertainment and security. So many click still on the "get rich quick" eMail scams. So many happily use credit/debit cards to buy every little thing. So many willingly surrender their privacy & dignity - all for the vacuous promise of security. And deity forbid one gets in the way of TV entertainment. Use

    • The Web/Internet is not private, it is Public. Treat it as if you are in your front yard and your neighbors can see and hear everything you do or say. This is what I tell everyone.

      Inevitably they ask about email, which I say "it is like a post card", anyone anywhere along the chain can read it, and you'll never know.

      Treat the internet like it is public, not private, and you'll be safe(r).If you want to be "private" on the iNet you best be encrypting and making sure that only the person you're communicating

      • Re: (Score:2, Insightful)

        by Anonymous Coward

        It's not Public, it's You Get Spied On Every Time You Connect.

        There's a big difference between the classical model of Public and today's surveillance-driven Orwellian nightmare. In your front yard, your neighbors can see what you're doing ... if they happen to be looking in your direction while you're doing it.

        On the web, everything you do is watched, tracked, and analyzed by a legion of machines bent on calculating ways to extract money from you ... or worse, whether men with guns ought to be sent to arre

      • by igb ( 28052 )
        Of course, the technique of using an image-load as a beacon to indicate message receipt would potentially work even if everyone encrypted everything.
  • Uhhh... Yes, as evidenced by the first sentence in the summary.
  • ... what is this web thing of which you speak?

  • I'd be surprised if any companies haven't been using tracking images as a matter of course for all their mailouts for the last 5 years.

    Having spent 6 years working for web agencies I can tell you that marketing people love to see statistics on their mailouts, even if they do nothing more than get a rough estimate on number of views.

    • Exactly. Since when did this start being considered "underhanded"? If this is underhanded, then it is also underhanded to track any of the activity of any logged-in user on a website. Legitimate businesses use that tracking information to better serve their customers. Let's not get confused. Spam is wrong, but it's not necessarily wrong to use a method that is also used by spammers.

  • Web bugs in emails are nothing new. For as long as there has been HTML email there have been web bugs. Every image you load could be considered a web bug because it's creating a log entry somewhere. The bugs don't need to be 1x1 transparent gifs though many tend to be just out of convenience. Almost all links now a days (and for a long time) run through some sort of click tracking tool as well, just like every search engine as well.
  • At least one solution is out there:

    Don't use webmail or web-enabled mail clients like Outlook. Mutt and Alpine and similar mail clients that don't interpret HTML are immune to this particular form of jackassery.

    You know that axiom about how security and convenience are inversely proportional? It's true. You have to set the slider where you choose to, and unless you're willing to write the perfect HTML-interpreting-except-for-web-bugs-which-are-differentiated-from-other-objects-somehow-but-is-still-Excha

  • I worked with this for 6 months. Learned a lot of interesting stuff about how people react to variations of emails.
    Short messages that are to the point works well, but so do some marketing tricks, such as scaring people, FUD.

    Since the company was never satisfied, and wanted everything I did as their exclusive property, I used mainly multiple overlapping test groups with random sampling. I would have preferred advanced modelling, which I am really good at, but did not want to loose rights to do that. I later

  • Copy the bug into your own messages, and swamp their stats base with crap.
  • I bought some train tickets from GNER, as they were then, and got signed up to their "newsletter". Since I'm hardly ever on that side of the country, I had no reason to even bother reading the thing. I never got round to unsubscribing from it, just deleted it unread.

    A few months back, I got an email from their successor, along the lines of, "We noticed you haven't read the newsletter in quite a while. Click here to stay subscribed, otherwise it'll stop coming." I thought that was pretty good; I always assum

  • by illogic ( 52099 ) on Friday December 03, 2010 @06:33PM (#34438534)

    People who send email newsletters (not spam) that people have signed up to receive, want to have analytics data on who reads their messages. Perfectly normal, not dastardly companies that offer email marketing platforms like Constant Contact, MailChimp, CampaignMonitor, etc. all include such recipient tracking by default. Not only by noticing whether or not somebody downloads an image in an HTML email, but also by rewriting all URLs linked in the message so that individual clicks can be registered. These are all recorded uniquely to each subscriber so the sender can tell who is interested in what content. Anyone who is surprised about this is out of the loop. This kind of information is very useful for the nonprofit I work for to understand which of our opt-in subscribers are interested in what content and how we can make our emails more useful for their work. []

  • Hammers can apparently be found in many residences. Can they be used for nefarious purposes?

    It's called split testing or multivariate testing and it's a perfectly legitimate marketing tool. If you don't trust a specific company, unsubscribe from its damn mailing list

  • I hate it too, but yes it is now considered socially-acceptable to harvest info from your readers via "bugged" images.

    About a year ago I was talking to a local party official about this, after I discovered the local party was doing this with its email list. He's a nice guy, but everyone who works there including himself is a volunteer, and none of them are particularly computer-saavy.

    I tried to explain to him that that kind of harvesting is a Bad Thing, but I don't think I had much success. Email is abo

  • Everyone does this! Since at least 10 years now !

    Have a look at, they sell this as a service and they do it well !

  • I receive all my mails using RoundCube webmail these days. It warns that an HTML e-mail contains images, and will only display them if you want to. If an e-mail demands a read receipt, you are prompted whether or not you wish to send that.

    The bottom line is that web bugs are not possible without the cooperation of dumb client software.

  • Receive an e-mail with smileys from a Hotmail user and your decent e-mail program will warn that the message contains images. If you choose not to display them, the e-mail is devoid of all emoticons.


  • I manage a mailing list for a client - it's completely opt-in, either in the retail stores or via the website signup forms.

    To keep current with what other companies are doing, I've signed up for dozens of email newsletters. I would say that at least 3/4 are using the equivalent of web bugs to track email open rates - it's not 100% accurate, but it's far better than nothing. It's a checkbox feature by EVERY major 3rd party email service provider.

    Actually, I've also examine a lot of SPAM - they do NOT do w

The last thing one knows in constructing a work is what to put first. -- Blaise Pascal