
The trouble with text-only email - corbet
https://lwn.net/SubscriberLink/735973/17bdb163fddd41ae/
======
makecheck
I don’t understand this sort of “right to track” that so many organizations
seem to have. I don’t care if modern technology gives them a way to do it, I
have a right to block or otherwise avoid loading whatever I want. Somehow 20
years ago businesses managed to judge how effective their communications/ads
were without tracking; let them go back to that.

~~~
askvictor
The article is quite specific in why Mozilla wants to track emails - email
being sent to dead email accounts causes greylisting/blacklisting problems for
them; they want to be able to unsubscribe inactive accounts, and the only way
to determine account inactivity is through some sort of feedback mechanism.

~~~
robotresearcher
> the only way to determine account inactivity is through some sort of
> feedback mechanism.

Or a timeout (distributed systems 101). Just time-out accounts and send a
good-bye email that has a one-click reanimation link.

~~~
taneq
Making spam lists opt-in? I'm pretty sure there's some kind of secret blood
oath amongst marketing types that none shall ever make it simpler or more
convenient to get off a mailing list, let alone making it harder to stay _on_
one.

~~~
tpxl
Where I live it is required by law for mailing list emails to have an
unsubscribe link at the bottom :)

------
y0ghur7_xxx
I don't understand the problem: mozilla is basically saying "we need to track
you, otherwise gmail/yahoo/hotmail thinks we are sending spam". But if that's
the case, isn't the problem the to aggressive spam filtering of
gmail/yahoo/hotmail? _Or_ mozilla is really sending spam. But knowing them I
don't think that's the case.

So the real problem here is that everyone is using gmail/yahoo/hotmail, and
those providers have broken spam filters. They should fix them.

~~~
ordu
Yes, I agree, they should. But they wouldn't. Mozilla is as powerless here as
you or me.

~~~
zAy0LfpBZLC8mAC
Which is really irrelevant--if you want to subscribe to Mozilla mailing lists,
you should be using an email provider that doesn't randomly label emails as
spam, rather than Mozilla annoying everyone else because of it.

~~~
crummy
what email provider is that, with perfect spam filtering?

~~~
zAy0LfpBZLC8mAC
How is perfect spam filtering the only alternative to obviously terrible and
trivial to improve spam filtering?!

------
Animats
SMTP has a perfectly good verification mechanism. You send a VRFY request with
an email address, and the server tells you if the address is valid. The
trouble is that many mail servers don't handle VRFY requests, because spammers
used them to explore the space of destination email addresses.

There's also "Disposition-Notification-To", which sends back a message when an
email is read. Most real mail clients tell the user this is being done, and
allow the user to decide whether they want to send back a receipt. Does Gmail
support that at all?

~~~
smileysteve
This. SMTP is broken because EmailSPs have found people to be spammy - using
verify and messages with zero content to find addresses of people not opted
in.

Added additional ways to track for 'are we sure it is a user' is just another
way that bypasses privacy to be able to send more email.

Solution? Get real leads, not just honeypots. Make your unsubscribe so easy.
Keep customers active with promotions and products.

~~~
bigiain
"Keep customers active with promotions and products."

Sure, but that isn't exactly easy to do for Mozilla in these cases. The people
on these lists are not "customers" and they almost universally do not want
"promotions and products" in the ordinarily understood meaning.

Serious question - how would you explain your strategy to Mozilla in the
context of their lists?

~~~
smileysteve
> how would you explain your strategy to Mozilla in the context of their
> lists?

I'd explain this to Mozilla by showing evidence of high click through rates in
directed and singular "Calls to Action" \- whether that's downloading a
browser update, pages with new products, and features.

The easy to unsubscribe is also key here.

But also seeking better/additional channels such as "advertising" on related
products and services (much like the service they provide for Google)

------
ikeboy
"One metric that some sites evidently use is email sent to accounts that are
known to be inactive, which is seen as a sign of a spammy originator. This,
seemingly, is where Mozilla has run into trouble. One way to avoid this
problem is to track which recipients are actually reading their email; any
recipient who doesn't look at any messages for a period of time can then be
unsubscribed."

Shouldn't the sites bounce those emails in a way Mozilla can detect and
therefore use to prune?

~~~
danohu
I seem to increasingly get unsubscribed from mailing lists because of not
opening them, which is very frustrating.

Sometimes it's because I'm reading but not triggering their tracking
mechanisms. Other times it's because I'm subscribed to lists that I only
occasionally read, but want to have available for reference.

Either way: if I've actively subscribed to a list, I have some reason for
doing so. I don't want to be unsubscribed!

I'd be happy to add my email address to some whitelist of 'assume I'm reading
anything I'm subscribed to', if only it were possible.

Otherwise, maybe I need to forward mails to some service that will open them
all in a browser, and trigger all the tracking pixels.

~~~
giovannibajo1
FWIW Gmail does that: it triggers trackbacks from a pool of Google-owned IP
addresses that don’t map to any specific users, and then serves themselves the
images to the clients. This is why they now load images by default: there’s no
more privacy issue.

~~~
Sephr
There is still a privacy issue since Google only caches external images at
read-time, leaking the time you read your email to the sender.

------
Silhouette
The real problem here isn't text-only email, or even Mozilla being concerned
about not being able to track who is opening messages sent to its mailing
lists. The real problem is that certain large webmail providers are making a
hostile takeover bid for the fundamental infrastructure that email represents.
The likes of Google have decided that their own interpretation of how email
should work is more important than things like following standards and
delivering properly formatted and correctly sent messages.

------
mike-cardwell
Been a while since this was fixed now, but I once discovered a method to track
views of even plain text emails when the user was using Thunderbird -
[https://www.grepular.com/DNS_Prefetch_Exposure_on_Thunderbir...](https://www.grepular.com/DNS_Prefetch_Exposure_on_Thunderbird_and_Webmail)
\- thanks to the DNS lookups caused by URL pre-fetching. Same issue worked
with various webmail implementations at GMail, Hotmail, Roundcube, IMP, and
probably more. You can test your client for this particular flaw and many more
at a website I built -
[https://www.emailprivacytester.com](https://www.emailprivacytester.com)

------
shabbyrobe
Mozilla seem to be falling into the same trap as the internet in general,
albeit a good long while later. Just a little bit of tracking here, how is
that harmful? Just a little bit of tracking there, too. It's really not a
problem. Telemetry this browser feature, Google Analytics that addon page. And
like the frog in the pan of water, eventually we're all cooked.

"Don't be evil" is deprecated, Mozilla Manifesto #4 will be too, soon enough.

~~~
actuallyalys
Those are both anonymized, though. That doesn't make it okay, necessarily, but
that's a pretty clear line, so I don't think this is a frog in boiling water
situation.

They also willing to have conversations with users about privacy in the open
[0] [1], and both telemetry and Google Analytics can be turned off. (The
latter is already turned off if you've enabled Do Not Track.)

Finally, Mozilla apparently spent a year working on a contract with Google
before they even enabled Google Analytics [2], so it wasn't a matter of
slapping Google Analytics on a page because they thought one page couldn't
possibly hurt.

That being said, I'm skeptical of their use of Google Analytics, so I'm not
trying to defend that. I do think it's unfair to imply Mozilla is carelessly
following the rest of the web, though.

[0]:
[https://bugzilla.mozilla.org/show_bug.cgi?id=697436](https://bugzilla.mozilla.org/show_bug.cgi?id=697436)

[1]: [https://github.com/mozilla/addons-
frontend/issues/2785](https://github.com/mozilla/addons-frontend/issues/2785)

[2]:
[https://bugzilla.mozilla.org/show_bug.cgi?id=697436#c14](https://bugzilla.mozilla.org/show_bug.cgi?id=697436#c14)

------
20years
This leads me to believe that Mozilla may have recently been caught up in the
same spamhaus spam-trap debacle as many others and was backlisted. They
decided to send a permission pass email because if an open or click hasn't
recently been recorded, there isn't really any other way for them to know
which emails in their list are no longer active.

This also confirms my belief that one or more of the big email ISP's (yahoo,
gmail, etc.) may have sold a crap load of their inactive email accounts to
spamhaus recently. Doesn't matter if these once active emails did opt in to
your list in the past, you will still get backlisted now that they are in the
spamhaus spam-trap database.

I don't understand why the email providers don't simply shut down the inactive
accounts. This would then result in a hard bounce to the sender allowing them
to remove the emails from their list.

~~~
iMerNibor
It's especially fun if users enter a spam trap email (something along the
lines of a@free-email-service.tld) and they blacklist you for sending a opt-in
email to that address :]

------
jstewartmobile
I think the whole "non profit" angle of Mozilla is suspect. When so much of
their revenue is tied to search engines[0], they're really more of subsidiary
than a charity.

That, and having the _marketing_ person insist that they _need_ message
tracking to prevent being blacklisted is shady as hell. Mozilla has plenty of
smart people who already know several other ways to skin that cat.

[0]
[https://en.wikipedia.org/wiki/Mozilla_Foundation#Financing](https://en.wikipedia.org/wiki/Mozilla_Foundation#Financing)

~~~
matt4077
Sources of revenue are not relevant to the categorization as a non-profit.
Only the use of funds is.

~~~
jstewartmobile
Meeting all of the current legalities is a low bar.

I'm sure there's some anti-smoking "non-profit" out there that gets 90% of its
revenue from Philip Morris, and is 100% compliant with the law. Doesn't make
it right though.

------
Sir_Cmpwn
You'll have to pry plaintext email from my cold, dead hands. If you send me an
HTML email it goes right in the bin.

~~~
skrebbel
I see this a lot on HN, but how does that work in practice? nearly all common
graphical email clients compose in HTML mode by default. Most signatures that
I see contain at least one clickable link.

Do you just delete all emails from people who dare to use Gmail? Or Apple
Mail? Or Outlook? Are they all horrible, horrible people not worth
corresponding with?

~~~
cesarb
All common graphical email clients that I know of send a HTML message as a
"multipart/alternative", with both a plain text and a HTML version. In fact,
AFAIK an email having only a HTML version (or the plain text version being too
different from the HTML version) is an indication that the email is probably
spam.

The text-only email clients just ignore the HTML version and show the plain
text version of the email.

~~~
skrebbel
Ahh right, that makes more sense. So all the people who proudly boast that
they send HTML emails straight to /dev/null actually mean "emails that don't
come with a text version".

Sounds less hardball when you put it put that :-)

------
dingo_bat
It's funny how the entire privacy nightmare was finally avoided by a simple
link to click once a year. This itself shows that such involuntary tracking
has no useful purpose which cannot be achieved in a simpler manner that
preserves privacy.

------
eponeponepon
Who are the organisations keeping these lists of 'inactive' accounts and doing
it in such a sloppy way that receiving text mail counts as not existing? I
sure as hell haven't told them whether or not I use any of my email addresses.
Isn't the solution to correct them, not to go along with them?

Surely Mozilla has enough clout to at least get a message to them rather than
just throwing in the towel?

~~~
gcp
The problem is that they are Mozilla's competitor (Google - Gmail). It's not
named explicitly but the dots are pretty damn obvious to connect, I think.

------
ekianjo
> not that there was really any need for more evidence that the email system
> is broken

Broken? Where? Is there a reliable open standard alternative to passing
messages to one another with attachments, encryption, self-hosting, and local
archiving as actual options on the table? And no, IMs are not an alternative
for anything longer than a few lines.

Email is only "broken" if you don't use it properly.

~~~
Silhouette
_Email is only "broken" if you don't use it properly._

Email is plenty broken today even if you do use it properly. In my various
business interests, we frequently see mails bounced or silently dropped even
though we were sending a legitimate message from one specific person in our
business to one specific client or customer contact.

We get rejections because a big mail service provider like Google has deemed
certain types of attachments unacceptable.

We get rejections because someone screwed up a blacklist and caught a server
at a service provider we use in the net.

Sometimes we get rejections saying our content is unacceptable or whatever
words they're using for that this week, when we are literally just sending a
standard form tax receipt _that we are legally required to provide to our
customer_!

If you aren't sending from a well-established system or with whatever extra
levels of sender verification these services have deemed necessary these days,
you're pretty much automatically going into someone's junk folder regardless
of the importance, urgency or legitimacy of your message. I had literally
never had a problem with legitimate business mail going into a recipient's
junk folder until relatively recently, but in the last few years I've seen
whole deals blown because a crucial meeting was happening abroad and
information that we sent to a client in good time to meet their own prospects
wasn't received and turned up in their junk folder that they hadn't thought to
check (and this is with long-term clients we have exchanged literally
thousands of messages with previously).

Email is broken, and the likes of Google have broken it, and we can and should
lay the blame squarely at their feet.

------
purplezooey
I recently switched back to Mutt after 10 years of Outlook and OWA. It took a
few months of constant tweaking, but loving it now. I can still load html
email in a browser with one key if I need to.

~~~
auvrw
you mean "neomutt" ^_^ ?

i noticed the updated name when running `mutt -h` one day and was pleased to
find this page

[https://www.neomutt.org/](https://www.neomutt.org/)

with good documentation along with an active github repository and apparently
welcoming community. i think there's even a Twitter account for "keeping up
with the times."

------
crispinb
I always explain tracking pixels to non-technical users and show them how to
turn off image loading if they wish to. Every single one has chosen to do so.
It's way past time for email clients to have this as the default for html
emails.

------
rb808
They could send a personalized mail every year saying - "if you still want to
continue to receive these mails", click here.

~~~
jordanlev
The conclusion of the article states that this is what they did.

~~~
dingo_bat
I don't know why this wasn't the first option instead of tracking users
without permission? This seems easier to implement, privacy-aware and even
seems to more explicitly indicate the users intent to keep receiving emails.

------
z3t4
Also have them opt-in when they sign-up to your newsletter, aka double-opt-in.
Don't worry about those that don't opt-in as it's unlikely they'll read your
newsletter anyway.

~~~
4lch3m1st
I second that, however most companies seem to think that opt-out is the only
way to go if you want to profit.

------
merb
There should be email client's who only open images if they are attached. I
don't think any email client should try to load anything inside the html
automatically if not attached. and even than attachment images should be
confirmed.

~~~
bluedino
“Automatically download images” is a setting in Outlook and turned off by
default

------
grogenaut
You don't need html email for that... you just need a trackable link. If
someone hasn't actually come back to your site for years due to the mail
you're sending out... should you really be sending them mail?

------
astrodust
If your site looks virtually the same in Lynx I'm not sure if that's a feature
or a bug.

~~~
tomsthumb
Digital brutalism is under appreciated.

How did we reach a point where a technical write up is forced into a column 6
inches wide on my 32 inch monitor?

Why does practically every code snippet exceed this 6 inch width, requiring a
scroll bar?

Why is there a 50-50 chance that this scroll bar will be so tall that it
actually hides the code snippet, and the fastest way to read the bits of
information which are the point of the entire write up is to pop open
developer tools by inspecting the element and read the code directly from the
html?

~~~
astrodust
I'd rather not have to follow a line of text from one side of my large screen
all the way back to the other, nor be forced to scrunch down the window
because they never considered that screens could be so large when that site
was laid out in 1996.

LWN at least has a reasonable max width, but some sites don't.

~~~
mavhc
The trend to run everything full screen is an odd one, probably was never even
a thing on Windows, with its terrible window resizing options. Of course tabs
in browsers is a side effect of terrible window management in GUIs, and causes
more full screenness

~~~
teddyh
I have a theory about how this obsession with running web browsers in full
screen came about, based on my personal observations on what happened at the
time:

The graphical web browser was originally mostly used on computers like Sun
SPARCstations and NeXTcubes with desktop resolutions like 1152×900 (Sun) and
1120×832 (NeXT). The web browser, in these desktop environments, were _not_
maximized, but were instead used as one window (or multiple windows) among
many other windows on a desktop full of other applications, icons, and menus.
(See for example the fact that the normal shortcuts Ctrl/Command-N (for new
browser window) and Ctrl/Command-W (for close window), which are standard in
all current web browsers, actually originated as built-in features of the
NeXTSTEP _window environment_ , and _not_ as a feature of the first web
browser (which was written for NeXTSTEP). Tabs were not a feature in any web
browsers yet – separate windows were used for approximately the same
purpose.).

Anyway, the first graphical web sites were written with these non-maximized
pixel widths in mind, with a typical web site being a bit above 600 pixels in
width and assuming a maximum window height of around 700 pixels. PCs, around
this time, typically had 640×480 pixels on their whole display (or maybe
800×600 or 1024×768 if they had a more expensive monitor and enough graphic
card memory, but this was more rare). At that time, a user on a normal cheap
PC, browsing a web site made for about 600 pixels in width, would find it
easiest to simply maximize the window. And running multiple applications at
the same time was not a practical option anyway for these PCs, considering the
limited CPU and RAM available, so maximizing the web browser was natural.

A few years later, as PCs became commonplace, and therefore became the norm
for web browsing, and as monitors and graphic card memory became cheaper, web
designers started using the full-screen mode as the _assumed_ mode for using
web sites, and as 800×600 (and later 1024×768) desktop resolutions became more
common on PCs, web site designers jumped to using these widths as their
assumed web browser widths. (See the common practice at the time to have
little buttons on web sites stating “ _Best viewed in 800×600_ ”, and
similar.) PC users, during all this time, were thus implicitly taught to
_always_ maximize the web browser window. Meanwhile, Sun/NeXT/SGI/etc.
workstation users did not really complain since they had ample resolution to
spare for viewing these ever widening web sites, and workstations were on the
way out anyway.

However, nowadays, with both “retina” displays and much wider than 4:3 aspect
ratios (initially 16:10 and later 16:9) being the absolute norm, it’s
_ludicrous_ to run (and design) a web site in full screen mode. I mean, the
line length shouldn’t be over 55 characters per line anyway¹, so a web site
has no business being wider than that. And personal computers are now more
than capable of running more than one program at a time, which is only made
more difficult by programs assuming they can cover the whole desktop for
themselves.

1\.
[https://en.wikipedia.org/wiki/Line_length](https://en.wikipedia.org/wiki/Line_length)

~~~
pwg
Another possible explanation for the penchant of many users (esp. non-
technical ones) to run everything "maximized":

Most non-technical users have _only_ ever seen and used MS Windows.

MS Windows has always had atrocious overlapping windows management features as
compared to Unix X11 window managers. So most non-technical users never really
learned to use multiple, overlapping, onscreen windows at the same time.

The one 'window management' feature that is directly visible to a non-
technical MS Windows user is the task bar, and then its (the task bar's) only
feature they see is "raise to top".

Applying a bit of "if the only tool you have is a hammer, all your problems
start to look like nails" mentality, and it becomes easier for a non-technical
user to simply hit the MS Windows "maximize" button on every window that opens
for any applications they use (after which most MS Windows apps remember and
auto-maximize the next time they launch) and then use "the hammer" they have
(task bar with "raise this window to top" tool) to simply pop an already full
screen window up when needed, then pop up another one when that one is needed,
etc.

Plus, from their viewpoint, this provides a "less distracting" work-space
since only the thing of interest is in view at any given moment.

Couple this with a bit of "follow the leader", or in this case, someone else
they've observed, or possibly from the trainer who maximized not because
he/she wanted to, but because the 800x600 projector of the day was too small
to demo anything with overlapping windows and we have non-technical users who
all start running everything maximized.

------
FRex
Wouldn't a better solution be exempting Mozilla from these checks? I mean
really.. it's MOZILLA. The same one that Google, Microsoft, et al are teaming
up with them to improve web docs but at the same time some (does gmail and
htomail do it or not?) of these hinder it's mailing lists about the very same
subject they are supposed to be teaming up on?

Other reputable mailing lists operators should also have all their addresses
exempt from this charade.

What is the danger that mails from Mozilla are actually SPAM, seriously.

On the other hand, I just looked into my spam on gmail right now - 2 spammy
emails (from shady domains, I guess they're okay, since they don't run mailing
lists) and 1 genuine email, form a reputable big site, emails from which I
always open that gmail judged to be spam (?!). Yes, it's promotional, so the
'content is similar to spam' but it's a newsletter that I subscribe to and
always read, from contact@ a large genuine website, so what the hell?

I used to be subscribed to some lists and only read mails I found the titles
interesting personally to me, I wonder if that hurt them too now...

'An algorithm did it' is like a new 'a wizard did it'. And it somehow
exonerates the people who put that crap in place and then its up to the victim
to fix it (complain on Twitter your YouTube was wrongly banned, complain on HN
your AWS got locked, track mailing list readers to not get demerit for
operating big mailing lists, etc.). This isn't right and often attempting to
dispute it doesn't even work, with a human reassuring the victim that the
algorithm was right until there is a mini-scandal and only then the decision
is overturned. All with 'you broke our terms and/or social guidelines', no
concrete information what even happened in the first place and then it happens
again to someone (or to the same person again).

It boggles my mind a reputable behemoth like Mozilla can be stuck in a
situation where they can't send an email to anyone until someone overturns the
algorithm's judgement which takes a lot of time (because it's soooo hard to
judge emails from Mozilla aren't SPAM, yeah, right).

I won't believe there isn't a way to do that because in that case Twitter,
YouTube and Facebook would be penalized very BADLY for all their spammy
notification emails many people leave in their social tab on gmail for years.
Somehow they don't end up in spam ever (and many of them I never open and they
would fit the description, especially Twitter updates about what's trending in
my country, that I literally can't turn off since my account was judged to be
a bot and locked right after creation and 1 Tweet and they now demand my phone
number to unlock it).

------
feelin_googley
From the comments:

"Not blindly loading elements works just fine

Posted Oct 12, 2017 17:18 UTC (Thu) by david.a.wheeler (subscriber, #72896)
[Link]

> All of them. The way this generally works is that there's a unique,
> invisible, element in the email, like a 1x1 pixel image. When that image is
> requested, the server marks that the email has been read. Since most email
> clients blindly load all HTML elements this works. Even for the more careful
> clients that don't load elements from remote servers by default and ask the
> user to click a "load full message" (k-9 mail on android does this), most
> HTML mail is unreadable without those remote assets because the layout is
> completely broken.

I don't load elements from remote servers by default, and practically never
have problems with desirable email. In my experience, email that's broken
without remote loading is practically always spam.

> This is even harder for mail client's that have to rely on a third-party
> rendering engine for HTML mail, since they don't necessarily have the hooks
> into the renderer to tell it not to load remote content.

At least some third parties DO support this functionality."

I use a non-major, non-modern "web browser" that does not load elements from
remote servers, and I practically never have problems with desirable content.

The "blind loading" problem extends to web browsers in addition to email.

In fact, email clients took the idea of tracking _from web browsers_ and
applied it to HTML email.

It may be possible to disable autoloading of images such as 1x1 pixels but
unfortunately the "major" aka "modern" browsers do not allow users to disable
all blind loading, e.g., malicious .js files.

For example, the recent Equifax incident involved blind loading of an
undesirable .js file.

This "blind loading" is the foundation of tracking and web ads, not just spam.

It seems the more the more "major" a browser is considered, the more people
refer to it as "modern", the better the browser works for tracking. Strange
coincidence I guess.

------
stephengillie
Let's make subscription timeouts a reality. When you subscribe to an email
newsletter, have it default to a 1-year subscription, which the user can
modify.

This solves this problem, and auto-unsubscribes people who are not active
users. You could have a login or other action renew the subscription.

~~~
kuschku
No.

If I subscribe to something, I want it to just continue working. I don’t want
to have to continuously spend time maintaining such bullshit.

This is another user-hostile action.

~~~
ekianjo
> If I subscribe to something, I want it to just continue working. I don’t
> want to have to continuously spend time maintaining such bullshit.

Every certificate you own for security purposes should have an expiry date,
and this is not "user-hostile", this is just good practice. A link to click on
once a year is not a big deal.

~~~
kuschku
For certificates, we have a fully standardized automated system to renew them.

I literally don’t have to do anything, and my certificates will continue to
work as long as Let’s Encrypt exists.

If I have to manually to any maintenance, the system is broken. Which, in this
case, it is.

The problem isn’t "one link to click per year", but if everyone does this,
suddenly I have to click dozens of links per day.

------
tammer
The company that truly improves email will be a fixture and a household name.
Its a devilishly hard problem, though. But one with immense potential.

I think a big limitation of current attempts are the focus on closed
teams/enterprises and making a "clean break" from email. WhatsApp seamlessly
bridged a gap between modern messaging and telecom to produce grand success —
the same can be done with email.

~~~
astrodust
Email is still a necessary component because it fills a specific need. Where
tools like Slack and Sharepoint help solve specific problems, Email is a good
general purpose tool for both short and long conversations, plus sending out
links to other tools.

I think the problem is not email itself, but email clients and their pathetic
inability to order your inbox correctly.

