be Smart.
be Secure.
Phone: 800-441-6612

Protecting Yourself from Email “Web Bugs”

Web Bugs are images in HTML-formatted email messages that, when viewed, tell the sender of the message that you read the message.  This mechanism of obtaining an essentially covert confirmation that (a) your email address is valid, (b) the email got past your filters, and (c) you actually read the message, is pervasively used by Spammers to identify what addresses are reading their messages.

Why do spammers use Web Bugs?

Spammers send out to hundreds of thousands or millions of different email addresses in the hope that some small percentage of the recipients are “taken in” by whatever scheme they are using.  Using Web Bugs, Spammers can prune their lists down to the small fraction of people reading their email and target those people with many more spam messages of different kinds.  I.e. if you read a Spam message and are identified as a “good recipient” by a Web Bug, then your email address just became a spam magnet!  This is bad for you but good for the Spammers — as a larger percentage of messages that they send make it to viable recipients.

How to Tell if Someone Read Your Email Message?

In general, there are very few ways to know if someone has read an email message that you sent to them.  The possibilities include:

  • Read Receipts: You add a “read receipt request”.  If the recipient is using an email client that supports read receipts and the recipient decides to allow the receipt to be sent when the message is opened, then you get an emailed notification back when the recipient has read the message.  Use of read receipts is very unreliable; while most email clients support them, most people have them turned off or they routinely decline to have the receipts sent back to the sender (I know I do!)
  • Message Pickup: In systems where you have to go to a web site to access your message content, like with SecureLine Escrow, the sender always knows if and when you have picked up the message.
  • Download Tracking: If the email message contains a link to some object (such as an image or file) on a web server somewhere and you download that object, then a record is made of that download in the web server’s logs. If that link contains information identifying you and the message, then the sender can look at the logs and determine:
    • That you read the message
    • When you read the message
    • The IP address of the computer you used when reading the message
    • Possibly more things

How Do Web Bugs Work?

Web Bugs use the Download Tracking mechanism.  The email sent contains HTML-formatted content.  When you view the HTML, images are downloaded from external web servers as part of the message content.  One or more of these images will contain tracking information identifying to whom the message was sent and which message was sent.

The tracking image(s) are typically small or inconspicuous.  It could be a 1×1 pixel transparent image, or anything else.

In order to be effective, Web Bugs require:

  • You to read the message
  • Your email program to be displaying HTML-formatted message parts
  • Your email program to be downloading and displaying any images in such message parts.

Many email programs, like Outlook, do all of this automatically.  Some programs, like Mozilla Thunderbird, now-a-days ask you before downloading and displaying images in messages to help protect you against these bugs.

How to Protect Yourself Against Web Bugs

There are many things you can do to protect yourself from Web Bugs.  By “protect yourself,” I mean that you should be able to read messages without Spammers knowing that you are doing so — and it should not be difficult!

  1. Filtering: The best way to protect yourself is to use server-side email filtering that auto-detects and auto-removes any Web Bugs in email messages, while leaving the rest of the images in the messages intact.  LuxSci’s Premium Email Filtering can do this (though you have to enable this setting in your filtering policies as it is not on by default).
  2. A Good Email Program: Use a good email program, like Mozilla Thunderbird, which will hide images in messages until you ask for them or “allow list” the sender.  Using a “old style” plain-text-only email program will also work!
  3. A Good WebMail Program: Using a good WebMail program, like LuxSci’s WebMail, can help too. LuxSci’s WebMail allows:
    1. Previewing the message content in plain text before opening the message (no chance of triggering a WebBug or any other email threat when previewing a message in plain text)
    2. Display of the HTML content of messages if off by default and can be toggled on and off as needed (with a hot key or menu option).  You can thus view the entire message content and attachments without needing to display the HTML and expose yourself to WebBugs or other HTML-based threats.
    3. Display of images in HTML is off by default and can be toggled on and off as needed (with a hot key or menu option). I.e. you can view the full HTML and merely have all of the images blanked out — no chance of triggering a WebBug in this case either.

If you are caught by WebBugs and get on the “spam me” lists, you may find yourself the target of increasing amounts of spam — even spam appearing to come from yourself or backscatter spam where your address was used to send spam to others.  If this is the case, you will either need to get some really good filtering, or change your email address.

One Response to “Protecting Yourself from Email “Web Bugs””

  1. Has Your Email Been Read? Read Receipts and Web Bugs | LuxSci FYI Says:

    […] the message; however, read receipts are not reliable.  Spammers use techniques such as HTML “web bug” tracking to see if you have read an email message and thus if your email address is valid […]

Leave a Comment

You must be logged in to post a comment.

• Access Anywhere
• Fast and Robust
• Super Secure
• Tons of Features
• Customizable
• Mobile Friendly

Send and receive email from your favorite programs, including:

 Microsoft Outlook
 Mozilla Thunderbird
 Apple Mail
 Windows Mail

... Virtually any program that supports POP, IMAP, or SMTP

Keep your email, contacts, and calendars in sync:

 Apple iPhone and iPad
 Android Devices
 Windows Phone

... Any device with Exchange ActiveSync (EAS) support

Relay your server's mail through LuxSci via smarthost:

• Resolve issues with ISP sending limits and restrictions
• Improve deliverability with better IP reputation and IP masking
• Take advantage of Email Archival and HIPAA Compliance
• Even setup smarthosting from Google Apps!

Free web site hosting with any email account:

• Start with up to 10 web sites and MySQL databases
• DNS services for one domain included
• Tons of features and fully HIPAA capable

LuxSci's focus on security and privacy:

• Read The Case for Email Security
• Read Mitigating Security & Privacy Threats
• Review our Privacy Policy

The most accurate, flexible, and trusted filters in the business:

• Premium protection with Intel Security Saas
• Realtime virus database guards against the latest threats
• Seven-day quarantine lets you put eyes on every filtered email
• Supplement with our Basic Spam Filter for even more features

End-to-end secure email encryption — to anyone, from anyone:

• No setup required — encryption is automatic and easy to use
• Secure outbound email with TLS, PGP, S/MIME, or Escrow
• Free inbound encryption via our SecureSend portal
• Independent of your recipient's level of email security
• Widely compatible and fully HIPAA Compliant

Add an extra layer of security with an SSL Certificate:

• Secure your web site
• Debrand LuxSci WebMail with your own secure domain
• Access secure email services via your own secure domain

Encrypt your service traffic via secure tunnel:

• Add another layer of security to your SSL connections
• WebMail, POP, IMAP, SMTP, web/database access
• SecureForm posts, SecureLine Escrow, SecureSend access
• Restrict your account to VPN access only

Secure long-term message archival:

• Immutable, tamperproof email retention with audit trails
• No system requirements — minimal setup, even less upkeep
• Realtime archival of all inbound and outbound messages
• Works anywhere — even with non-LuxSci email hosting

Free data backups included with all email hosting accounts:

• Automatic backups of all email, WebAides, web/database data
• Seven daily backups and up to four weekly backups
• Unlimited restores included at no additional cost
• Custom backup schedules for dedicated servers

Automate your email management:

• Save messages to specific folders or to LuxSci WebAides
• Advanced text scanning with regular expressions
• Tag messages, alter subject lines, or add custom headers
• Filter by message charset, type, TLS status, DKIM status
• Chain filters together for even more complex actions

• Bulk add and edit users, aliases and more
• Control sharing and access globally or on a granular level
• Delegate user roles through permissions
• Configure account-wide taglines, sending restrictions, and more
• Remotely administer account via SOAP API

Share, collaborate, organize, synchronize:

• Calendars, Contacts, Documents, Notes, Widgets, Workspaces
• Fine-grained access control and security
• Access anywhere via secure web portal or smartphone
• Save over solutions like Microsoft Exchange

Free folder sharing for all email hosting accounts:

• Share mail folders with other users in your account
• Subscribe to only the folders you want to see
• Set read-only or read-write access control
• View all personal and shared folders via unified web interface

Color code and label your email messages:

• Define and assign multiple IMAP keywords to each message
• Filter, search, and sort by tags
• Compatible and synchronizes with any IMAP email client
• Also usable with WebAide entries