An HTML-only email from a gov agency has a logo referencing an URL that looks like this:
https://1wy1y.mjt.lu/tplimg/1wy1y/f/l9hl7/g3q3v.png
Itās not exactly that (apart from the domain) but of course itās rather unique looking. They send email routinely. The initial emails had an obviously non-suspicious basic logo, like ā(their office domain)/files/logo.pngā. But then later they switched and every message from them is the URL in the mjt.lu domain. Itās not unique per message but it could be unique to the user, perhaps to keep tabs on when each person reads their messages.
The output of torsocks curl -LI looks like this:
HTTP/2 200
date: (exactly now)
content-type: image/png
accept-ranges: bytes
Thatās it. Itās the shortest HTTP header Iāve seen. Thereās no content-length. I find that suspicious because if this is a service that facilitates tracker pixels, then they would want to withhold the length in order to dodge detection. Although from its usage in my case it wouldnāt just be a pixel ā itās a logo.
The date is also suspect. Shouldnāt the date be the date of the object, not the current time this second?
Are there any other checks to investigate this?
You must log in or register to comment.
Mailjetās documentation indicates they use an explicit pixel image for tracking email open status and that can be turned on or off in account settings. However it also indicates they put all images included in an email template through the same infrastructure as tracking links. So most likely they record the view but whether that usage data is retained and available to the gov agency is hard to say without making an account with Mailjet and testing.
If youāre concerned, just turn off images for untrusted senders in your email client.
I was imagining how a well-designed mail client might detect likely tracker pixels and signal the user. If MUAs were sufficiently evolved, that kind of convenience/sloppiness of transmitting tracker pixels but then putting the switch somewhere on the server wouldnāt fly. Anyway, I appreciate the insight. It certainly raises a transparency issue.
Honestly without a copy of the email file with all the information included Iām not sure whatās going on here based off your description. You say they have a logo āreferencingā this oddball url (btw itās a hosting company, seems theyāre owned by OVH in France)
What does referencing mean exactly? Are you saying this url is the source listed in the email of the logo/tracking image?
Itās possible thats the logo is used for tracking but I wouldnāt go drawing any conclusions outside of that hypothesis. Tracking pixels are pretty commonplace in emails both by businesses and by govts. Why? Because the communications and outreach folk care about metrics like how long you read an email and if you made it to the bottom or not, etc.
Based off what I do see here/understand in your case, this does seem to be a tracking pixel, but I canāt stress enough not to let your mind run off and start making further assumptions based off this singular fact.
Donāt let worry/anxiety blur any lines in your head between what you know and what you suspect/predict.
- An infosec guy who has talked to waaaaaaaay too many people struggling with schizophrenia/paranoid delusions/etc
What does referencing mean exactly?
Sometimes HTML email comes with the logos and objects needed to render it, sometimes not. When the objects are included itās possible to render the message while offline. In the case at hand, the logo was not included and the HTML body defined a logo with that unique URL inside
imgtags.In the very least, if we assume the tracking is appropriate and that itās consistent with the privacy policy and ToS I agreed to, I would still find it objectionable that a government would conceal the fact that they are using a tracker pixel/image by withholding the content-length header. The gov should be transparent about what they are doing. They should even disclose in each such message āwe have a tracker pixel in hereā, for transparency which should not be an issue if itās legit. I personally need the content-length header because Iām on a shit internet connection and have a need to know how big something is before I fetch it. So Iām disturbed that all Cloudflare sites (which is like Ā½ the web now) withhold the
content-lengthheader. The agency at hand is sloppy with privacy and probably sloppy with everything. Itās not necessarily malicious but nonetheless Iām not going to lower the standard by which they should be held to.Right right, I know how html tags and all that works just wanted to make sure we were for sure both talking about the same thing thatās all. Wasnāt verbiage I normally see so I verified quick
And this 2nd part you have here makes total sense with me and I fully agree, just wanted to make sure I wouldnāt be inadvertently causing any harm to you if you were struggling with paranoia or anything like that, thatās all. Hope I wasnāt coming off as too dismissive!!
if you run a whois on the domain, it turns out it belongs to mailjet. they are a big service provider for bulk emails, notifications, stuff like that.
my guess is this is their cdn or something similar. you can see the ā1wy1yā string in the URL path as well as a sub-domain. thatās most likely the customer ID or ātenant idā for the gov agency inside the mailjet cloud. also guessing that ātplimgā could stand for ātemplate imageā or similar, indicating that they have an email template with this image always being there. which makes sense if itās a logo.
as for the curl call, i tried to open the url in a browser, but it just sends an empty response, thatās why you donāt see a content-length header. i guess mailjet checks where the url is being called from, either with user-agent or some custom headers or whatever, so it only loads if you actually open the email. this prevents unnecessary traffic costs for them.
i donāt think there is anything wrong here, just laziness on the gov agencyās side. they could have created some sub-domain that is an alias pointing to this mess. it wouldnāt cost anything.
as for the curl call, i tried to open the url in a browser,
I scrambled it for my own privacyā¦ so that would not work. But I preserved the structure well enough that your insight was helpful.
Make another account to see if a different user/email address gets a different URL, which would indicate that it is used to track users.
Thatās cheating. I wish it were that easy but I really canāt create another account for this. I will ask around if anyone else has an account so we can compare notes. But I was just wondering if there is anything else I can do in a solo investigation to get more clues. It would generally be a useful skill to detect messages from other senders as well.
I did a search on the domain to see if itās a known service that sells tracking capability but that came up dry.nvmā¦ it seems mailjet.com is behind this and they appear to be pitching analytics services.
No idea what you put here, canāt see it on my app. Could you try a screen shot instead?
Not op but here you go mate.
Youāre a rock star thanks
Given the post is about tracking via an image I thought you were making a joke by asking for the post as an image š
Lmao
I would ditch an app that canāt handle text. You want a screenshot of what, curlās output? Iām on a shitty connection with images disabled so itās a bit of a hassle and uses my allowance.
Itās lazy input sanitization, and until someone makes a better app, this is what I got unfortunately.
Canāt you ditch your poor connection to benefit my ass and my busted ass app? šš (laughing emoji, tongue sticking out emoji in case you canāt see em)
emoji works, just not pics. But thankfully someone on a proper connection handled it.
