
DC Tech

Email Editorials

Is it safe to click links in your email?

People click on email links all the time without ever asking the question "is this safe?". I will address three issues:
  1. How much do I reveal by clicking on this?
  2. Am I sure this is a web link?
  3. What alternative is there?

ISSUE #1: How much do I reveal by clicking on this?

The answer to the question varies a lot with your browser, mail reader, security settings, etc. So the quick answer is to look below. Here I show you basic information which is easily accessible and that would be of interest to a web site, especially one that is trying to attract clicks with spam.

"Referer" information you gave:
To the Browser | To the Server

In fact, any significant web site is going to be at least analysing the "server" information. This is information you give the web site to get the page; they don't have to do anything to get it. The "browser" information is usually (but not in all cases) identical. This is not automatically sent to the server, but anything appearing in your browser can easily be sent back to the server.

So if you are not looking at this by following an email link, go ahead and send a link to this page to yourself (for example, use the menu File>Send in Internet Explorer), and click on it to see what shows up. Then read below.

"Referer" is the address that sent you to this web page. Here are some examples from old web logs:

  1. http://lw2fd.hotmail.msn.com/cgi-bin/getmsg?disk=216.32.180.74_d349&login=nooe****&f=33808&_r=1090004673&curmbox=ACTIVE&_lang=&beta=&msg=MSG932662710.11&start=390350&len=3214
    HotMail doesn't give up this much information anymore, but this illustrates something to be aware of if you use web mail. Whatever shows up as the page you are on when you read your mail gets sent to any website you click to visit. HotMail used to reveal the login name. I replaced part of the name with **** to protect the email address which you could easily figure out from this referer information: nooe****@hotmail.com
  2. bookmarks
    In this case all I can tell is that somebody visited the page previously, bookmarked it, then came back using their bookmark.
  3. C:\WIN95\DESKTOP\newton.htm
    In this case the person was making their own web page on the desktop, likely as a convenient set of bookmarks.
  4. mailbox:/C|/Program Files/Netscape/Users/clem****/mail/Inbox?id=0FGQ00GALCRBGH%40mailgate.nau.edu&number=1604457
    Example 1 warned you of a hazard to watch for in case you use web mail; here is one to watch if you have a mail reader that stores the mail locally on your system. Again I protected the actual user email address, which can be worked out from the referer information: clem****@nau.edu

"Referer" is one way you might give up information to any website when you click on email links. In the case of spam, you could be giving up more information in other ways. Any "good" spammer tracks results, and will likely employ more than one method. For example, do you send "Read Receipts"? (Do you even know what they are, or how to turn them off in your email?) How about those pictures in your email? Are they sent with it, or do they load off a remote website?

Let's take the last case. Suppose you look at some spam and the pictures load off their website. This means their server logs now contain:
* your address (something like computer1234.universityofsomewhere.edu or a numeric id like 123.45.67.890 which can be tracked down)
* the time you loaded the image
* the name of the image
* what program you were using (e.g. your HotMail account, OutLook Express, Netscape Mail, Eudora, etc.)

By itself that doesn't sound too damaging; it's no more than you give out just by surfing the web. If they really want to track you they'll customize the image. You might get image.jpg?id=123 and the next email address on their list might get image.jpg?id=124 etc. The server just sends image.jpg in either case, but the logged information now contains an identifier. In that case, their server logs now enable them to identify when the image was loaded with your specific email address.

Now suppose you click on a link to get to the spammer's site. Now what information do they have?
* your address (something like computer1234.universityofsomewhere.edu or a numeric id like 123.45.67.890 which can be tracked down)
* the time you loaded the web page
* what browser you are using (e.g. Internet Explorer, Netscape, Opera, etc.)
* like the image in email, the link you click might be customized to the message you received for tracking purposes - such as http://www.somespammer.com/?id=1234
* even a more innocent looking address still might be a tracking address. "Hi, I'm Kelly and I'm in front of my web cam.... click on www.somesexspamsite.com/Kelly". Ok, how many girls' names are there, and how many permutations of this are there that can look just as innocent? www.somesexspamsite.com/kelly, www.somesexspamsite.com/KELLY, www.somesexspamsite.com/webcam/Kelly etc. All of these could take you to the very same page, but all can be automatically sent to different email addresses. There is no way of looking at the address and being sure that it won't be used to identify you.

Now put it all together. If you go to their website after reading their spam they can use computer1234.universityofsomewhere.edu to figure out that this visit came from a person who read their spam. Furthermore, they might be tracking enough to know which email address responded. Hence, the value of your email address, or perhaps only the list you were on, just went up for this type of spam. In essence, you voted to receive more.
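To see what a message would fetch before you open or click it, you can list its remote images and links from the raw source. The Python sketch below is an added example, not part of the original article; the sample message, the .example hosts and the function name remote_references are constructed for illustration.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample message (not real spam); hosts and ids are made up.
SAMPLE = """\
From: offers@somespammer.example
Subject: Special offer
Content-Type: text/html; charset="utf-8"

<html><body>
<img src="http://www.somespammer.example/image.jpg?id=123">
<img src="cid:logo@local">
<a href="http://www.somespammer.example/?id=1234">Click here</a>
<a href="http://www.somespammer.example/webcam/Kelly">Kelly</a>
</body></html>
"""

class _RefCollector(HTMLParser):
    """Collect <img src> (fetched on display) and <a href> (fetched on click)."""
    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        wanted = {"img": "src", "a": "href"}.get(tag)
        for name, value in attrs:
            if name == wanted and value:
                self.refs.append((tag, value))

def remote_references(raw_message):
    """Return (trigger, url, note) for every http(s) URL in the HTML body."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return []  # no HTML part, so nothing loads remotely
    collector = _RefCollector()
    collector.feed(body.get_content())
    out = []
    for tag, url in collector.refs:
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https"):
            continue  # cid: images travel inside the message; nothing is fetched
        trigger = "on display" if tag == "img" else "on click"
        # A bare path proves nothing: as noted above, it can be unique per recipient.
        note = "query string" if parts.query else "path only (may still be unique)"
        out.append((trigger, url, note))
    return out
```

Every row it returns is a request that puts your address, the time and your mail program or browser into the sender's logs; the note column only says whether an identifier is visible, not whether one exists.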


ISSUE #2: Do I know this is a link?

Would you spot this trick in your email?
   Subject: new photos from my party!
   Hello!

   My party... It was absolutely amazing!
   I have attached my web page with new photos!
   If you can please make color prints of my photos. Thanks!

   Attachment: www.myparty.yahoo.com

This was a big virus back in 2002. The trick was to name the virus being sent "www.myparty.yahoo.com". This meant that many people clicked to run the virus, believing that they were following a link to a web page.

With the multitude of email programs out there and the ever-changing formats they use to display messages there is no simple advice to give to let you know how to avoid a trick like this. Any advice given might be wrong in a month. The key is that if you are going to click on things in your email it is up to you to know your program well enough that you would be able to say to yourself "that's not a web link, that's an attachment" - or whatever.
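A mail filter can make the same distinction mechanically by checking attachment filenames instead of relying on how the mail program draws them. The following Python sketch is an added example, not part of the original article: the sample message is constructed with harmless placeholder payloads, and the host-name pattern and extension list are illustrative assumptions, not a complete rule set.

```python
import email
import re
from email import policy

# Constructed sample modelled on the message quoted above; payloads are harmless text.
SAMPLE = """\
From: friend@example.org
Subject: new photos from my party!
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUND"

--BOUND
Content-Type: text/plain

I have attached my web page with new photos!
--BOUND
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="www.myparty.yahoo.com"

placeholder bytes
--BOUND
Content-Type: image/jpeg
Content-Disposition: attachment; filename="party.jpg"

placeholder bytes
--BOUND--
"""

# Looks like a host name: starts with www. or ends in a common domain suffix.
# (Assumed heuristic for this example; the suffix list is illustrative.)
HOSTLIKE = re.compile(r"^(www\.[\w.-]+|[\w.-]+\.(com|net|org))$", re.IGNORECASE)
# Extensions Windows runs directly; .com is both a domain suffix and one of these.
EXECUTABLE = (".com", ".exe", ".scr", ".pif", ".bat")

def suspicious_attachments(raw_message):
    """Return (filename, reason) for attachments that could pass for a web link."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").strip()
        if HOSTLIKE.match(name):
            runs = name.lower().endswith(EXECUTABLE)
            reason = "named like a web address" + (", executable extension" if runs else "")
            findings.append((name, reason))
    return findings
```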

ISSUE #3: What alternative is there?

If you really do want to see this web page I suggest copying the address directly into the "Location" bar of your browser. Highlight it with the mouse and Edit>Copy or press Ctrl-c. Next click in the location bar, delete anything that is already there, and Edit>Paste or Ctrl-v.

This at least eliminates ISSUE #2, and gets rid of any "referrer" problems from #1. You do still have the other potential tracking issues discussed in #1 if this was spam.