2/8/2026 at 7:29:36 PM
I often think the best way to defeat email open tracking would be for a mainstream email client to prefetch every image when a non-spam email is received and cache it for 72 hours or so. Every email gets flagged as “opened,” so the flag is meaningless, and recipients can see the images without triggering a tracker.
by smelendez
2/8/2026 at 8:10:04 PM
I worked for a short time for an American company. They had periodic phishing tests from Mitnick. The links in those emails were not to be clicked as it would trigger a mandatory training. The emails also had a header saying they were a phishing test, so I deleted all those emails in a filter. The company also ran a mail filter called Barracuda or something similar that followed links in emails to see if they were malicious.
I was quite annoyed when I was called to do the mandatory training as "I" had clicked a link (on an email I hadn't seen) and more so when told I had no other recourse than to sit through it.
I resigned shortly afterwards.
by mzi
2/9/2026 at 12:41:36 AM
Did everyone get flagged then thanks to Barracuda? You’d think they’d realize there’s a problem if there’s a 100% fail rate.
Edit: also, to be fair, you basically told them you had opted out of the test, so it’s not completely ridiculous for them to ask you to do the training instead.
by smelendez
2/9/2026 at 11:59:27 AM
To be fair, someone started using computers and has x worthless security certificates, but yes, he will teach me how to use the computer/Internet... okidoki... I just move all their tests to trash as it's just spam.
by fx1994
2/9/2026 at 9:14:33 PM
The test is whether you can successfully identify phishing attempts by approximating what they look like in the wild. Bypassing the test entirely means there's no data on whether you're susceptible to this, and just because someone knows there's a header and how to bypass something doesn't mean they aren't also the kind of person to be distracted and click on stuff they shouldn't. This method of test passing wasn't okay when Volkswagen did it, and it's not appropriate for employees at a company that asks them to take the test, for the exact same reason.
by kbenson
2/9/2026 at 2:23:03 AM
There’d be a bigger problem for the security training folks if there was a 100% pass rate.
by hedora
2/9/2026 at 10:22:14 AM
Hmm, mixed feelings. Sure you are being clever, but (and I don't know the state of the art science wrt effectivity of these fake phishing emails), you are defying a measure that was taken by management to try to make the company safer. Sure it may feel, and even be, a waste of time. But you are also putting yourself above the rules in a way. Your assumption is that these programs will actually NOT make the company safer, with 100% certainty. Because even if it makes the company 1% safer, it is management's responsibility to go ahead with these measures or not.
I don't know what to think of how you acted, as much as I hate most mandatory courses, at least some of my knowledge comes from them. Obviously the company pays you normally while you take the course. And somewhere I feel that "work is work".
Of course, in this case, you have shown the system to be erroneous, while showing yourself to feel superior. Difficult... As manager I'd like you to seek a conversation with me.
Edit: Of course, you are 100% free to leave this company, are you 100% free to cheat on cyber security measures? I don't think I agree with you there.
As said, mixed feelings.
by teekert
2/9/2026 at 1:51:29 PM
> you are defying a measure that was taken by management to try to make the company safer.
> are you 100% free to cheat on cyber security measures?
Why do you think that implementing an email filter like that is "defying a measure" or "cheating"? What value do you think there would be in individually, manually, reviewing each such email, if you've already identified the pattern they all follow and their purpose? You're essentially arguing for wilful inefficiency, which is "cheating" the organization out of useful labor.
The other reply to you may have been less than perfectly polite, but they certainly had a point.
by antonvs
2/10/2026 at 1:17:53 AM
Are you being willfully obtuse? Suppose that management wanted to see if you could visually identify faulty parts on an assembly line - wrong finish, dirty, etc. - and that all deliberately faulty test parts had a red sticker on the bottom. If you just flipped every part over until you found red stickers, would you be equally annoying, refusing to identify why what you did was wrong and stupid? The goal wasn't reading email headers.
by idiotsecant
2/9/2026 at 3:02:39 PM
Come on, certainly the "spirit" of the "training" is to learn to distinguish phishing emails from real ones using subtle cues. Not to learn how to write an email filter. Nowhere am I saying that I agree with the chosen methods, especially not the part that sounds like punishment. But there are better ways to deal with the disagreement than suggested here.
by teekert
2/9/2026 at 11:07:39 AM
This could go straight on r/LinkedInLunatics, the PMC is insane
by lyu07282
2/9/2026 at 11:58:09 AM
Hmm, never been there, but it never feels good to be lumped in with some group (especially when they have lunatics in the name) instead of receiving feedback that may point at errors in judgement.I'm generally considered knowledgeable and I'm just thinking from the perspective of owning a company and employees taking these actions instead of coming to talk to me, showing evidence of my poor management decisions.
This whole text reeks of an employee vs employer situation, which is never good (you're in it together), so probably it is good that the person left the company, for both parties.
Perhaps I'm naive, or not American enough, US work culture seems harsh to me sometimes, especially wrt work ethic and hierarchy.
I'm off now to find what PMC is, thank you.
Edit: Looked around for sometime, no idea still what PMC is.
by teekert
2/9/2026 at 12:09:08 PM
Professional-Managerial Class, as opposed to working class or proletariat.
by 201984
2/9/2026 at 12:24:34 PM
Thanx, I don't consider myself PMC, but, I guess that's the internet of today, slap a label onto anyone and anything based on ~160 chars. I guess lyu07282 is what I have taken to calling a "Judger". Always labeling, always judging, always seeking the moral high-ground, never realizing the lack of nuance that must exist in short texts. Never thinking "what if this was meant in a kind way." Oh, and I see the irony, it is intentional (feels bad right?).
I think it's what's tearing the US apart at this very moment. Always Us against Them. Most people are kind you know. I really thought I did my best to add nuance.
by teekert
2/10/2026 at 8:11:25 AM
Btw, LinkedInLunatics is pretty funny at times, thanx for the tip (although I admit I don't get some of them really, so perhaps I am naive)!
by teekert
2/9/2026 at 1:35:15 AM
Those knowb4me or whatever supposed security lessons are terrible. In our case the emails included links to external domains (to knowb4) that you were actually required to click, as in really, not as a test to see who did it. And you presume to teach me Fing security...
by Brian_K_White
2/9/2026 at 11:40:39 PM
Ughhh yeah, KnowBe4. Real crap service with emails so obviously bait that a security worker would try them just to see what happens. The cool thing though is when people post the link on Yammer asking if it's safe, then you can screw them by clicking on it and they have to do the course hehehh
But yeah bad service
by wolvoleo
2/8/2026 at 7:32:29 PM
Some of the big providers already do this, notably Apple and Gmail:
by mmh0000
2/9/2026 at 12:44:42 AM
Gmail's prefetch is terrible for privacy because it honors HTTP cache headers, which means tracking companies simply use a "no-cache, must-revalidate" header to defeat it.
by londons_explore
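The cache-header point above can be checked with a small model. This is an added example, not Gmail's code and not from the thread: it simulates a provider-side image prefetch cache under two policies. "honor" obeys Cache-Control the way the comment above reports Gmail's proxy does, so a sender marking its pixel "no-cache, must-revalidate" gets a fresh origin request on every open and the beacon still fires; "ignore" serves the copy fetched at delivery for a fixed retention window regardless of headers, so the origin sees exactly one request per message. The origin server, its headers, the beacon URL and the open timeline are all constructed for illustration.

```python
"""
Added example (not from the thread, not Gmail's code): a minimal model of a
provider-side image prefetch cache under two policies.

  honor  - obey Cache-Control as the comment above reports Gmail's proxy does;
           a sender that marks its pixel "no-cache, must-revalidate" gets a
           fresh origin request on every open, so the beacon still fires.
  ignore - serve the copy fetched at delivery for a fixed retention window
           regardless of headers, so the origin sees one hit per message.

The origin server, its headers, the beacon URL and the open timeline are all
constructed for illustration.
"""

RETENTION_SECONDS = 72 * 3600  # the "72 hours or so" proposed at the top of the thread


def parse_cache_control(value):
    """Parse a Cache-Control header value into {directive: value-or-None}."""
    directives = {}
    for part in (value or "").split(","):
        part = part.strip().lower()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip()] = val.strip().strip('"') or None
    return directives


class Origin:
    """Constructed tracking-pixel server; every request it sees is an 'open'."""

    def __init__(self, cache_control):
        self.cache_control = cache_control
        self.hits = 0

    def get(self, url):
        self.hits += 1
        # A real server might answer 304 Not Modified on revalidation, but the
        # request itself is the signal, so it counts the same here.
        return {"Cache-Control": self.cache_control}, b"\x89PNG\r\n\x1a\n"


class PrefetchProxy:
    """Fetches images at delivery time and answers clients from its cache."""

    def __init__(self, origin, policy, now):
        assert policy in ("honor", "ignore")
        self.origin, self.policy, self.now = origin, policy, now
        self.cache = {}  # url -> (fetched_at, response headers, body)

    def prefetch(self, url):
        """Run once when the message arrives, before any human opens it."""
        headers, body = self.origin.get(url)
        self.cache[url] = (self.now(), headers, body)

    def _usable(self, entry):
        fetched_at, headers, _ = entry
        age = self.now() - fetched_at
        if self.policy == "ignore":
            return age < RETENTION_SECONDS
        cc = parse_cache_control(headers.get("Cache-Control"))
        if "no-store" in cc or "no-cache" in cc:
            return False  # RFC 9111: revalidate with the origin before reuse
        try:
            max_age = int(cc.get("max-age") or 0)
        except ValueError:
            max_age = 0
        return age < max_age

    def open(self, url):
        """A client rendering the message asks the proxy for the image."""
        entry = self.cache.get(url)
        if entry is None or not self._usable(entry):
            headers, body = self.origin.get(url)  # fetch or revalidate
            entry = (self.now(), headers, body)
            self.cache[url] = entry
        return entry[2]


def simulate(policy, cache_control, open_offsets=(60, 3600, 86400)):
    """Return how many origin requests one message generates: the prefetch at
    t=0 plus one client open at each offset (seconds after delivery)."""
    clock = [0]
    origin = Origin(cache_control)
    proxy = PrefetchProxy(origin, policy, now=lambda: clock[0])
    pixel = "https://track.example/open.gif?id=42"  # constructed beacon URL
    proxy.prefetch(pixel)
    for offset in open_offsets:
        clock[0] = offset
        proxy.open(pixel)
    return origin.hits


if __name__ == "__main__":
    for policy in ("honor", "ignore"):
        for cc in ("no-cache, must-revalidate", "max-age=600"):
            print(f"{policy:6} {cc!r:32} origin hits: {simulate(policy, cc)}")
```

Under "honor", the "no-cache" pixel produces four origin requests for one message (prefetch plus three opens), so the sender learns exactly when the human read it; under "ignore" it produces one, at delivery, which carries no information about the reader. The price of "ignore" is that senders cannot correct an image after delivery within the retention window, which is the trade-off the rest of the thread argues about.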
2/9/2026 at 2:24:05 AM
That sounds like a feature, not a bug, given where Google’s revenue comes from.
by hedora
2/9/2026 at 11:13:16 AM
Google's revenue comes from Google's ads, not other people's ads, and they already know when you open your emails. They should block remote loading, to ensure their ad platform works better than other people's.
by direwolf20
2/9/2026 at 9:42:36 AM
Which is completely stupid since images in an email should never change.
by RobotToaster
2/9/2026 at 1:25:30 PM
Why shouldn't they? There's plenty of scenarios where you might want to swap images after a period of time has elapsed, or to fix a mistake.
by iamacyborg
2/9/2026 at 2:49:16 PM
The ability to swap images but not text seems arbitrary. You could imagine a system more like the notification tray on iOS/Android where at any time a notification can appear, be edited, time out, or be deleted.
Your email inbox could be like that. The email saying "Your parcel has been dispatched" could be edited to say "Your parcel has been delivered".
When you refund something you've bought, the original purchase receipt could be crossed out or hidden. When you get invited to a wedding but then the wedding is cancelled, the original invite could be deleted, etc.
by londons_explore
2/9/2026 at 3:47:41 PM
It's counter to the principle of what e-mail is. It's supposed to be static. Just because you can doesn't mean you should.
by afavour
2/9/2026 at 4:02:11 PM
> It's supposed to be static.
Says who? It's not in the original RFC as far as I'm aware.
by iamacyborg
2/9/2026 at 6:22:32 PM
I'm pretty sure the original RFC (RFC 821) does not include remote resources and it was written far before HTML or HTTP was invented. It was text delivered over SMTP.
by SahAssar
2/9/2026 at 4:51:59 PM
specifically to prevent this kind of tracking
by Tagbert
2/9/2026 at 1:35:28 PM
I know of an invoicing system that updates the image when it's paid. Seems pretty useful to me. And yes, that means that an image with an amount is publicly accessible, so what, there's no information about the invoice in there as that's in the text of the email.
by hvb2
2/9/2026 at 3:25:11 PM
Bet they send a separate mail when you've paid though, in which case updating the picture is not much more than a means for them to hide errors.
I subscribed to the daily headlines from a newspaper, they delivered them as a remote picture in the mail. Only it was always the same remote picture each day, just updated. So if you didn't open the mail each day, too bad: you snooze you lose, those past headlines are gone.
by SiempreViernes
2/9/2026 at 5:58:28 AM
I think the problem is what is an image?I made an attempt to enumerate them[1], and whilst I catch this issue with feImage over a decade ago by simply observing that xlink:href attributes can appear anywhere, Roundcube also misses srcset="" and probably other ways, so if the server "prefetched every image" it knew about using the Roundcube algorithm the one in srcset would still act as a beacon.
I feel like the bigger issue is the W3 (nee Google). The new HTML Sanitizer[2] interface does nothing, but some VP is somewhere patting themselves on the back for this. We don't need an object-oriented way to edit HTML, we need the database of changes we want to make.
What I would like to see is the ability to put a <pre-cache href="url"><![CDATA[...]]></pre-cache> that would allow the document to replace requests for url with the embedded data, support what we can, then just turn off networking for things we can't. If networking is enabled, just ignore the pre-cache tags. No mixing means no XSS. Networking disabled means "failures" in the sanitizer is that the page just doesn't "look" right, instead of a leak.
Until then, the HTML4-era solution, a whitelist (instead of trying to blacklist/block things), is best. That's also easier in a lot of ways, but harder to maintain since gmail, outlook, etc. are a moving target in _their_ whitelists...
[1]: https://github.com/geocar/firewall.js
[2]: https://developer.mozilla.org/en-US/docs/Web/API/HTML_Saniti...
by geocar
2/9/2026 at 6:20:28 AM
Why on earth does the HTML sanitiser allow blacklisting?! That can't ever be safe to use, the set of HTML elements can always change.
by TazeTSchnitzel
2/9/2026 at 11:11:47 AM
Note that the API is split into XSS-safe and XSS-unsafe calls. The XSS-safe calls [0] have this noted for each of them (emphasis mine):
> Then drop any elements and attributes that are not allowed by the sanitizer configuration, and any that are considered XSS-unsafe (even if allowed by the configuration)
The XSS-unsafe functions are all named "unsafe". Although considering web programmers, maybe they should have been named "UnsafeDoNotUseOrYouWillBeFired".
[0] https://developer.mozilla.org/en-US/docs/Web/API/HTML_Saniti...
by Ndymium
2/9/2026 at 7:45:25 AM
I mean, at least they eventually came to their senses, but it does not inspire confidence!
https://developer.chrome.com/blog/sanitizer-api-deprecation/
by geocar
2/9/2026 at 11:07:56 AM
That's the old sanitizer API. That was already removed and what you linked earlier is the new sanitizer API.
by Ndymium
2/9/2026 at 6:44:24 AM
> What I would like to see is the ability to put a <pre-cache href="url"><![CDATA[...]]></pre-cache> that would allow the document to replace requests for url with the embedded data
multipart/related already exists.
by pwdisswordfishy
2/9/2026 at 7:41:11 AM
> multipart/related already exists.
Which web browsers render multipart/related correctly served over https?
by geocar
2/9/2026 at 7:48:55 AM
What is stopping them from doing so instead of going with a NIH solution?
Never mind the context is e-mail, which is not served to a browser over HTTPS.
by pwdisswordfishy
2/9/2026 at 8:57:49 AM
Got it: so none.
As to why I prefer one thing that doesn’t exist over another thing that doesn’t exist depends on my priors. You might as well be asking my opinion and making fun of it before you know the answer.
What do you think the impact would be if Content-Location: suddenly gained the interpretation I suggest?
What do you think a script in the package can do to reference a part whose URL is constructed by code?
by geocar
2/8/2026 at 10:16:56 PM
That is still signal that the email address is valid. I'd prefer something like the server immediately sending an SMTP 550 5.1.1 (unknown recipient error), for anything that's immediately recognized as spam (or marked as spam in the past by the user). That gives no signal at all and might even persuade some scammers to remove your email address from their list.
by gigel82
2/9/2026 at 2:30:23 AM
If you don’t follow spam links, then it lets the spammer probe your spam filter, and try stuff until you follow links.
A better approach is to follow all links always (even to non-existent recipients) if you must play this game.
That reminds me: I should make sure all my mail clients are still set to plain text rendering.
by hedora
2/9/2026 at 6:02:35 PM
I hereby remind you of a bet you lost: https://news.ycombinator.com/item?id=39186555 :)
my contact info is in my profile to arrange settlement
by dmitrygr
2/9/2026 at 1:41:22 AM
That's not enough. As the article explains, SVGs can reference external resources. So you also need to prefetch those external resources, recursively, if you want to be thorough.
by kijin
2/9/2026 at 10:42:20 AM
To add to this, those external resources aren't limited to images, they can be basically anything, foreignObject allows video.
I'm also wondering if you could (ab)use SMIL mouse events to bypass this approach.
by RobotToaster
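Two points in this thread ask for the same piece of code: geocar's observation above that "what is an image?" is the hard part (srcset and feImage xlink:href slip past an "img src" scanner), and kijin's and RobotToaster's point that a fetched SVG can itself reference further resources, including video inside foreignObject, so a prefetcher has to chase references recursively. The following is an added example, not from the thread and not the code of Roundcube, firewall.js or any provider: it walks every attribute of every element for fetchable URLs, parses srcset candidates and inline style url() values, and then resolves the closure over anything that comes back as markup. The sample message, the in-memory "origin" and the beacon URLs are constructed for illustration, and the attribute list is deliberately a starting point, not a complete inventory.

```python
"""
Added example (not from the thread, not Roundcube's or firewall.js's code):
enumerate every URL in an HTML email that a rendering client could fetch
automatically, then chase the ones that resolve to SVG, because a fetched SVG
can itself reference further remote resources (feImage, <image>, and anything
inside foreignObject). The sample message, the in-memory "origin" and the
beacon URLs are constructed for illustration, and the attribute list is
deliberately a starting point, not a complete inventory.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin

# Attributes that carry one fetchable URL, checked on every element because
# xlink:href/href can appear on many SVG elements, not only <a>.
URL_ATTRS = {"src", "href", "xlink:href", "poster", "background", "data"}
# href on these is a navigation target, not an automatic request.
NAVIGATION_TAGS = {"a", "area", "base"}
CSS_URL = re.compile(r"url\(\s*['\"]?([^'\")\s]+)['\"]?\s*\)", re.I)


def parse_srcset(value):
    """Return the URL of every candidate in a srcset list ("url 2x, url 3x")."""
    return [c.strip().split()[0] for c in value.split(",") if c.strip()]


class RefCollector(HTMLParser):
    """Collects a 'naive' (img src only) and a 'thorough' reference set."""

    def __init__(self, base):
        super().__init__()
        self.base = base
        self.naive = set()
        self.thorough = set()

    def _add(self, url):
        self.thorough.add(urljoin(self.base, url.strip()))

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if not value:
                continue
            if tag == "img" and name == "src":
                self.naive.add(urljoin(self.base, value.strip()))
            if name in URL_ATTRS:
                if name == "href" and tag in NAVIGATION_TAGS:
                    continue
                self._add(value)
            elif name == "srcset":
                for url in parse_srcset(value):
                    self._add(url)
            elif name == "style":
                for url in CSS_URL.findall(value):
                    self._add(url)


def collect(html, base):
    parser = RefCollector(base)
    parser.feed(html)
    parser.close()
    return parser.naive, parser.thorough


def resolve_closure(urls, fetch, max_depth=5):
    """Prefetch every URL; if a body is markup (e.g. SVG), scan it too. The set
    returned is what a thorough prefetcher must request so that nothing is
    left for the human's open to trigger."""
    seen = set()
    work = [(u, 0) for u in urls]
    while work:
        url, depth = work.pop()
        if url in seen:
            continue
        seen.add(url)
        body = fetch(url)
        if depth >= max_depth or "<" not in body:
            continue
        _, refs = collect(body, url)
        work.extend((r, depth + 1) for r in refs)
    return seen


# Constructed sample message: one visible logo plus four beacons that an
# "img src" scanner would miss, and one ordinary link that should be ignored.
SAMPLE_EMAIL = """
<html><body>
<img src="https://cdn.example/logo.png"
     srcset="https://cdn.example/logo@2x.png 2x, https://track.example/s?id=42 3x">
<div style="background: url('https://track.example/bg?id=42')"></div>
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <image href="https://cdn.example/hero.svg" width="10" height="10"/>
  <filter id="f"><feImage xlink:href="https://track.example/fe?id=42"/></filter>
</svg>
<a href="https://shop.example/order/42">View order</a>
</body></html>
"""

# Constructed origin: hero.svg is itself markup and carries a further beacon
# inside foreignObject; binary images return no markup to scan.
ORIGIN = {
    "https://cdn.example/hero.svg": (
        '<svg xmlns="http://www.w3.org/2000/svg"><foreignObject>'
        '<video src="https://track.example/vid?id=42" autoplay></video>'
        "</foreignObject></svg>"
    ),
}


def fake_fetch(url):
    return ORIGIN.get(url, "")


def demo(base="https://mail.example/"):
    naive, thorough = collect(SAMPLE_EMAIL, base)
    return naive, thorough, resolve_closure(thorough, fake_fetch)
```

On the constructed message the naive scan sees one URL, the thorough scan sees six, and the recursive closure seven: the video beacon inside hero.svg only appears after hero.svg itself has been fetched and scanned. Whether the list of attributes is complete is exactly the problem geocar describes, which is why a whitelist of allowed elements and attributes is the safer primary control and this kind of enumeration is the belt to its braces.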
2/9/2026 at 4:23:52 AM
I knew the people who were setting this up for Yahoo like 10 years ago. Lots of major providers do it now.
by easygenes
2/8/2026 at 7:34:37 PM
I think this is what icloud does. Seems like an easy way to make tracking useless if every client did it.
by Saris
2/8/2026 at 9:32:54 PM
That still provides “human” vs “bot” feedback to the sender. An automated system processing emails isn’t going to be fetching images or rendering attached SVGs.
by BobbyTables2
2/9/2026 at 12:39:27 AM
I think I might be misunderstanding. Why wouldn’t it? It’s not like the human is manually decoding the SVG or getting the PNG.by smelendez
2/8/2026 at 10:16:27 PM
I mean I don't think that's exactly true in the age of LLMs.
by pixl97