An HTML-only email from a gov agency has a logo referencing an URL that looks like this:

https://1wy1y.mjt.lu/tplimg/1wy1y/f/l9hl7/g3q3v.png

It’s not exactly that (apart from the domain) but of course it’s rather unique looking. They send email routinely. The initial emails had an obviously non-suspicious basic logo, like “(their office domain)/files/logo.png”. But then later they switched and every message from them is the URL in the mjt.lu domain. It’s not unique per message but it could be unique to the user, perhaps to keep tabs on when each person reads their messages.

The output of torsocks curl -LI looks like this:

HTTP/2 200
date: (exactly now)
content-type: image/png
accept-ranges: bytes

That’s it. It’s the shortest HTTP header I’ve seen. There’s no content-length. I find that suspicious because if this is a service that facilitates tracker pixels, then they would want to withhold the length in order to dodge detection. Although from its usage in my case it wouldn’t just be a pixel – it’s a logo.

The date is also suspect. Shouldn’t the date be the date of the object, not the current time this second?

Are there any other checks to investigate this?

  • nothacking
    link
    fedilink
    English
    arrow-up
    2
    ·
    8 months ago

    Make another account to see if a different user/email address gets a different URL, which would indicate that it is used to track users.

    • coffeeClean@infosec.pubOP
      link
      fedilink
      English
      arrow-up
      2
      ·
      edit-2
      8 months ago

      That’s cheating. I wish it were that easy but I really can’t create another account for this. I will ask around if anyone else has an account so we can compare notes. But I was just wondering if there is anything else I can do in a solo investigation to get more clues. It would generally be a useful skill to detect messages from other senders as well. I did a search on the domain to see if it’s a known service that sells tracking capability but that came up dry. nvm… it seems mailjet.com is behind this and they appear to be pitching analytics services.