Some e-mails and Web pages are not wholly self-contained. They may refer to content on another server, rather than including the content directly. When an e-mail client or web browser prepares such an e-mail or Web page for display, it ordinarily sends a request to the server to send the additional content.
These requests typically include the IP address of the requesting computer, the time the content was requested, the type of Web browser that made the request, and the existence of cookies previously set by that server. The server can store all of this information, and associate it with a unique tracking token attached to the content request.
As an example of the way Web bugs can make user logging easier, consider a company that owns a network of sites. This company may have a network that requires all images to be stored on one host computer while the pages themselves are stored elsewhere. They could use Web bugs in order to count and recognize users travelling around the different servers on the network. Rather than gathering statistics and managing cookies on all their servers separately, they can use Web bugs to keep them all together.
For e-mail, many Web bugs can be avoided by turning off HTML display and displaying only the text. Turning off the display of images while still using HTML may still allow other techniques to be used.
Web bugs are frequently used in spamming (sending unsolicited commercial e-mail) as a way of "pinging" to find which spam recipients open (and presumably read) spam before deleting it.
While Web bugs are used in the same way in Web pages or e-mails, they have different purposes:
As with all files transferred using the Hypertext Transfer Protocol, Web bugs are requested by sending the server their URL, and possibly the URL of the page containing them. Both URLs contain information that can be useful for the server:
For example, an e-mail sent to the address email@example.com can contain the embedded image of URL http://firstname.lastname@example.org. Whenever the user reads the e-mail, the image at this URL is requested. The part of the URL after the question mark is ignored by the server for the purpose of determining which file to send, but the complete URL is stored in the server's log file. As a result, the file bug.gif is sent and shown in the e-mail reader; at the same time, the server stores the fact that the particular e-mail sent to email@example.com has been read. Using this system, a spammer or e-mail marketer can send similar e-mails to a large number of addresses to check which ones are valid and read by the users.
Web bugs can be used in combination with cookies like any other object transferred using the HTTP protocol.
Web bugs are used by e-mail marketers, spammers, and phishers to verify that e-mail addresses are valid, that the content of e-mails has made it past the spam filters, and that the e-mail is actually viewed by users. When the user reads the e-mail, the e-mail client requests the image, letting the sender know that the e-mail address is valid and that e-mail was viewed. The e-mail need not contain an advertisement or anything else related to the commercial activity of the spammer. This makes detection of such e-mails harder for mail filters and users.
Tracking via Web bugs can be prevented by using e-mail clients that do not download images whose URLs are embedded in HTML e-mails. Many graphical e-mail clients can be configured to avoid accessing remote images. Examples include the Gmail, Yahoo!, and SpamCop/Horde webmail clients, and the Mozilla Thunderbird, Opera, and KMail mail readers, as well as later versions of Microsoft Outlook. Other HTML techniques (such as IFrames) can still be used to track e-mail viewing.
Text-based mail readers (such as Pine or Mutt) and graphical e-mail clients with purely text-based HTML capabilities (such as Mulberry) do not interpret HTML or display images, so their users are not subject to tracking by e-mail Web bugs. Plain-text e-mail messages cannot contain Web bugs because they cannot have images, and so are safe with any mail client.
Many modern e-mail readers and Web-based e-mail services will not load images when opening an HTML e-mail that comes from an unknown sender or that is suspected to be spam. The user must explicitly choose to load images. Web bugs can also be filtered out at the server level so that they never reach the end user. MailScanner is an example of gateway software that can disarm IFrames as well as Web bugs.
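An added example, not from the original page and not MailScanner's code: a minimal gateway-style pass over one message that finds remote `img` and `iframe` references, records whether the URL's query string carries the recipient's address (as in the bug.gif example above), and strips them before delivery. The host `tracker.example`, the sample message, and the names `Disarmer` and `disarm` are constructed for illustration.

```python
from email import message_from_string
from email.policy import default
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit, unquote

REMOTE_TAGS = {"img", "iframe"}  # the two vectors the text names

class Disarmer(HTMLParser):
    """Re-emit HTML without remote src attributes; comments are dropped."""
    def __init__(self, recipient):
        super().__init__(convert_charrefs=False)
        self.recipient, self.out, self.findings = recipient.lower(), [], []

    def _emit(self, tag, attrs, close=""):
        kept = []
        for name, value in attrs:
            url = urlsplit(value or "")
            if tag in REMOTE_TAGS and name == "src" and url.netloc:
                # A query string carrying the recipient address is a per-user token.
                tagged = self.recipient in unquote(url.query).lower()
                self.findings.append((tag, value, tagged))
                continue  # attribute dropped, so the client never requests it
            kept.append(f" {name}" if value is None else f' {name}="{escape(value)}"')
        self.out.append(f"<{tag}{''.join(kept)}{close}>")

    def handle_starttag(self, tag, attrs): self._emit(tag, attrs)
    def handle_startendtag(self, tag, attrs): self._emit(tag, attrs, " /")
    def handle_endtag(self, tag): self.out.append(f"</{tag}>")
    def handle_data(self, data): self.out.append(data)
    def handle_entityref(self, name): self.out.append(f"&{name};")
    def handle_charref(self, name): self.out.append(f"&#{name};")

def disarm(raw_message):
    """Return (cleaned_html, findings) for the HTML body of one message."""
    msg = message_from_string(raw_message, policy=default)
    recipient = msg["To"].addresses[0].addr_spec
    scanner = Disarmer(recipient)
    scanner.feed(msg.get_body(preferencelist=("html",)).get_content())
    scanner.close()
    return "".join(scanner.out), scanner.findings

# Constructed sample message; tracker.example is a placeholder host.
SAMPLE = """\
From: news@sender.example
To: email@example.com
Content-Type: text/html; charset="utf-8"

<p>Hi &amp; welcome</p><img src="http://tracker.example/bug.gif?email@example.com" width="1" height="1">
<img src="cid:logo" alt="logo"><iframe src="https://tracker.example/frame?id=42"></iframe>"""
```

The inline `cid:` image survives because it travels inside the message and triggers no request to a remote server.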
Momentarily disabling a computer's Internet connection before reading new e-mails, and deleting those messages suspected of containing Web bugs, may eliminate the threat. The added inconvenience is smaller on systems that have an Internet-disabling button on the keyboard (as is the case with many laptops).
Also, a hosts file can be used to specify that some servers are never to be contacted for any reason. This file must be continually updated to reflect the fact that new tracking servers are periodically brought online, and old ones repurposed to serve legitimate content.
As a result of these measures, Web bugs are slowly losing their effectiveness and cannot be relied on to accurately count read rates for e-mail campaigns.
Disposition-Notification-To email headers may be seen as another form of Web bug. See RFC 4021.