Email Tracking: How Email Gets Tracked


Introduction

Whether you’re trying to track a person or tracking users’ actions and activity (for example in an email campaign), the methods are the same or similar. Email tracking covers:

  • Email tracking (whether it’s opened/read)
  • Event tracking (whether a link is clicked)
  • Recipient’s IP tracking

Email Tracking: How Email Gets Tracked

Simplified: by placing an image into the email’s HTML content, the sender can track some of the previously mentioned parameters (opened emails, clicked links, IPs, etc.). The image is often invisible, a single-pixel GIF (referred to as a web beacon). Opening the email triggers an image load from a remote server, which leads to “email open” detection and/or tracking of the recipient’s IP (in some cases).

In large email campaigns, to distinguish between users/emails, the loaded image’s name (or its parameters) usually contains some user-related information (ID, hash, etc.). Additionally, you can place a link within the email (Start here, Follow up, etc.) and trace the users’ response rate or the campaign’s success rate (emails sent vs. emails opened vs. click rate).

Email Tracking Example (PoC)

We need to include a single-pixel GIF/image in the email via an image link, e.g.:

<img src="https://<TARGET_DOMAIN>/webbeacon.php" />

To generate a single-pixel GIF web beacon in PHP (webbeacon.php):

<?php echo base64_decode("R0lGODlhAQABAIAAAAAAAAAAACH5BAEAAAAALAAAAAABAAEAAAICRAEAOw=="); ?>

Next, to send the email, we can use the system’s mail configuration and sendmail. First, define the content of the email (HTML):

From: <Source/System Email Address>
To: <Target Email Address You're Going to Track>
Subject: Tracking Email Example
Mime-Version: 1.0
Content-Type: text/html

<h1>Test Email Example </h1>
The mail body.
<img src="https://<TARGET_DOMAIN>/webbeacon.php" />

Next, pipe that content into the sendmail command:

$ cat content.html | sendmail -t

When the user receives that email, the email client will usually trigger the image request, in this case to webbeacon.php. The image will not be visible, but the request is made nonetheless.

With this, you can track whether the email is opened or catch the recipient’s IP address. To track an event (like a link click), you’ll have to add the link to the content and adjust or create a PHP file to process it.

Note: some email providers/clients can cache an image (for a month), so additional emails might not trigger the “webbeacon” fetch.

Email Tracking and Email Client Support

The market share of email clients leans surprisingly towards Apple. A rough estimate of the current market share:

  • Apple Combined: iPhone/iPad/Apple Mail (42%)
  • GMail (30%)
  • Outlook / Hotmail (10%)
  • Yahoo (6%)
  • Google Android (3%)
  • Samsung Mail (1%)
  • etc.

To get back to the previous point: email tracking is not supported by all email clients. To confirm this manually, we can send an email to any of these clients and monitor the web server’s log file (Apache/nginx). The log will clearly show which email clients “enable” tracking and which don’t.

iPhone Apple Mail Tracking

Opening the email in the iPhone’s Mail client produces the following output in the web server’s log:

xxx.xxx.xxx.xxx - - [21/Sep/2019:23:58:43 +0000] "GET /webbeacon.php HTTP/2.0" 200 28299 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 12_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148"

Although the email account belongs to Google (@gmail.com), we receive the correct IP of the target’s iPhone/network (xxx.xxx.xxx.xxx). Apparently, there isn’t any pre-processing by Google’s MX servers; email client processing is completely independent.

  • Email (Open/Read): Yes
  • Event: Yes
  • Recipient’s IP: Yes

Google Mail Tracking (Gmail)

Opening the email in GMail:

66.249.81.157 - - [21/Sep/2019:23:58:44 +0000] "GET /webbeacon.php HTTP/1.1" 200 61 "-" "Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko Firefox/11.0 (via ggpht.com GoogleImageProxy)"

Google relies on a proxy (GoogleImageProxy) to fetch remote images, so the recipient’s IP is not provided. 66.249.81.157 is Google’s proxy IP.

  • Email (Open/Read): Yes
  • Event: Yes
  • Recipient’s IP: No

Outlook Mail Tracking (Hotmail)

Opening the email via the Hotmail/Outlook web client:

xxx.xxx.xxx.xxx - - [21/Sep/2019:23:58:45 +0000] "GET /webbeacon.php HTTP/2.0" 200 150 "https://outlook.live.com/" "Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.132 Safari/537.36"

In this case, we’re receiving the recipient’s public IP (xxx.xxx.xxx.xxx).

  • Email (Open/Read): Yes
  • Event: Yes
  • Recipient’s IP: Yes

Yahoo Mail Tracking

Opening an email via Yahoo mail account:

212.82.108.87 - - [21/Sep/2019:23:58:46 +0000] "GET /webbeacon.php HTTP/1.1" 200 61 "-" "YahooMailProxy; https://help.yahoo.com/kb/yahoo-mail-proxy-SLN28749.html" 

Yahoo also relies on proxies (YahooMailProxy) to fetch remote images, so the recipient’s IP is not provided. 212.82.108.87 is Yahoo’s proxy IP.

  • Email (Open/Read): Yes
  • Event: Yes
  • Recipient’s IP: No

Other/Private Email Clients Tracking

When it comes to some popular clients (RainLoop, Roundcube), loading remote images is “disabled” by default (tracking doesn’t work), with the option “Display external images” for users to select manually (which makes all of this work).

xxx.xxx.xxx.xxx - - [21/Sep/2019:23:59:48 +0000] "GET /test.php HTTP/2.0" 200 150 "https://www.<DOMAIN>.com/mail/" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.132 Safari/537.36"

  • Email (Open/Read): Yes
  • Event: Yes
  • Recipient’s IP: Yes
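
The manual log check used throughout this section can be scripted when you test your own mailbox. This is an added example, not code from the original post: the log lines are constructed (documentation-range IPs) and the function names are assumptions, while the proxy markers are the User-Agent strings visible in the logs above.

```python
import re

# Combined log format: ip - - [time] "METHOD path proto" status bytes "referer" "user-agent"
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"')
# User-Agent markers of the image proxies seen in the log lines on this page.
PROXIES = {"GoogleImageProxy": "Gmail", "YahooMailProxy": "Yahoo Mail"}

# Constructed log lines shaped like the ones above; addresses are documentation ranges.
SAMPLE_LOG = '''\
198.51.100.7 - - [21/Sep/2019:23:58:43 +0000] "GET /webbeacon.php HTTP/2.0" 200 43 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 12_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148"
203.0.113.20 - - [21/Sep/2019:23:58:44 +0000] "GET /webbeacon.php HTTP/1.1" 200 43 "-" "Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko Firefox/11.0 (via ggpht.com GoogleImageProxy)"
203.0.113.30 - - [21/Sep/2019:23:58:46 +0000] "GET /webbeacon.php HTTP/1.1" 200 43 "-" "YahooMailProxy; https://help.yahoo.com/kb/yahoo-mail-proxy-SLN28749.html"
198.51.100.7 - - [21/Sep/2019:23:59:01 +0000] "GET /favicon.ico HTTP/1.1" 404 0 "-" "Mozilla/5.0"
'''

def classify(line, beacon_path="/webbeacon.php"):
    """Return None for non-beacon lines, else who fetched the image and whether the IP leaked."""
    m = LINE.match(line)
    if not m or m["path"].split("?", 1)[0] != beacon_path:
        return None
    for marker, provider in PROXIES.items():
        if marker in m["ua"]:
            # The provider fetched the image, so the logged IP is the proxy's.
            return {"fetched_by": f"{provider} image proxy", "ip_exposed": False}
    return {"fetched_by": "mail client", "ip_exposed": True,
            "ip": m["ip"], "referer": m["referer"]}

def exposure_report(log_text):
    """Classify every beacon request in a log excerpt, skipping unrelated lines."""
    return [r for r in map(classify, log_text.splitlines()) if r]
```

An "open" is recorded in every case; only the direct fetches also hand over the reader's own address.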

Email message JavaScript support [Additional info]

Aside from email tracking, JavaScript execution in email presents a significant security vulnerability. The text/html message body type (RFC 2854) explicitly addresses scripting, so the format itself supports JS:

In addition, the introduction of scripting languages and interactive capabilities in HTML 4.0 introduced a number of security risks associated with the automatic execution of programs written by the sender but interpreted by the recipient. User agents executing such scripts or programs must be extremely careful to insure that untrusted software is executed in a protected environment.

...but luckily, it’s not usually supported by email clients. Some users have reported that Thunderbird 52.4.0 with the “Original HTML” setting ignored the JS <script> document.write('Test alert'); </script> in test emails. The same went for Outlook for Android 2.2.44, K-9 for Android 5.208, the Gmail webmailer (tested 06.11.2017) and the Roundcube webmailer 0.9.5. So, in general, for most (modern) clients, JS doesn’t work.

Conclusion

Aside from potential stalkers and/or spammers abusing this, trying to find you or to confirm your email address is an active one, it’s a pretty useful skill to have in your skillset.

In any case, we should all be aware of it.

Simply by opening an email, on some email clients/apps you can reveal your location to the sender, confirm that your email address is an active one or simply that you’ve seen that email. Since the protocol “allows” JS, in some clients an attacker could potentially even gain access to the email account itself (session stealing). Further on, by getting the IP address of a recipient you could, depending on your social engineering skills, potentially convince the ISPs to reveal the user’s real address. Numerous dangers, no doubt.

We’re all lazy, but we should pay a bit more attention to this, especially if someone’s in “hiding” (from an abusive husband) or maybe doing something “illegal” (tracking a safehouse your wife resides in). We should all check whether our email clients support options to disable images/JS. If the client doesn’t do this itself, we could try to find tools that do (supporting extensions, libraries, etc.), or ultimately change the email client and find one that doesn’t allow email tracking (implicitly or explicitly via options).
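
One way to neutralise both the web beacon and the script case before a message is rendered, as an added example that is not part of the original post: it keeps only images embedded in the message itself (cid:/data:) and drops <script>. The sample message, tracker.example and all function names are assumptions; event-handler attributes, CSS and other remote resources are outside its scope.

```python
import html
from email import message_from_string, policy
from html.parser import HTMLParser

ALLOWED_IMG_SCHEMES = ("cid:", "data:")  # images carried inside the message itself
# Constructed sample modelled on the PoC message; tracker.example is a placeholder.
SAMPLE = """\
Subject: Tracking Email Example
Content-Type: text/html

<h1>Test Email Example</h1>
The mail body.
<img src="cid:logo@example.org" alt="logo">
<img src="https://tracker.example/webbeacon.php?id=42" width="1" height="1" />
<script>document.write('Test alert');</script>
"""

class Sanitizer(HTMLParser):
    """Re-emits HTML, dropping <script> and every <img> that needs a network fetch."""
    def __init__(self):
        super().__init__()
        self.out, self.blocked, self.in_script = [], [], False

    def handle_starttag(self, tag, attrs):
        src = (dict(attrs).get("src") or "").strip()
        if tag == "script":
            self.in_script = True
            self.blocked.append("script")
        elif tag == "img" and not src.lower().startswith(ALLOWED_IMG_SCHEMES):
            self.blocked.append(src)  # remote image: fetching it reports the open
        else:
            self.out.append(self.get_starttag_text())
    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)  # self-closing tag: no end tag to emit

    def handle_endtag(self, tag):
        if tag != "script":
            self.out.append(f"</{tag}>")
        self.in_script = False
    def handle_data(self, data):
        if not self.in_script:  # script bodies are dropped, other text is re-escaped
            self.out.append(html.escape(data, quote=False))

def sanitize_message(raw):
    part = message_from_string(raw, policy=policy.default).get_body(("html",))
    parser = Sanitizer()
    parser.feed(part.get_content() if part else "")
    parser.close()
    return "".join(parser.out), parser.blocked
```

The allowlist is deliberate: anything that is not shipped inside the message is treated as a potential beacon, whatever its size or visibility.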