Anatomy of a Mail Tracker

In my last post, I talked about a mail tracking service which uses essentially the same technique that an anti-phishing service would use.  You embed a hosted object on a server and when the message is opened, the object will render.  When the object is rendered some function on the other side is looking for that callback. 

The setup --

We need a single white pixel hosted on a webserver with a valid SSL certificate.  With Let’s Encrypt, we can add a free SSL certificate to any server.  You could try it without the SSL certificate but I think the call out to HTTP would cause a problem.  I haven’t gone through the steps of testing this without HTTP, it was more of an exercise of how quickly as easily this could be to setup something functional.

With the pixel hosted on the server, and an email sent with the embedded pixel, all that would remain would be a script to parse the logs.

while :
if grep "pixel.png" /var/log/apache2/ssl_access.log
    cat /var/log/apache2/ssl_access.log | grep "pixel.png" | cut -d" " -f1,4 | uniq >> /some_directory/spamcat/spamcat.out && sort -u -o /some_directory/spamcat/spamcat.out /some_directory/spamcat/spamcat.out && mail -s "we got a hit" < /some_directory/spamcat/spamcat.out
sleep 60

This is dirty but functional.  Let me break it down --

The if grep statement is searching the logs to see if we have a hit.  If we do, the cat is searching the log for the hit to parse just the IP address.  If there are multiple hits with the same IP address, the | uniq will reduce that to a single entry.  We are then redirecting is to an output file.  In case the output file already exists and we've already documented a previous entry, we will again reduce that to one entry per IP address.  Now we’re going to email that as the body of a message to our email address.  And finally, as long as the script continues to run, we’re going to perform this task every 60 seconds.