IT Security Blog

15 July 2008

Steve Gibson of Security Now Completely Misses the Mark in Episode 150


Those who know me know that I enjoy listening to podcasts.  In particular, I enjoy security-related podcasts, especially when waiting for a flight or during the 50-minute drive into work every day.

One podcast that recently raised my ire a bit is one that I listen to quite frequently, the Security Now podcast which is done by Steve Gibson (of Gibson Research Corporation) and Leo Laporte.  I am a frequent listener of this podcast, and was somewhat excited to hear the MX Logic name mentioned in episode #150,  "Listener Feedback Q&A" (audio version here).  Unfortunately, that joy quickly turned to aggravation as I listened to Steve not only give a completely uninformed response, but then also basically accuse us of using tactics similar to what spammers use to track active email accounts.  Unfortunately, I have yet to receive a response to my letter to Steve, so I wanted to be sure to clear the air on any misconceptions that he created during his podcast.

If you aren't familiar with the Security Now podcast format, every other week he and Leo go through the Security Now mailbag and select 12 questions from listeners that they will address on-air.  Question number 12 of episode 150 was from one of our customers.  Essentially he was concerned about tracking devices in email because he noticed that as he read an email on his Blackberry we were supposedly injecting graphics into his email.

Steve immediately jumped on the bandwagon and said "...this is absolutely tracking.  And this is why I'm so down on third-party cookies."  Here is where everything started to go completely wrong for him, especially since immediately afterward he also said "...there's no other information in the URL".  So, on one hand he says that "it is absolutely tracking" but on the other hand he says "there is no other information in the URL."  So, if there is no tracking information in the URL and we aren't setting a cookie of some kind when the image is pulled (another thing he got wrong since he mentions third-party cookies in his original response), what are we possibly tracking?  Sure, the IP address of the client pulling the image will appear in our web server logs, but that doesn't tell us anything.

The truth of the matter is Steve completely missed the mark in his response.  The reason that this "injection" happened is a result of a customer-configurable feature of our offering called HTMLShield.  With HTMLShield customers can configure their email filtering options such that certain HTML tags (such as javascript and iframes, which are frequently the cause of drive-by malware downloads) within an email message are stripped (note that this is off by default, so customers have to specifically configure how they want this feature to work).  As part of HTMLShield, customers can also choose to have image links within an email replaced with a transparent GIF image (note that this is also turned off by default, even if HTMLShield is enabled.  So to enable this feature, a customer has to not only enable HTMLShield, but then also separately enable the feature to replace image links).  No tracking is done of images that are replaced.  We simply substitute the image link with a transparent GIF, then pass the message down to our customer.
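
The filtering behaviour described above, as an added Python example (not MX Logic's code or configuration): active-content tags are stripped only when the shield is enabled, and image links are rewritten only when that second option is also enabled. The names `html_shield`, `ShieldRewriter`, `STRIP_TAGS` and the placeholder URL are assumptions made for illustration.

```python
from html import escape
from html.parser import HTMLParser

STRIP_TAGS = {"script", "iframe"}  # tags the post names; illustrative set
PLACEHOLDER = "https://filter.example.invalid/transparent.gif"  # hypothetical URL

class ShieldRewriter(HTMLParser):
    """Re-emits HTML without STRIP_TAGS elements; optionally rewrites <img src>.
    Comments and doctype declarations are not re-emitted."""
    def __init__(self, replace_images):
        super().__init__(convert_charrefs=False)
        self.replace_images, self.out = replace_images, []
        self.skip, self.replaced = 0, 0  # skip > 0 while inside a stripped element

    def handle_starttag(self, tag, attrs):
        if tag in STRIP_TAGS:
            self.skip += 1
        if self.skip:
            return
        if self.replace_images and tag == "img":
            self.replaced += any(n == "src" for n, _ in attrs)
            attrs = [(n, PLACEHOLDER if n == "src" else v) for n, v in attrs]
        parts = [tag] + [n if v is None else f'{n}="{escape(v, quote=True)}"'
                         for n, v in attrs]
        self.out.append("<" + " ".join(parts) + ">")

    def handle_startendtag(self, tag, attrs):  # e.g. <img ... /> has no end tag
        self.handle_starttag(tag, attrs)
        if tag in STRIP_TAGS:
            self.skip -= 1

    def handle_endtag(self, tag):
        if tag in STRIP_TAGS:
            self.skip = max(0, self.skip - 1)
        elif not self.skip:
            self.out.append(f"</{tag}>")

    def _text(self, s):
        if not self.skip:
            self.out.append(s)

    def handle_data(self, data): self._text(data)
    def handle_entityref(self, name): self._text(f"&{name};")
    def handle_charref(self, name): self._text(f"&#{name};")

def html_shield(body, enabled=False, replace_images=False):
    """Both options default to off; image replacement needs the shield enabled."""
    if not enabled:
        return body, 0
    r = ShieldRewriter(replace_images)
    r.feed(body)
    r.close()
    return "".join(r.out), r.replaced

# Constructed sample message body.
SAMPLE = ('<p>Hi &amp; welcome</p><script>var x = 1;</script>'
          '<iframe src="http://ads.example.invalid/x"></iframe>'
          '<img src="http://news.example.invalid/logo.png?id=123" alt="logo">')
```

An unclosed stripped element causes everything after it to be dropped, so the rewriter fails closed. Once the `src` is rewritten, the mail client fetches only the placeholder, so the original sender's web server never sees the request.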

I would've hoped that someone with as much experience in the security industry would have been a bit more responsible in his answer and done a bit more homework before responding to the listener's question the way that he did, especially knowing that his podcast is so widely listened to amongst security professionals.  Since I have been a longtime listener of Steve's podcast I like to think that his desire to jump all over this question and even go so far as to at one point agree with Leo that what we are doing is similar to spammers' "spam beacon" tracking mechanisms wasn't a backhanded plug for his primary sponsor, Astaro... I guess I am just not that trusting.

Posted by smasiello at 9:42 AM

Re: Steve Gibson of Security Now Completely Misses the Mark in Episode 150
Thanks for your explanation. This helps a lot in understanding HTML Shield. I am a customer through LuxSci.com and while I love the service, I generally think MXLogic can do much better with its help text in the messaging portal.

It's a pity Steve Gibson misrepresented MXLogic on his podcast, though.
Posted by ramdak on July 15, 2008 at 9:08 PM

Re: Steve Gibson of Security Now Completely Misses the Mark in Episode 150
I am aware of Steve Gibson's work and although I don't listen to his podcasts, I am a very satisfied MX Logic customer. I cannot imagine why anyone wouldn't use MX Logic. It's a no-brainer.
Posted by Steve Kowalsky on July 18, 2008 at 5:40 PM
