Conversation

Our list of spy pixel patterns for HEY is growing! Thanks to all the whistleblowers who wrote in about their own companies, and to everyone else who reported a pattern. Going to share this is a more structured form, but here's our work as-is for anyone.

gist.github.com

Current list of spy pixels named'n'shamed in HEY, as of April 23, 2020

Current list of spy pixels named'n'shamed in HEY, as of April 23, 2020 - tracker_blocking.rb

6:24 PM · Apr 23, 2020

Replying to

Would love to see broad collaboration amongst all email clients to block spy pixels across the board. The tracking industry is using all sorts of sleazy tricks, like hiding trackers in fonts and css backgrounds and whatnot, but working together, we can clean this filth.

DHH

@dhh

Apr 23, 2020

hey.com offers protection in depth as well. We block'n'name'n'shame from the known patterns. We strip all unknown tracker-looking pixels. We search for trackers in the body, css, and wherever else. AND we proxy ALL IMAGES to protect your IP info from ever leaking.

hey.com

HEY

Email at its best, new from 37signals.

Replying to

I use Canary Mail, and it allows for a pixel to be sent in order to check that a message has been read. I don't know the specific url it uses though.

Replying to

Please send me an email to david@hey.com with the tracker in it! I'll find it and add it to the block list ✌️❤️

Show replies

Replying to

Doesn't this create a cat-and-mouse game where email providers just start buying up cheap expired domain names to serve the pixels from? Or even proxying them through the customer's domain?

Replying to

If email providers want to double down on the malware angle, hey, that's up to them. They'll be showing their true colors, and we'll be here to do the work to counter them. No different than malware/antivirus work, really.

Show replies

Replying to

Do you think there are any legitimate use of tracking pixels? I can think of several B2B cases where it is in the customers interest for the vendor to know if they have opened the email. No?

Replying to

No. If you want to know, you can ask. And those who are interested in sharing can share. But silently and secretly stealing this data when someone opens an email? No.

Show replies

Replying to

Really interesting. Anyone who has used

@mailchimp

@constantcontact

knows it's tracking lots of behaviors before the recipient can grant permission. I don't see Wix mail on this list. Wondering if that means they're not using spy pixels or if it just hasn't been reviewed yet.

Replying to

and

Haven’t looked at Wix yet. If you have an email from them, please forward to david@hey.com and I’ll put it under forensics 😄

Show replies