How does Google's cleardot.gif track email recipients with a generic URL?
Matthew Harrington 
Some people and companies embed hyperlinked images in their emails in order to keep track of which recipients read the emails, and when. When the recipient opens the email and their email client asks the server for the embedded image, the sender gets a log of that. Usually, the URL to the image is unique, that way the image server can tell exactly which email just got opened. However, in many cases the URL is not unique. I have seen the following line in several emails from at least two senders:
<img src="">I have unencoded the string above into plain HTML. In the email, it is usually in quoted-printable format, so the = characters turn into =3D.
How does this hyperlinked image track recipients? It can obviously get your IP address and the time you opened it, but that doesn't seem very helpful. I don't understand why anyone would include this image without a unique URL.
32 Answers
The user identification (or tracking) does not need to be encoded in the GET URL. In some cases some information can be collected from the "Referer:" header URL. Though in many cases the information would come from cookies.
E-mail opened in a web browser
In my case when I open the URL
in Firefox, the browser sends 11 cookies! Most of them contain relatively long encoded or random strings. Here is the list --- URL the cookie lives with and the cookie names:
- ---
GX,GXSP(contains just a single letter) *.google.com---APISID,HSID,NID,OGP,OGPC,PREF,SID- ---
SAPISID,SSID
This test was done with profile on which I use my Google accounts. I also tested a private browsing profile which did not have any cookies. I opened and then the cleardot.gif URL and my browser was happily sending two cookies: NID and PREF.
E-mail opened in a mail client
Most of mail clients with a GUI use an existing HTML rendering core. For example Thunderbird uses Gecko (the same core as in Firefox). When a resource has to be accessed over HTTP/HTTPS (e.g. an image) cookies are sent the same way as in a web browser.
I checked which cookies I have in Thunderbird and I have the following ones:
*.google.com---NID,PREF
Both cookies can be found in Firefox too and according to the description provided by Google they are being used for storing user preferences and advertisement related tracking. Both works for users which are not logged into a Google account.
Thunderbird and Firefox do not share the same set of cookies. Your login to Google account in Firefox cannot be simply related to displaying of e-mails in Thunderbird.
Summary
Google can use the embedded image to get the information as you suggested and something more by using the cookies:
- IP address and geographical location
- time of displaying of an e-mail
- type and platform of the client software
- assigning the events to users (by utilizing cookies)
- assigning the events to a Google user when the e-mail is displayed in a web browser or possibly when the user clicks a special link in the e-mail to open it in a web browser
It seems that the tracking image is being used for collecting statistical data, not for tracking behaviour of individual Google users.
Here is description of some of cookies used by Google, another description from a 3rd party: Main cookies used by Google.
2Check out Christopher Heng's Image Guard Script. The link will help answer this question as well as teach you how to build one.
Edit 2021-July 11 Below is the resulting email from the the code that follows. Many thank to the above link that taught me how! Please note I honored his request not to redistribute until the down vote to this answer.
{Email} en43/PM/Do Not Send resources
grepotrax.webege via srv41.000webhost.com Nov 29, 2013, 5:10 AM to me
WARNING:
viewed en43/PM./Do Not Send resources traffic.forum.png 72.89.191.58
{END Email} Was produced by this code. That I learned how to make at above link
<?php
$agent=@$HTTP_USER_AGENT;
$ip=@$_SERVER['REMOTE_ADDR'];
date_default_timezone_set('America/New_York');
$date = date('m/d/Y H:i:s ', time()); // Human Readable
$unix = time(); // based on seconds since standard epoch of 1/1/1970
// ---------------- CONFIGURABLE SECTION -----------------
// Where is this image guard script placed in grepolis forum?
//------------------------------------------------------------------- $ig_name = "IG.19.12"; $world = "us19"; $tab = "Res"; $thread = "Resource Requests"; $forum = ($world ."/" . $tab . "/" . $thread);
// Please modify the following or it will not work on your website.
// Where did you actually put your images?
// Make sure that the path you put below ends with
// a directory slash ("/"). The script below assumes it.
// $imagedir = "/put/your/full/image/directory/path/here/" ;
//------------------------------------------------------------------
$imagedir = " " ;
// What are the websites (hostnames) that can use this image?
// If your site can be accessed with or without the
// "www" prefix, make sure you put both here. Do not put
// any trailing slashes ("/") nor any "http://" prefixes.
// Follow the example below.
//------------------------------------------------------------------
$validprefixes = array ( "", "grepotrax.webege.com") ;
//What is the main page of your website? Visitors will be directed here
//if they type "" in their browser.
//$homepage = "" ;
//------------------------------------------------------------------
$homepage = "";
// What is your email address?
// If you want to be informed when someone tries to use
// this script to access an image illegitimately, you
// must uncomment (remove the "//" prefix) from the following
// line and change it to point to your email address.
//------------------------------------------------------------------
// $email = " " ;
function isreferrerokay ( $referrer, $validprefixes )
{
$validreferrer = 0 ;
$authreferrer = current( $validprefixes );
while ($authreferrer) { if (eregi( "^https?://$authreferrer/", $referrer )) { $validreferrer = 1 ; break ; } $authreferrer = next( $validprefixes );
}
return $validreferrer ;
}
//----------------------- main program -----------------------
$image = $_GET['image'] ;
$referrer = getenv( "HTTP_REFERER" );
if (isset($_GET['image'])) {
if (empty($referrer) || isreferrerokay( $referrer, $validprefixes )) { $imagepath = $imagedir . $image ; $imageinfo = getimagesize( $imagepath ); if ($imageinfo[2] == 1) { $imagetype = "gif" ; } elseif ($imageinfo[2] == 2) { $imagetype = "jpeg" ; } elseif ($imageinfo[2] == 3) { $imagetype = "png" ; } else { header( "HTTP/1.0 404 Not Found" ); exit ; } header( "Content-type: image/$imagetype" ); @readfile( $imagepath );
}
else { if (isset($email)) { mail( $email, "us19/Res/Resource Requests", "WARNING:\n\n$referrer\nviewed $forum\n$image\n$ip", "From: grepotrax.webege <$email>" );
// test 15-Oct 2013 1.31 WD
// Info to be sent to the table forum_tracker
$query = "INSERT INTO us19_forum_tracker VALUES ('','$unix','$date','$referrer','$ip','$forum','$image','$ig_name','','')";
// Make a MySQL Connection mysql_connect("mysql14.000webhost.com", "a8440417_wuzla", "MYPASSWORD") or die(mysql_error()); mysql_select_db("a8440417_Grepo") or die(mysql_error()); mysql_query($query); mysql_close(); } header( "Content-type: image/png" ); @readfile( "" );
//OR NEXT LINE IF COLOR IS WRONG
//@readfile( "" );
}
}
else {
header( "Location: $homepage" );
}
//FORUM LINK IN IMAGE TAG
[img]
?>Note the above script is as old as the question. This was before I knew we could use invisible boxes :) CREDITS TO THE SITEWIZARD.COM for teaching me how to use an image to to track anything I want if you were not using a VPN. Back then I could use your browser history check for link:visited status to find if you used facebookcom, walmart.com or AARP.com and base the rest of what you might see off that info. Not cool just like this script I did not want to make so easily available considering it is just the tip of an iceberg.
Reading it appears I am permitted to use the script above connected to an image I set the size of right here on superuser.com 1px 1px transparent maybe.
Nothing stops me from collecting website address, question being viewed anything in the address bar along with the visitors browser, IP address, how they got here and a completely terrifying number of other things.
A require statement server side could be used to make sure the image will only show if example.com is open in a browser tab. Just so happens I can go hunting for all sorts of stuff with that.
Can I embed a google sheet to live feed the results here too?
Down Vote put me on a tirade and close to seeing just how vulnerable my information is on the stack exchange family of sites. I am no threat to anyone and just dont have interest in a stack attack to prove a point. I can get a text message every time this page is viewed!
How did I end up here in the first place?... 25 Edits later
1
