How to Prevent Emails From Tracking You in Apple Mail

[MacRumorUser78]

Mind sharing how you're achieving this? I've been looking for a simple solution for this for a while.

Simple solution? Mine is not, but for more than a decade I've had a site with 1and1 which allows many email addresses (no doubt others do too). Assume my domain is mywebsite.com, I created a subdomain web.mywebsite.com. Any email to web.mywebsite.com comes to my mailbox. so macrumors@web.mywebsite.com is collected. My normal email comes to <whatever>@mywebsite.com. The 'web' is arbitrary, it's what choose since it represented signing up for things on the web. Some people get excited when I tell them to email me at DrSmith@web.mywebsite.com. DrSmith (not his real name) said that it was impossible for that to be my email address. I have a macro that types web.mywebsite.com to simplify.

BTW, I don't think that this is a good solution to the problem anymore (I think it ceased to be shortly after I implemented it). You can use something like SpamSieve to filter emails from sites you don't want. So I've lately just been using signin@mywebsite.com as my email for signing up on websites. But SpamSieve only works on a computer, so if you check email on your phone it may not work unless your computer is on and downloading email. Which probably works fine except from time to time I travel for more than a month and then leave my computers shut down.

I've found lately that most sites respect take me off your mailing list requests. Occasionally I get emails from old addresses where the site has been hacked or maybe bought from an unscrupulous site manager.

I still get Nigerian style spam.

 

[justperry]

Or just get a pi-hole and get your entire network covered. Then get another Pi and host a VPN on it and remote in to your own protected network from whatever other internet access points you use.

Or JUST, Hahaha.
Guess what, not a lot off people know about these solutions, hell, most people don't even understand Pi-hole/VPN/Tracking/Privacy/inetrnet....

 

[matrix42]

The aforementioned plug-ins don't seem to be installable as there isn't an option to manage plug-ins in Apple Mail anymore.

I don't want to block images in Apple Mail - so this is already a hassle as it will disable some features in emails I want to keep visible/usable. I am still using Little Snitch to do the heavy lifting in this department, it seems to work fine, and I'm used to the pop-ups.

Go to Mail Settings , General Tab right at the bottom "Manage Plugins".

 

[MacBH928]

The problem is most emails now days are image filled and disabling the load will break the email's format. I wish there would be a standard like no images or only images attached to the email, so companies can say we send emails according to the "X" standard.

I enabled this last year when an Audi dealership insisted that they replied to me but really hadn't. The sales rep sent a screenshot of every interaction I had with their messages and it creeped me out.

This is also how marketing firms track their reach, so even more reason to enable this.

I don't understand, if they did not reply to you how did they screen shot your interactions?

 

[MacBH928]

WTF? Tracking images are creepy, but let's not pretend they're magical, because they're not. You get an email. It's full of HTML, because nobody does plain text email any more (sigh). Because it's HTML, it can specify images to load. One of them is an image on the sender's server (eh, probably all of them are images on the sender's server - that's how the web works). The act of requesting that image from the remote server leaves a log entry in the remote server (which is how the web has always worked). If they gave the pixel image a name that's unique to you (not your name, just a random number they've associated with you), then they can infer, because that image was requested from the server, that you requested it (by opening the email), and they know when, because the server logs when it fulfills requests, and by looking the requesting IP address up in a geolocation database, they can get an approximate location. But you make it sound like the pixel image itself is actively transmitting information - it's not - there's no "code within the pixel", it's just an image.

Will they store an image for every user for every email? that sounds absurd

Or just get a pi-hole and get your entire network covered. Then get another Pi and host a VPN on it and remote in to your own protected network from whatever other internet access points you use.

This is the problem. Most people do not understand what is going on and this is how evil corporates get away with it. Most people deal with the internet like they deal with the TV, press the red button and it turns on. How it works they got no idea.

The other problem is that sometimes you can not use a PiHole to block tracking because blocking a specific tracker can block the whole service, for example if you block "x.youtube.com" might stop the whole youtube website from operating.

 

[Rigby]

Will they store an image for every user for every email? that sounds absurd

Of course not. But they generate unique URLs for each email, which all resolve to the same image on the server.

For 95% of emails I receive I have no problem reading them with all remote images blocked. For the rest, if I absolutely have to see the image, I can selectively load individual domains in my email client (Thunderbird).

 

[posguy99]

Goodness, it's open-source. The beautiful thing about that is that if you don’t trust it outright, dig in and look at the source yourself to see when and where it makes uploads. It does what it says on the tin and doesn’t phone home.

FOSS-lovers really need to stop with that sort of nonsense. Not one in one hundred of those who think they should be using FOSS would be competent to even understand what "source" meant, let alone make intelligent decisions about what a particular source file might be doing, or not doing.

 

[posguy99]

How is Homebrew support for M1 Macs? Or, perhaps a better question, any ideas on how many Homebrew apps have been updated to native ASi support vs. having to run through Rosetta?

Amazingly, Homebrew knows the answer to both these questions. Why, I bet they have a web page and everything.

 

[jonblatho]

FOSS-lovers really need to stop with that sort of nonsense. Not one in one hundred of those who think they should be using FOSS would be competent to even understand what "source" meant, let alone make intelligent decisions about what a particular source file might be doing, or not doing.

I'm not a FOSS stan by any stretch, but if you’d like me to summarize the reasons why it’s asinine to believe that this project would try to sneak in the baselessly alleged kind of functionality (that a third party is “monitoring” your emails), I certainly can.

1. The source code is visible to everyone, including those who are competent to analyze it for improper behavior. As someone who’s competent to analyze the source files, I can confirm — as I said — that it does exactly what it says it will do — nothing more, nothing less. “Exactly what it says it will do” is blocking images from a list of known trackers or preemptively blocking images that are likely to be trackers based on being 0/1px wide/tall.
2. Following that line, if someone who is able to analyze the source files does discover surreptitious improper behavior, what are the odds that they just sit quietly instead of loudly advising others not to install the software? I can tell you I’d immediately do my best to get the word out if I saw anything suspect. It’s tough to keep a secret when there’s nowhere to hide them.
3. You say “not one in one hundred” is able to analyze the source files. While that is probably true of the general population, this software recommends installing through Homebrew, a command-line tool most prominently used by developers. Homebrew’s statistics suggest that this software has been installed just short of 3,000 times. What are the odds that there have been a few thousand installs through Homebrew and no one caught anything suspicious by now?
4. Even users who are not competent to analyze the source files directly would be able to see that Mail is uploading received messages just by looking at Activity Monitor. Any users who happen to have Little Snitch would also see a suspect connection out of Mail while it hypothetically uploads received messages to a third-party server. I don’t know about you, but I receive way more messages than I send, so if I saw that that balance was thrown off after I installed this utility, I’d certainly have had some concerns.
5. It’s not a revenue-generating project. Setting up servers with the networking and storage capacity to receive and analyze at least tens to hundreds of thousands of emails — with a theoretical upward bound in the range of hundreds of millions to billions — per day for some surreptitious data harvesting operation is certainly not a trivial expense for a project that receives no money.
6. The project positions itself as humane with an explicit anti-tracking stance. Does it make any sense for a piece of open-source software that speaks strongly about tracking to proceed to do its own tracking?
7. The project has several contributors. The likelihood is very slim that all contributors on a project as opinionated as this one would just quietly sign on to this kind of surreptitious behavior if it’s not already there.

Healthy skepticism is fine, but accusations that this project has any unscrupulous component range from poorly thought-out to complete nonsense.

 

[1262385]

Amazingly, Homebrew knows the answer to both these questions. Why, I bet they have a web page and everything.

Amazingly, the Homebrew blog and all the articles talking about M1 support I saw say something along the lines that package support is incomplete. I’m a very recreational Homebrew user, and was wondering if someone had a more in-depth perspective of the degree of native coverage.

 

[trigf]

The problem is most emails now days are image filled and disabling the load will break the email's format. I wish there would be a standard like no images or only images attached to the email, so companies can say we send emails according to the "X" standard.




I don't understand, if they did not reply to you how did they screen shot your interactions?

Not that it's relevant to the conversation, but I was working with a different sales rep and I brought up the fact that they had not responded to a prior email I sent them around October of last year. He then sent me a screenshot of their system that showed all the interactions I had with their mail messages.

 

[posguy99]

The problem is most emails now days are image filled and disabling the load will break the email's format. I wish there would be a standard like no images or only images attached to the email, so companies can say we send emails according to the "X" standard.

I stopped caring what HTMLdiots thought things should look like ages ago. If their "code" doesn't degrade gracefully, then they're incompetent. If they don't include a plain-text part, then they're doubly incompetent.

 

[CarlJ]

Will they store an image for every user for every email? that sounds absurd

Ages late, to be sure, but... no, they don't store a separate image for every user, they have a single image file, say, pixel.png. If you look at your profile page here on MacRumors, you'll note you're referred to as "macbh928.186543". Your username (converted to lowercase), and an index number that they've already associated with you. MacRumors could easily have their webserver include ".../pixel.186543.png" in emails to you, and ".../pixel.29900.png" in emails to me (etc.), and set the webserver so that when it receives requests for "pixel.<anynumber>.png", it should send back pixel.png, but, then, it has recorded in its logfiles (webservers normally write a logfile entry for every request processed) that the user with id# 186543 requested the image from X ip address at Y time. Further, they could add an additional index that is associated per-email - so when they emailed you about topic "foo", it contained "pixel.37.186543.png", and for topic "bar" it was "pixel.38.186543.png". Now they can tell which email you read (and from roughly where, and at what time).

 

[MacBH928]

Ages late, to be sure, but... no, they don't store a separate image for every user, they have a single image file, say, pixel.png. If you look at your profile page here on MacRumors, you'll note you're referred to as "macbh928.186543". Your username (converted to lowercase), and an index number that they've already associated with you. MacRumors could easily have their webserver include ".../pixel.186543.png" in emails to you, and ".../pixel.29900.png" in emails to me (etc.), and set the webserver so that when it receives requests for "pixel.<anynumber>.png", it should send back pixel.png, but, then, it has recorded in its logfiles (webservers normally write a logfile entry for every request processed) that the user with id# 186543 requested the image from X ip address at Y time. Further, they could add an additional index that is associated per-email - so when they emailed you about topic "foo", it contained "pixel.37.186543.png", and for topic "bar" it was "pixel.38.186543.png". Now they can tell which email you read (and from roughly where, and at what time).

hmmm... I didn't know this was a thing when in html you can have a specific string request a different a file. I think pixel.png will always request pixel.png and thats it.

This tracking thing is getting seriously creepy

 

[CarlJ]

hmmm... I didn't know this was a thing when in html you can have a specific string request a different a file. I think pixel.png will always request pixel.png and thats it.

This tracking thing is getting seriously creepy

In html, you ask for a file by name, and you get back... whatever the server feels like sending in response to that request. Just the same way that a server can respond to a request for any page by sending back a login page, if you're not logged in, a server can also send back different files for the same request by different people - think for instance of a server that deals primarily in images, that sends back a named image, but can instead send back (using that same name/request), a generic "user has exceeded their quota" image.

In this case, it's many image requests (for image.<idnumber>.png) all getting served the same image (because the author of the email doesn't really care about the image, which is a 1-by-1 pixel transparent png anyway, what they care about is getting your device's request for the image name that has your id number encoded into it). Webservers are not some natural immutable thing that is mined out of the earth and used only in that form - they're just another program, something that knows how to speak the proper protocols (http, mostly)... they get a request, and they send something back. Convention is that they send back the contents of a file that has the name that you specified, but that is only convention - it's entirely possible to put code in a webserver that, for instance, responds to a request for a specific image name by running code that generates that image on the fly: you could ask for forecast.png, and to you it looks like a file that is sitting on the webserver's disk, but the server could actually be running a script to generate the current image on the fly.

Imagine for a moment a webserver where, when you request image "face.png", it looks at your IP address and if the last digit is even, it sends back the contents of (its local file) "happyface.png", while if it's odd, it sends back the contents of "sadface.png". So roughly half of the users see a smile and half see a frown.

In this case, though, it's the program generating the email that puts an <img> request into the email that will request a file from their webserver, where the filename includes an id number of some sort that the company can relate back to you, and possibly to the specific email. Then it's simple enough for software running on the webserver to watch the logs and see that "customer A requested image B which was included in email C, and they requested it at time D, from IP address E". They can use information for good, or nefarious, purposes.

 

[MacBH928]

In html, you ask for a file by name, and you get back... whatever the server feels like sending in response to that request. Just the same way that a server can respond to a request for any page by sending back a login page, if you're not logged in, a server can also send back different files for the same request by different people - think for instance of a server that deals primarily in images, that sends back a named image, but can instead send back (using that same name/request), a generic "user has exceeded their quota" image.

In this case, it's many image requests (for image.<idnumber>.png) all getting served the same image (because the author of the email doesn't really care about the image, which is a 1-by-1 pixel transparent png anyway, what they care about is getting your device's request for the image name that has your id number encoded into it). Webservers are not some natural immutable thing that is mined out of the earth and used only in that form - they're just another program, something that knows how to speak the proper protocols (http, mostly)... they get a request, and they send something back. Convention is that they send back the contents of a file that has the name that you specified, but that is only convention - it's entirely possible to put code in a webserver that, for instance, responds to a request for a specific image name by running code that generates that image on the fly: you could ask for forecast.png, and to you it looks like a file that is sitting on the webserver's disk, but the server could actually be running a script to generate the current image on the fly.

Imagine for a moment a webserver where, when you request image "face.png", it looks at your IP address and if the last digit is even, it sends back the contents of (its local file) "happyface.png", while if it's odd, it sends back the contents of "sadface.png". So roughly half of the users see a smile and half see a frown.

In this case, though, it's the program generating the email that puts an <img> request into the email that will request a file from their webserver, where the filename includes an id number of some sort that the company can relate back to you, and possibly to the specific email. Then it's simple enough for software running on the webserver to watch the logs and see that "customer A requested image B which was included in email C, and they requested it at time D, from IP address E". They can use information for good, or nefarious, purposes.

So they can make the server do "If file (any number)-pixel.png then serve (pixel.png) ". Hmm...I guess that is logical. I just assumed that servers had a number of files and serves those files back at request...they can track me by logging time stamps and IP stamps.... I just didn't know it can ID the request specifically and server something different for each different ID.

thanks that was informative, and raises paranoia!