Privacy: Don’t let Gmail show images by default

Recently Gmail started caching all images sent to its users and by default will now display them when you look at your email. At first glance it seems like a good idea. It protects your IP address, stops the sender dropping cookies in your browser and possibly speeds up image loading for you. What it doesn’t do is stop the sender knowing that you opened the email. Your privacy is at risk if you enable this. Marketing efforts just became a lot easier.

A carefully crafted image filename will let the sender know that a particular user viewed his spam email, even if Google host the file on their own servers. Google has to fetch the file from the sender’s server, and the URL it requests will contain a number or string identifying that user.

http://example.com/logo.jpg?email=joe@example.com

As soon as that image is opened by Google the sender knows they have a valid email address.
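
To see which images in a message would give you away before you let them load, here is an added example (not code from this post or from Gmail) that lists remote images whose URL carries something per-recipient. The function names, the 16-character token threshold and the sample HTML are assumptions made for the illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlsplit

# Heuristics assumed for this example: a value that is an e-mail address,
# or a long opaque token, is treated as identifying one recipient.
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[A-Za-z]{2,}")
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]{16,}")

# Constructed sample body: two tracking images, one shared image, one inline image.
SAMPLE_HTML = """
<img src="http://example.com/logo.jpg?email=joe@example.com">
<img src="https://news.example.net/o/9f3c2a7b51d84e0fa6c1b2d3.gif" width="1" height="1">
<img src="https://static.example.org/img/header.png">
<img src="cid:inline-logo">
"""

def _remote_img_sources(html):
    """Collect the src of every <img> that points at an http(s) URL."""
    sources = []
    class Collector(HTMLParser):
        def handle_starttag(self, tag, attrs):
            src = dict(attrs).get("src") or ""
            if tag == "img" and urlsplit(src).scheme in ("http", "https"):
                sources.append(src)
    Collector().feed(html)
    return sources

def _classify(value, recipient):
    if recipient and value.lower() == recipient.lower():
        return "recipient address"
    if EMAIL_RE.fullmatch(value):
        return "e-mail address"
    if TOKEN_RE.fullmatch(value):
        return "opaque token"
    return None

def find_tracking_images(html, recipient=None):
    """Return (url, reason) for each remote image whose URL looks per-recipient."""
    findings = []
    for src in _remote_img_sources(html):
        parts = urlsplit(src)
        values = [v for _, v in parse_qsl(parts.query)]
        # The identifier can also be a path segment, e.g. "<token>.gif".
        values += [seg.rsplit(".", 1)[0] for seg in parts.path.split("/") if seg]
        reasons = [r for r in (_classify(v, recipient) for v in values) if r]
        if reasons:
            findings.append((src, reasons[0]))
    return findings
```

The token check is only a heuristic, so a long but harmless path segment will be flagged too.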

How easy is it to track usage? It’s simple! I wrote a plugin in 2007 called blog voyeur that could track visitors who viewed my blog through RSS readers if they had left comments here. (I’m not using that plugin any more, don’t worry, your anonymity is safe!)

The documentation on the new settings says as much but I doubt many people will look there.

In some cases, senders may be able to know whether an individual has opened a message with unique image links. As always, Gmail scans every message for suspicious content and if Gmail considers a sender or message potentially suspicious, images won’t be displayed and you’ll be asked whether you want to see the images.

Gmail does a good job of spotting spam but legitimate email can contain these tracking images too. I get promotional emails from companies I’ve dealt with. I would much rather they not know when I open or even if I have opened their emails. If I wanted them to know, I’d tell them.
So, when you see that popup informing you that images will be displayed, click on Settings and disable image loading.


Who gets your data after death?

I have to admit that filling in the inactive account settings for my Google account gave me the shivers. There’s not much that would stop me logging into my Google account for more than 3 months. It would have to be one of the following:

  • Trekking through a rainforest pursued by secret agents monitoring all radio communications.
  • Lost on a desert island with only 80’s computer equipment to keep me amused.
  • In a coma after a botched attack by terrorists who are hell bent on killing open source developers.
  • Dead.

None of the above are very appealing options but at least one is as inevitable as, err, taxes, so it must be faced.

I added a trusted contact and was then presented with a popup asking for a subject and email body. Writing that was unsettling but I hope more services do something similar. I’ve heard too many horror stories about Facebook accounts that have been frozen on the death of an account holder.

You can choose what data is or isn’t shared with a contact. Included is Latitude, which has tracked my whereabouts for the last 2 years and will continue to do so. It makes me wonder how my descendants will cope with the deluge of information. It may very well end up as an anonymous zip file on someone’s computer I guess.

The list won’t be frozen in time either. Do I add my siblings? What about my son when he’s older? What age? I should set a calendar reminder for his 18th birthday. I’ll have to warn those trusted contacts because Google sends an email and a text message when the account goes inactive. Like a letter from the grave.

A really simple way to archive your Tweets

  1. You have a gmail account don’t you? Visit Google Reader now.
  2. Click on the “Add a Subscription” button.
  3. Type in the web address of your Twitter profile. Mine is http://twitter.com/donncha.
  4. Click Add.
  5. There is no #5.

Since Google Reader doesn’t have the 3,200 post limit that Twitter has you can always get access to your old tweets, even when you go over that limit. On the downside, your Twitter account can’t be private and Google will find out yet more about you (but they probably already indexed your Twitter account anyway so no loss there!)

Link Exchange Spammers Are Back Again!

Well, the link spammers never really went away did they? Has anyone noticed a huge increase in the number of “link exchange” emails or is it that I’ve been added to a particularly busy spammer’s list? I just noticed that a few recent ones contained the text “emailsnomore(dot)com” so I’m going to add a gmail filter to delete any emails containing that domain. You probably should too.

Hi,

My name is Daisy Gibson, Web Marketing Consultant. Ive greatly enjoyed looking through your site ocaoimh.ie and I was wondering if you’d be interested in exchanging links with my website, which has a related subject. I can offer you a home page link back from my related websites all in google cache and backlinks which are:

shawntierney(dot)com PR4
collectiveunconsciousltd(dot)com PR3

If you are interested, please send me the following details of your site:

TITLE:
URL:

I’ll add your link as soon as possible, in the next 24 hours. As soon as it’s ready, I’ll send you a confirmation email along with the information (TITLE and URL) regarding my site to be placed at yours.

I hope you have a nice day and thank you for your time.

Kindest regards,

PLEASE NOTE THAT THIS IS NOT A SPAM OR AUTOMATED EMAIL, IT’S ONLY A REQUEST FOR A LINK EXCHANGE. YOUR EMAIL ADDRESS HAS NOT BEEN ADDED TO ANY LISTS, AND YOU WILL NOT BE CONTACTED AGAIN. IF YOU’D LIKE TO MAKE SURE WE DON’T CONTACT YOU AGAIN, PLEASE FILL IN THE FOLLOWING FORM: emailsnomore(dot)com ; PLEASE ACCEPT OUR APOLOGIES FOR CONTACTING YOU.

gmail: no third-party DSNs

Be careful if you forward email to a gmail account. Gmail doesn’t like receiving mail delivery status notices or reports. This server filled up overnight with tens of thousands of email reports bouncing back and forth between it and gmail. If you emailed me in the last 24 hours and I haven’t replied, I may not have received it (yet).

postfix/cleanup[12107]: 9FE58326C1: reject: header Content-Type: multipart/report; report-type=delivery-status;??boundary=”A507733AD3.1188834275/mail.ocaoimh.ie” from local; from=<donncha_@_ocaoimh.ie> to=<xxxx@gmail.com>: no third-party DSNs

I really haven’t had any luck with email recently …

How I fixed everything

  • First of all I disabled the forward to my gmail accounts by moving .procmailrc out of the way.
  • Then I deleted a lot of log files to make more breathing space for everything and watched the mail spool into my mail file.
  • That was taking too long so I shut down Postfix and went into /var/spool/postfix/ and into the active, incoming and maildrop folders where I moved every file with the string “Undelivered Mail Returned to Sender” out of the way:

    # Run in /var/spool/postfix/ with Postfix stopped: move queued bounces aside
    for i in $(grep -rl "Undelivered Mail Returned to Sender" *); do mv -vi "$i" /tmp/xxx/; done

  • After restoring the .procmailrc, I restarted Postfix and lots of legitimate email started flowing again!
  • I added the following recipe to my .procmailrc which I hope will stop bounced messages getting to Google:

    :0:
    * ^Subject: Undelivered Mail Returned to Sender
    POSTMASTER.txt
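
The recipe above matches on Postfix's bounce subject only, while the log line shows the header that actually marks a DSN: `Content-Type: multipart/report; report-type=delivery-status`. As an added example (not part of my setup, and not Postfix or procmail code), this checks a message for that header, for the null sender that bounces carry, and for the subject as a fallback. `hold_reason` and the sample messages are constructed for the illustration.

```python
from email import message_from_string

# Subject used by Postfix bounces, the one the procmail recipe matches.
POSTFIX_BOUNCE_SUBJECT = "Undelivered Mail Returned to Sender"

def hold_reason(raw_message):
    """Return why a message should stay out of the Gmail forward, or None."""
    msg = message_from_string(raw_message)
    report_type = str(msg.get_param("report-type")).lower()
    if msg.get_content_type() == "multipart/report" and report_type == "delivery-status":
        return "delivery-status report"
    # Bounces are sent with the null envelope sender, recorded as Return-Path: <>.
    if (msg.get("Return-Path") or "").strip() == "<>":
        return "null sender"
    if POSTFIX_BOUNCE_SUBJECT in (msg.get("Subject") or ""):
        return "bounce subject"
    return None

# Constructed sample messages (headers trimmed to what the checks read).
SAMPLES = {
    "postfix_bounce": (
        "Return-Path: <>\n"
        "Subject: Undelivered Mail Returned to Sender\n"
        'Content-Type: multipart/report; report-type=delivery-status; boundary="B1"\n'
        "\n--B1\nContent-Type: text/plain\n\nbounce text\n--B1--\n"
    ),
    # A bounce from another MTA: different subject, same report type.
    "other_mta_bounce": (
        "Subject: Delivery failure\n"
        'Content-Type: multipart/report; report-type=delivery-status; boundary="B2"\n'
        "\n--B2\nContent-Type: text/plain\n\nbounce text\n--B2--\n"
    ),
    "plain_bounce": (
        "Return-Path: <>\n"
        "Subject: failure notice\n"
        "Content-Type: text/plain\n"
        "\nThe address does not exist.\n"
    ),
    "comment_notification": (
        "Return-Path: <wordpress@example.org>\n"
        "Subject: [blog] New comment\n"
        "Content-Type: text/plain\n"
        "\nSomeone replied to a post you subscribed to.\n"
    ),
}
```

Only the first sample would be caught by the Subject recipe; the second and third are bounces it lets through.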

What caused the problem in the first place? A bounced email from Yahoo. Someone left a comment with a fake email address, subscribed to the post and when another comment was left on that post the subscription email bounced. It’s worked fine before so I’m not sure why Google are complaining now! Over 2GB of bounced mail. My poor server.

Update! It happened again but I stopped Postfix at 9.5MB free on the filesystem and this time I found out what went wrong. I implemented these Postfix rules Justin blogged about without running Spamassassin. Well, I used to run SA but then when I started using Gmail I stopped, which is probably why I didn’t see this earlier. Not Justin’s fault, my own for playing with fire!

Why not let Google filter your spam?

I’ve been running Spamassassin and Postgrey on my mail server for the past few months. It was only since the server was upgraded that I had enough juice to run the very intensive SA processes (even using spamd), but still on occasion the server would grind to a stop when a particularly nasty Rumpelstiltskin attack was underway.

So, last week I met Mark for a coffee and he showed me his Nokia N90 (or N80, I can’t remember) and the gmail app that was installed on it. He collects his gmail email on his phone, after it’s filtered for spam, and what with the cost of GPRS data, that’s quite a saving. I don’t intend reading my email on my phone (I hate my W810i anyway), but he did give me the idea of sending my email through Google and then popping it off into Thunderbird!


Now, I have a simple .forward to send on my email. I was able to shut down Postgrey and Spamassassin and email is delivered quickly and with few false positives or spams getting through. When I think of it, I can use the web interface to check what’s due to come down the line. You also get the added bonus of encrypted pop3 data, useful when you’re at a conference or simply on public wifi.

I’m sure everyone else has been doing this for ages and ages but hopefully this will inspire at least one person to follow suit and rid themselves of spam once and for all!

Introducing Ms. Dewey

Ms. Dewey is the attractive front end of Microsoft Search. She’s entertaining and comments on search items and does her own thing if you leave her alone for a minute or two! Search for President Bush or even gmail for some great stuff! If the search for Yo Mama doesn’t make you smile and laugh I don’t know what will!

That was fun for about five minutes but she’s definitely the most attractive search mascot/helper I’ve seen online and good linkbait to get people to try their search technology! (via the Natural Search Blog)
