It turns out that one of the methods HP investigators used was a service called ReadNotify. It’s a tracker that tells someone when an email is open by a designated recipient. Basically, it drops a small amount of html code into an email that reports back when you’ve opened the email (this is usually referred to as a web bug).
Email spyware? Yes, and remember that if you subscribe to newsletters and the like, chances are that email’s delivery is already being tracked through web bugs. And spammers have certainly used this trick to track what email addresses are live. But Readnotify is a little scarier — it’s not some nameless tracking of broad open rates on emails — it’s someone who is personally tracking the emails they’ve sent you.
Creepy? Yup.
Using ReadNotify is fairly straightforward (after you signup with their service): You can either download a plug-in, or you can simply append “.readnotify.com” after the end of an email.
The email looks normal, so the only way you can tell if you’re being tracked is by looking in the message header.
Or, if you read messages in plain text, you’ll see the web bug they put in the email, and can readily see if you’re being tracked (and also, if you’re in plain text, the tracking won’t work). The emails will also ask you for a Return Receipt (which I routinely ignore, despicable things that they are).
However, if you prefer to keep reading email with pretty fonts and graphics (as opposed to plain text, which is always the safest method), you can create a simple Outlook rule to look for Readnotify.
For example, you could create a simple rule in Outlook which puts a colored flag or some time of visual cue whenever someone sends you a Readnotify message. It’s not perfect, but it’s a start.
Simply create an Outlook rule, select “with specific words in the message header” and then add the following strings:
readnotify.com
readnotify
emsvr.com
(If you need help creating rules, twclark has a nice explanation of creating x-header rules — at least for spam — here.)
Also, turning off images in your email program should stop the notification to Readnotify as well..
As a side note, Emsvr.com, related to readnotify.com, has one of the creepier websites, using “The great leap forward” to describe their service. Never mind that the term “the great leap forward” is generally associated with Mao Tse Tung’s disastours attempt to rapidly advance China, leading to the deaths of, oh, about 14–20 million Chinese. The site also inserts “We hope you enjoyed your www.emsvr.com site visit” persistently into your clipboard.”. Like I said, creepy.
I’m sure some enterprising fellow will think up a better Outlook rule than me, so feel free to drop a comment if you’ve got a better idea. And keep in mind these rules will only work for Readnotify, and not other email tracking services — and will only work as long as Readnotify puts that domain into the email.
Alex Eckelberry
