Tracking User Location from an Email

Introduction

In this absolutely innocent project, I’ll show you how to "gently" track someone's location using nothing more than a harmless broken image link embedded in an email. This perfectly ethical approach will help you understand how tracking mechanisms work and how your email signature can become the perfect little spy tool.

Project Overview

This project features two super simple components (don’t worry, no one gets hurt):

  1. Tracking Mechanism: Embed a completely harmless broken image in your email signature. What could possibly go wrong? This triggers a request to a logging script on your server.
  2. Email Setup: Use your trusty Proton email account to send the email because, well, Google might just get suspicious of your shenanigans and ruin the fun.

[ Email Sent ]
    |
    v
[ Recipient Opens Email ]
    |
    v
[ Tracking Image Loads ] --> [ Request Sent to Server ]
                                  |
                                  v
                         [ log.php Logs User Data ]

Step-by-Step Implementation

1. Creating the Tracking Script (log.php)

First, you need a script that tracks the poor unsuspecting soul who opens your email. Here’s the PHP code to get the job done:

<?php
include 'functions.php';

$browser = getBrowser();
$date    = date('m/d/y g:i A');
$ip      = getIP();
$referer = getReferer();
$logData = "[$date] $browser | $ip | $referer" . PHP_EOL;

// Log access to the text file, creating it if it doesn't exist
file_put_contents('logs.txt', $logData, FILE_APPEND);

// Emit an <img> tag as the response body. This is HTML, not image data,
// so the mail client shows the signature image as broken.
echo '<img src="sig.png">';
?>

Here's what's going to happen (in simple terms):

[ User Opens Email ]
    |
    v
[ Tracking Image Requests log.php ] --> [ log.php Logs User Info ]
                                          |
                                          v
                             [ logs.txt Stores IP, Browser, Referer ]

2. Utility Functions (functions.php)

You’ll need a few handy functions to extract crucial info, like where the person is sitting and what browser they're using. Here’s how:

<?php
function getBrowser() {
    return $_SERVER['HTTP_USER_AGENT'] ?? "Unknown User-Agent";
}

function getIP() {
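    // X-Forwarded-For is supplied by the client or by proxies and can be
    // spoofed, so this value is only a hint, not a verified address.
    if (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {
        $ipList = explode(',', $_SERVER['HTTP_X_FORWARDED_FOR']);
        return trim($ipList[0]); // Return the first IP from the list
    }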
    return $_SERVER['REMOTE_ADDR'] ?? "Unknown IP";
}

function getReferer() {
    return $_SERVER['HTTP_REFERER'] ?? "Unknown Referer";
}
?>

3. Configuring .htaccess

Now, to make sure that things go smoothly and no one can stop you (legally), configure the .htaccess file to redirect requests like a pro:

RewriteEngine On

# Deny direct requests for .php files. The RewriteCond below applies only
# to the RewriteRule that immediately follows it.
RewriteCond %{REQUEST_FILENAME} !index\.html$
RewriteRule \.php$ - [F,L]

# Reroute index.html requests to log.php
RewriteRule ^index\.html$ log.php [L]

# Prevent directory listing
Options -Indexes

In simple terms:

[ Email Client Loads Tracking Image ]
    |
    v
[ .htaccess Redirects Request to log.php ]
    |
    v
[ User Data Captured & Logged ]

4. Setting Up the Email

To track user activity via email (because why wouldn’t you?):

  1. Add an image to your email signature that points to the HTML file on your server. You know, so you can track your "innocent" recipients.
  2. Send the email using a Proton email account (because Google is a buzzkill and might block the fun).

[ Email Sent with Tracking Image ]
    |
    v
[ Recipient Opens Email ]
    |
    v
[ Tracking Request Captured ] --> [ Data Stored in logs.txt ]

How It Works

When your recipient opens the email and, of course, loads the "harmless" broken image in the signature, a request is made to log.php. The script logs what that single request reveals about them: their IP address, their browser's User-Agent string, and the Referer header if the client sends one (so, at most, the one time they opened your email). The data is then saved in logs.txt. Totally not creepy, right?
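
Seen from the recipient's side, the request described above can be spotted before a message is ever rendered. This added example (not part of the original project; the sample message, host names and heuristics are constructed for illustration) parses a raw message and lists every remote image, flagging those whose path is not an image file, as with the index.html link used here:

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

IMAGE_EXTS = (".png", ".jpg", ".jpeg", ".gif", ".webp", ".bmp", ".svg")

class RemoteImageFinder(HTMLParser):
    """Collect <img> tags whose src triggers a network request when rendered."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = dict(attrs)
        url = urlparse(a.get("src") or "")
        if url.scheme not in ("http", "https"):
            return  # cid:/data: images are embedded; no request leaves the client
        reasons = []
        if not url.path.lower().endswith(IMAGE_EXTS):
            reasons.append("path is not an image file")
        if url.query:
            reasons.append("query string may carry a per-recipient token")
        if a.get("width") in ("0", "1") or a.get("height") in ("0", "1"):
            reasons.append("declared size is 0 or 1 pixel")
        self.findings.append((url.geturl(), reasons))

def scan_message(raw: bytes):
    """Return [(url, reasons)] for each remote image in the message's HTML parts."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    finder = RemoteImageFinder()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            finder.feed(part.get_content())
    return finder.findings

# Constructed sample message: a signature image that points at an HTML page,
# an ordinary remote logo, and an inline (cid:) attachment.
SAMPLE = b"""From: sender@example.org
Content-Type: text/html; charset=utf-8

<img src="https://tracker.example/index.html">
<img src="https://cdn.example/logo.png" width="120" height="40">
<img src="cid:inline-logo">
"""

if __name__ == "__main__":
    print(scan_message(SAMPLE))
```

Any remote image, flagged or not, exposes the recipient's IP address and User-Agent when it loads. Blocking remote content by default in the mail client, or fetching images through a proxy, keeps that request from reaching the logging server directly.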

Ethical Considerations

While this project is a fun way to explore how tracking works, let’s all be responsible human beings here. Don’t go invading privacy or violating laws, okay? This is purely for educational purposes, and we all know how that goes.