Difficult to feel pity for business models built on abusing HTML capabilities to track email viewing.
I don’t load remote images by default, so this already doesn’t work for me. However, basically every mail platform creates tailored links to track click engagement. So you’re screwed anyway, just maybe a little later.
> However, basically every mail platform creates tailored links to track click engagement.
Yep, even financial institutions do this and half of them don’t even use domains they own for the tracking links.
Years and years of “don’t click on suspicious links” out the window because bank.example.com/creditcard is turned into 4828fjfneo848.totallyfine.adtracker.thirdparty.example.org
I hate all of it but nobody seems to give a shit (nor do they care to implement proper 2FA to effectively guard against phishing) so whatever. If people have their accounts drained because marketers gotta get that sweet engagement metric, what does it matter any more?
My work touts the "look at links before you click!". But they also auto forward all email links to a service that scans the link for malicious stuff. The result is that when I hover over a link, I get a REALLY long url, like: https://urldefense.company.com?link=blablablablablahlablabla......
This is pretty common and something that bit us last year - enterprise Outlook 365 (or some extension? idk it was def only O365 though) added some security features that would make a HEAD request to any links contained in an email. This messed up our (admittedly antiquated) process for activating users and resetting passwords as it consumed the one-time code our systems generated for them, as you mentioned. Because the app that handled this was old and in the process of replacement we didn't want to invest too much time in rewriting it all, so a quick and easy fix was to have a handler specifically for HEAD requests to those activation and reset resources. The link protection started issuing GET requests a little while after, so we ended up having to add an extra confirmation step so the user had to click something after the link was followed.
To be honest the original process we had maybe wasn't 100% perfect - users can double click links for example, and would see a message that the link had "expired". So from a UX perspective we maybe should've had the extra confirmation step before activation/reset to begin with. But I'm in two minds over email providers following all the links in your emails, it feels a bit creepy
Wow, this behavior seems perfect for sneakily verifying that an email was received. And the user can't do anything against it. It's not a perfect replacement for tracking pixels, though, if you want to figure out whether an email was opened. Creepy.
I don’t think it would be that useful to be honest. I don’t think it happens when the email is opened by the end user, but some point during the delivery process. And even then you’d only find out from some email providers - not everyone does it
I read it as anyone – including spammers – who puts link in will get a head request to it from the email provider, thus providing information – even if just that the address is real.
However, the absence of a bounce probably also does that, albeit less reliably.
Does anyone actually send links like that? Any competent programmer will make the link expire on an interaction, not on load - there are some many things that could cause a link to receive a GET request, but where the use wouldn't actually be able to interact with the page.
Using GET for non-idempotent generally considered bad, but it seems that email is a place that non-idempotent GET is still used. I often see it on unsubscribe link.
Those are meant to load a page with a confirmation form that makes a POST request. The GET link can still expire over time, but must never be expired from a GET request: you never know when a link preview bot is going to follow links.
It's easy: I set a rule in Mail that flags every email containing "Unsubscribe" or related terms with a red flag, and I review and mark them as junk when they show up. Every newsletter is spam because I would never ever sign up for one, regardless of whether I do business with the sender. Either they are illegally mailing me spam from some list that they purchased, or they hid their "please don't send me bullshit" opt out when I signed up for their services, because I would never ask to receive marketing or product updates. It's all spam.
When I unsubscribe from a mailing list I know I didn't sign up for, I'll also hit the report spam button in the hopes it gives them some negative gmail juju.
Depending on where you do it, yeah, it works. In the gmail interface for gmail, but also in the unsubscribe reason box for the sending platform. Both work.
Do both, but definitely do the spam report via Gmail or your email provider because that dings the platform they use as well. Without a threat to their mailability, they'd have no incentive to keep their customers (the person spamming you) honest.
And more and more often, unsubscribe links go 403 or even 500 when on Tor or well-known VPNs, while the rest of the site works fine on it. A great way to make me never want to deal with you again is to coerce me to doxx myself to unsubscribe from your newsletter.
It's not uncommon for the unsubscribe links to live on the same domain as the link tracking and other features of whatever email or marketing automation platform they are on, so if those are blocked to prevent tracking, the unsubscribe links would be as well.
> Years and years of “don’t click on suspicious links” out the window because bank.example.com/creditcard is turned into 4828fjfneo848.totallyfine.adtracker.thirdparty.example.org
I got an email from my bank (Barclays) a couple of months ago that literally took me several minutes to determine whether or not it was a phishing email.
It wasn't, but it used badly compressed jpegs for the Barclays logo and the call-to-action button, the link attached to the button had no verifiable connection to Barclays, and for some reason it used backticks instead of apostrophes in the copy.
When I finally did click the link I was half expecting to be taken to a page saying "you moron, this is obviously a scam" in 96pt font.
I spend about 10 seconds at most thinking about if my bank sent me a spammy looking email and then separately go to the bank site and look for whatever they were supposedly talking about.
I just don’t click on those links, except on accident because some jackass made it impossible to copy/pasta the URL on my mobile device because I couldn’t see what the URL was in a preview window.
The MFA we commonly use right now won't protect against phishing because, as I suspect you mean, the codes are not protected against being entered into the "wrong" site.
Proper MFA, like U2F/FIDO2/whatever-it-is-called-today, will protect against phishing because the visited site won't match the hash needed to complete the second-factor-auth-flow.
Yes it does, maybe not directly. Two examples, both 1Password and my Yubikey only autofill passwords based on the domain. I immediately get a tingle when I go to autocomplete a commonly visited website and it doesn't fill ... time to immediately inspect the URL for phishing etc. Those tools have definitely saved me multiple times.
You get what you measure, so relying solely on clicks to measure interest is going to drive email products toward more clickbait designs and content—reversing a nice trend over the last few years to put most/all of the content into the email itself.
Clicking links doesn't sound like the sort of thing that email servers would know about one way or the other. Likewise for engaging (or not) with emails at all. What setup do you have in mind where this is the case?
Given that AFAIK Apple Mail downloads entire messages regardless of whether they're opened, Apple's change here doesn't seem likely to affect delivery rates in this way anyway.
Your IMAP server doesn't report read status back to the sender. Unless your e-mail provider is an advertiser *cough* Google *cough* the advertiser doesn't know if you read a message just because the IMAP server marked it as read.
Also an IMAP server's read status doesn't mean someone manually interacted with an e-mail. If you mark messages as read in bulk, even if the provider reported that status to an advertiser, says nothing about engagement.
You can request a read receipt with emails, which will cause the MUA to send an email saying you've read the message (although I suspect most clients default to asking you if you want to send it before doing so).
I think that it would be better using NNTP and plain text, and then these problems are avoided anyways. Then the sender need not keep track of these things or to worry about the things that you mentioned, I think. Also can be good to include the text in the message if you can do and not usually needing a link, you can then access it even if you are not connected to the internet, too.
(I use email software that is not even capable of HTML email, and I don't want HTML email.)
Outlook killed NNTP 20 years ago by virtue of not supporting it (every other mail client at the time did).
it also suffered as a discussion medium because of the decentralized unauthenticated measure, for sure - I don’t think the global hierarchy would have done much better than it did.
But two companies I was consulting for around 2000 had very effective NNTP internal servers, and both switched them off around the same time because Outlook didn’t support them (Outlook Express did, but that’s not helpful)
One just went the “reply all” route. One used a mailing list (majordomo, iirc). Neither worked remotely as well as NNTP did.
NNTP does support authentication (with username/password or with SASL), although I don't know which client programs implement it (my own currently doesn't, although this could be fixed in future).
You could use a mailing list and/or web forum with the same messages as the NNTP. I have my own NNTP server software with partial implementation of a web forum but none of a mailing list yet; I would hope to fix this. Other software might already do this, I don't know. (I know there are programs that can duplicate the messages and make them available, but I don't know if there are those that will use the same message database for all three and/or that will use NNTP as the "main format".)
Synchronet might be able to do it; I know it has many functions, including Telnet, NNTP, email, IRC, FidoNet, HTTP(S), SSH, Gopher, PETSCII, etc. There is a web forum too. (As far as I know, it doesn't have Gemini yet.) However, Synchronet is a complicated software, and is designed for a BBS and might not be what you wanted, so having other software can be good if a BBS is not the kind of service you intended to run, I think.
The authentication/federation problem is what killed the public nntp use even among the non-Outlook users; But it was Outlook that had killed it among corporate and professional users. Those are two independent issues.
Gmane[0][1] did bidirectional nntp to mailing-list in 2002; But there's a mismatch, both technical and cultural, with these gateways.
Also, in an internal system, the IT department has to be willing to support them, and they weren't in my cases.
It's now water under the bridge. NNTP is essentially dead except for legally questionable video distribution.
Can you elaborate a bit how your mailbox provider knows about click/engangement rate?
E.g. why would Fastmail have any metrics on how their users interact with the mail they receive?
I see everybody calling out that one should keep a clean subscriber list (e.g. only keep engaged users) but I fail to see this is relevant to the actual mail acceptance/inbox delivery.
Is this annoying? Do you still want it if there's nothing in it you want to engage with?
Or are you saying you want to read it, but take no related actions on it?
I would absolutely love to be automatically unsubscribed from everything I don't engage with.
I get tons of kinda-sorta-legit marketing emails due to a very old generic gmail address, and people being bad (or lazy) at entering addresses everywhere.
(Also tons of actual email meant for other people, but that's another story)
Often I read it but take not actions. Or just look up related things without following links.
Good newsletters often have lots of valuable content in the email. Sometimes there are interesting links, sometimes there aren't. If I don't want it anymore I'll unsubscribe.
It feels a lot like why we can't have nice things. If people just hit "Spam" instead of unsubscribing than this overly-cautious defense of senders becomes necessary. Luckily GMail at least has started pushing the unsubscribe feature somewhat, so maybe that will help out. But for now I am being punished because a lot of people mark things that they asked for as spam.
Why can't apple just allow some kind of pixel that doesn't reveal user identity, or strip user identity from what's already being used.
I don't really mind someone knowing I opened an email, just like I'm fine with a website knowing I visited (say using plausible.io rather than google analytics). I get that that's useful to them for non-nefarious reasons.
"Read receipts" are already part of e-mail and supported by every email client I am aware of. There is already a well-supported way to track whether e-mail has been successfully opened or not without using subversive tracking pixels.
The reason businesses don't rely on them is supposedly because "too many users disabled or rejected them during the past decade".
I feel like there is a body of literature waiting to be written about businesses refusing to take a hint in favor of user-hostile decisions. These things are conscious choices by the senders and they had several meetings about it.
Apple can't strip identity from the existing trackers because there's not a separate and distinct part of the tracker that encodes the user identity. It's integral to the tracker itself, which makes this an all-or-nothing proposition.
The image filename is a UUID. The UUID is of course unique for each email sent, but the Web server is configured to serve the same image for any given UUID (after recording the UUID as an "open" into a database).
There isn't a way for an email client to be certain that the image is or isn't a tracking pixel.
> I don’t load remote images by default, so this already doesn’t work for me. However, basically every mail platform creates tailored links to track click engagement. So you’re screwed anyway, just maybe a little later.
Right, but I don't mind if companies I'm actually doing business with track my engagement. For newsletters I've actually signed up for, clicking the "load remote images" and/or on personalized links helps them with their business model, so why not? If I don't trust them with the data, I probably wouldn't sign up for their list anyway.
I'm more worried about randomly being tracked by who knows what person or organization. With the "don't load remote content by default", I have control over when and how I get measured.
I noticed that WikiPedia does something that would work for you; if you don't login and click the link in the email, they stop delivering wiki page change notifications.
I don’t load remote images by default, so this already doesn’t work for me. However, basically every mail platform creates tailored links to track click engagement. So you’re screwed anyway, just maybe a little later.