An HTML-only email from a gov agency has a logo referencing a URL that looks like this:
https://1wy1y.mjt.lu/tplimg/1wy1y/b/l9hl7/g3q3v.png
It’s not exactly that (apart from the domain) but of course it’s rather unique looking. They send email routinely. The initial emails had an obviously non-suspicious basic logo, like (their office domain)/files/logo.png. But then they switched and every message from them is the URL in the mjt.lu domain. It’s not unique per message but it could be unique to me, perhaps to keep tabs on when I read the messages.
The output of torsocks curl -LI looks like this:
HTTP/2 200
date: (exactly now)
content-type: image/png
accept-ranges: bytes
That’s it. It’s the shortest http header I’ve seen. There’s no content-length. I find that suspicious because if this is a service that facilitates tracker pixels, then they would want to withhold the length in order to dodge detection. Although from its usage in my case it wouldn’t just be a pixel – it’s a logo.
The date is also suspect. Shouldn’t the date be the date of the object, not the current time this second?
Are there any other checks to investigate this?
key@lemmy.keychat.org 8 months ago
Mailjet’s documentation indicates they use an explicit pixel image for tracking email open status and that can be turned on or off in account settings. However it also indicates they put all images included in an email template through the same infrastructure as tracking links. So most likely they record the view but whether that usage data is retained and available to the gov agency is hard to say without making an account with Mailjet and testing.
coffeeClean@infosec.pub 8 months ago
I was imagining how a well-designed mail client might detect likely tracker pixels and signal the user. If MUAs were sufficiently evolved, that kind of convenience/sloppiness of transmitting tracker pixels but then putting the switch somewhere on the server wouldn’t fly. Anyway, I appreciate the insight. It certainly raises a transparency issue.
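The kind of client-side check imagined in the comment above, as an added example that is not part of the thread: it lists the images an HTML message would fetch remotely and notes which ones load from a host outside the sender's domain or are declared 1x1. The sample message, agency.example and t.tracker.example are constructed; the first image URL is the one quoted in the post.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message; agency.example and t.tracker.example are placeholders.
SAMPLE = """\
From: Office <news@agency.example>
To: me@example.org
Subject: Update
MIME-Version: 1.0
Content-Type: text/html; charset=utf-8

<html><body>
<img src="https://1wy1y.mjt.lu/tplimg/1wy1y/b/l9hl7/g3q3v.png" alt="logo">
<img src="https://agency.example/files/logo.png" width="120" height="40">
<img src="https://t.tracker.example/o/abc123.gif" width="1" height="1">
<img src="cid:footer@agency.example">
</body></html>
"""

class ImgCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.imgs = []
    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.imgs.append(dict(attrs))

def audit_remote_images(raw):
    """Return (url, reasons) for every image the message would fetch over HTTP(S)."""
    msg = email.message_from_string(raw, policy=policy.default)
    sender_domain = msg["From"].addresses[0].domain.lower()
    html = msg.get_body(preferencelist=("html",)).get_content()
    collector = ImgCollector()
    collector.feed(html)
    findings = []
    for a in collector.imgs:
        url = urlparse(a.get("src") or "")
        if url.scheme not in ("http", "https"):
            continue  # cid: and data: images are embedded, nothing is fetched
        host = (url.hostname or "").lower()
        reasons = []
        if host != sender_domain and not host.endswith("." + sender_domain):
            reasons.append("third-party host")  # image request goes to someone else
        if a.get("width") in ("0", "1") and a.get("height") in ("0", "1"):
            reasons.append("declared as 1x1 or smaller")
        findings.append((url.geturl(), reasons))
    return findings
```

A size-only check would pass the logo from the post; it is the host comparison that flags it, which matches the point that every template image goes through the same infrastructure.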