[dvlug] Tracking users via hashed URLs

Rick Moen rick at linuxmafia.com
Mon Nov 15 21:30:03 PST 2021 

There's been a strange element in Grant's recent postings to the
"list at dvlug.org" ostensible mailing list.  Did anyone else notice it?

The outsourced archive on www.mail-archive.org is at
https://www.mail-archive.com/list@dvlug.org/, but have a look at the
first exchange between Michael and Grant, about maybe re-constructing
one of the prior DVLUG sets of Web pages.  Michael wrote:

  Some have within the power to recall.
  https://web.archive.org/web/*/http://dvlug.org/

Grant replied, quoting the above, except it came out like this:

  > Some have within the power to recall.
  > http://email.dvlug.org/c/eJw1jssKgzAURL8m2VX0Jpq4yMJaq1Ao7UJxG2N84QsrSv--obVwmMUwcKYUjDJS4laEAYKzTLb7kieR96ZpGigJPGfjrYMwi56sg26fEbkY_C0evSR7xP5QI2oPsu2t-ptqGnAjHK0dZbNSVxWlhDiyAsqpW4BmIIFxPAjic5d4QHEvmnWdX4iYA1fDrgtLLqppN21NS_1rTOJFHPVhPP1XxvkBR4I9Dw*/http://dvlug.org/

Hey?  What's up with the rewritten URL with the huge hash string in it?

I'm pretty sure the explanation relates to the answer to the question:
_What business_ (what market) is Mailgun Technologies, Inc. _in_?

I already mentioned that Mailgun doesn't do mailing lists, but they
describe themselves as an "email delivery service" whose APIs "enable
you to send, receive, and track email effortlessly", to do "great
campaigns".

One of their pages about their key value proposition spells it out:

  ANALYTICS

  Know exactly what happens to every email you send
  Get insight into the performance of your messages with advanced email
  analytics. Track engagement metrics like opens and clicks, use hourly
  data to determine the best time to send your emails, and dig into
  performance by device, location, and mailbox provider.
  When delivery failures happen, our detailed logs make it easy to
  diagnose and correct email issues.


Getting to the main point, it's about _tracking_.

Any mail that gets sent out as part of a Mailgun "campaign", the target
market being bulk mailings for sales/marketing, that is issued by
Mailgun's software (as Grant did) gets all URLs within the mailing's
body text _altered_ to be individual to each user.  Thus the long hash
value:  The hash is a marker that is unique to the subscriber.   If two 
list at dvlug.org "subscribers" compared copies each received from
list at dvlug.org, their hashes will differ.

The idea is that, any time a user visits a URL within a
Mailgun-originated mail, the page is loaded via HTTP fetch from the
Mailgun site with HTTP 302 redirect to the destination page.  The
intermediate visit to the Mailgun site is registered in the Mailgun,
Inc. logs as having been prompted by _this_ "campaign" e-mail, and
specifically the copy sent to _this_ user.  If the user sends the
"campaign" e-mail to a bunch of friends and they load the URL, then that
gets noted with it having been from a specific "subscriber's" copy.
Times get logged, visiting IPs get logged, and all of this gets reported
in detail to the customer who paid for the "campaign". 

The plain-English term for "advanced email analytics" is "spying on
people's Web usage".  This bit of minor nastiness is probably familiar
to most, being now an entire industry, pioneered by the firm Constant
Contact, but now with endless numbers of competitors:  ActiveCampaign,
SendinBlue, GetResponse, Moosend, ConvertKit, HubSpot CRM, SendX,
BenchMark Email, MailerLite, SendPulse, MailChimp, Campaign Monitor,
AWeber, Emma, Drip, Pabbly Email Marketing, iContact, EngageBay, and
probably a bunch more I'm missing... plus Mailgun.

You encounter these pestilential bits of e-mail surveillance practically
everywhere, these days, and it's rare for people to get much worked up
over them, because they're sort of a background annoyance of badness.

You know where you ordinarily never encounter them, though?  Linux user
groups.

More information about the dvlug mailing list