Use CFCONTENT to secretly track readers of your emails from ColdFusion.
Many of us have used the CFCONTENT tag that comes with ColdFusion to serve up files to browsers, but very few ColdFusion developers are aware that the CFCONTENT tag can be used in conjunction with the HTML <IMG> tag to serve up graphics such as JPEGs and GIFs. In this case, the why of doing this is perhaps just as interesting as the how. It turns out that this technique is perfect for creating an advertising banner server, controlling access to graphic files or, on the more sinister side, creating “web bugs.” If you don’t recall, a web bug is a graphic (usually an invisible one-pixel shim) embedded in an HTML email message or Word document that tips off its creator to who is reading it and when, without the reader even knowing their access was logged.
If you’ve never used the CFCONTENT tag before, it’s an excellent tool to know about. In layman’s terms, CFCONTENT tells a web browser that it’s about to receive a non-HTML file, and then sends it to the browser. It does this by allowing you to specify a MIME type and a filename to send to the browser. So a ColdFusion template name can be put in place of a JPEG or GIF file like so:
<IMG SRC="http://www.myserver.com/images/send_graphic.cfm">
The ColdFusion template “send_graphic.cfm” will contain a CFCONTENT tag that specifies “image/gif” for the MIME type and is pointed at the name of an actual .GIF file. The kicker is that you can also include code that logs the access to the file to a database table or does just about anything else ColdFusion can do. This is where privacy advocates get upset. If logging access isn’t bad enough, your send_graphic.cfm file could also use CFCOOKIE to set a cookie on the viewer’s machine. In turn you could later check for the cookie when the user visits your website. If the cookie IS there, then you could infer that the person viewed the email and then decided to visit the website. And that’s just the beginning of the worst of the possibilities.
A more common use of CFCONTENT in this way is to serve graphics for a banner server-type application. The logistics and possibilities are about the same as for a web bug. The only major difference is that even less savvy Internet users are aware that someone is probably logging each and every time the graphic is viewed. In the same spirit as with security flaws in applications, the authors of this article feel that it’s better to make as many people as possible aware of these techniques and then let them decide how to use the information. This is, after all, real-world stuff that is regularly used by web programmers at Microsoft, Barnes and Noble and other major direct emailers. So in that spirit, let’s take a look at some example code.
send_graphic.cfm:
<CFTRY>
    <CFSETTING enablecfoutputonly="yes">
    <CFPARAM name="nslookup" default="unknown">
    <!--- Resolve the client's IP address to a host name (calls to the CFX tag are serialized with a lock). --->
    <CFLOCK NAME="NSLOOKUP" TIMEOUT="30">
        <CFX_NSLookup IPHOST="#CGI.remote_addr#">
    </CFLOCK>
    <!--- Log the view. Values are bound with CFQUERYPARAM; the resolved host name comes from DNS and is not trusted. --->
    <CFQUERY NAME="Log_Image_Views" DATASOURCE="#application.dsn#">
        INSERT INTO log_image_views (logo_view_IP, logo_view_date, logo_view_domain)
        VALUES (
            <CFQUERYPARAM VALUE="#CGI.remote_addr#" CFSQLTYPE="CF_SQL_VARCHAR">,
            #createodbcdatetime(now())#,
            <CFQUERYPARAM VALUE="#NSLookup#" CFSQLTYPE="CF_SQL_VARCHAR">
        )
    </CFQUERY>
    <!--- Force the browser to download the image file. --->
    <CFCONTENT TYPE="image/gif" FILE="c:\images\invisible_pixel.gif">
    <CFSETTING enablecfoutputonly="no">
    <CFCATCH TYPE="any">
        <!--- Logging failed; send the image anyway. --->
        <CFCONTENT TYPE="image/gif" FILE="c:\images\invisible_pixel.gif">
    </CFCATCH>
</CFTRY>
This simple example uses a custom tag called <CFX_NSLookup>, available free from Lewis Sellar’s Intrafoundation (http://www.intrafoundation.com/freeware.html), to get the user’s domain name from the IP address. We use CFTRY tags to catch any possible logging failures and just send the image anyway. Finally, we use CFSETTING to suppress any extra white space that might be generated by our code formatting. To avoid problems with web browsers, the only output we need or want comes from CFCONTENT.
So there you have it. When the web browser or email client loads the HTML containing <IMG SRC="http://www.myserver.com/images/send_graphic.cfm">, the viewer’s IP address, the date and possibly their domain name are logged in a database and the graphic is sent, and the uneducated viewer is none the wiser.
Advantages of using CFCONTENT to serve graphics:
1) The actual location of the file does not have to be in the accessible web path. (This is good if your users are paying for the files, such as graphics libraries, PDF reports or install EXEs.)
2) You can include code in the template that can log access to the file.
3) The file to be displayed can be dynamically selected based on other criteria, e.g. random image display, graphic size based on connection speed, etc.
Did they read the email?
Did you ever want to know who reads your email? Just embed their email address in a web bug URL. You'll probably be CFLOOPING over a list of e-mail addresses, so in your CFMAIL tag, you'd embed the following web bug (where email is the name of the field that contains your e-mail addresses).
<img src="http://www.myserver.com/bug.cfm?id=#urlencodedformat(email)#" height=1 width=1>
Then on your server, you'd have the following script (saved as /bug.cfm).
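<CFSET dtDate = createodbcdatetime(now())>
<!--- Only update when an ID arrived in the query string. --->
<CFIF isdefined("URL.ID") and len(URL.ID)>
    <!--- ID is reader-controlled input, so bind it with CFQUERYPARAM rather than building it into the SQL string. --->
    <CFQUERY NAME="SAVEDATA" DATASOURCE="MYDATASOURCE">
        UPDATE EmailList SET HasRead = #dtDate#
        WHERE email = <CFQUERYPARAM VALUE="#URL.ID#" CFSQLTYPE="CF_SQL_VARCHAR">
    </CFQUERY>
</CFIF>
<!--- Always return the shim image, whether or not anything was logged. --->
<CFCONTENT TYPE="image/gif" FILE="c:\inetpub\wwwroot\shim.gif" DELETEFILE="no">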
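Seen from the receiving side, the same traits make a web bug detectable before a mail client fetches it. The following Python example is added here and is not code from the article's authors: it checks each remote <IMG> in an HTML message body for the three traits described above (1x1 size, a server-side template as the source, the reader's address in the query string). The function name, reason labels, extension list and sample message are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlsplit

# Server-side template extensions; .cfm is the case the article describes.
DYNAMIC_EXTENSIONS = (".cfm", ".php", ".asp", ".aspx", ".jsp", ".cgi")

# Constructed sample message body (not taken from a real mailing).
SAMPLE_HTML = """<html><body><p>Spring newsletter</p>
<img src="http://www.myserver.com/images/logo.gif" width="120" height="40">
<img src="http://www.myserver.com/bug.cfm?id=reader%40example.com" height=1 width=1>
<img src="cid:banner01" width="1" height="1"></body></html>"""

class _ImgCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.images.append(dict(attrs))

def _pixels(value):
    """Parse '1' or '1px' to an int; return None for anything else."""
    m = re.fullmatch(r"\s*(\d+)\s*(?:px)?\s*", value or "", re.I)
    return int(m.group(1)) if m else None

def find_web_bugs(html, recipient):
    """Return [(src, [reasons])] for remote images that look like web bugs."""
    collector = _ImgCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.images:
        src = attrs.get("src") or ""
        url = urlsplit(src)
        if url.scheme not in ("http", "https"):
            continue  # cid:/data: images are embedded and contact no server
        reasons = []
        w, h = _pixels(attrs.get("width")), _pixels(attrs.get("height"))
        if w is not None and h is not None and w <= 1 and h <= 1:
            reasons.append("tiny")
        if url.path.lower().endswith(DYNAMIC_EXTENSIONS):
            reasons.append("dynamic-template")
        # parse_qsl percent-decodes values, undoing URLEncodedFormat().
        if any(recipient.lower() in v.lower() for _, v in parse_qsl(url.query)):
            reasons.append("recipient-in-url")
        if reasons:
            findings.append((src, reasons))
    return findings
```

A mail gateway or client can use findings like these to block remote image loading for the message or to strip the flagged tags before display.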
Summary
Web bug graphics let you track who reads email or Word documents. ColdFusion can serve up smart web bugs or any other dynamic graphic using CFCONTENT.
Resources
Web bug FAQ
http://www.eff.org/pub/Privacy/Profiling_cookies_webbugs/web_bug.html
General privacy site
http://www.privacyfoundation.org/
Bio
Eron Cohen ([email protected]) is a freelance ColdFusion programmer, MDCFUG speaker, trainer and author. Michael Smith is president of TeraTech (http://www.teratech.com/), a 12-year-old Rockville, Maryland based consulting company that specializes in ColdFusion, Database and Visual Basic development. Michael runs the MDCFUG and recently organized the two-day, Washington, DC-based CFUN-2k conference that attracted more than 750 participants. You can reach Michael at [email protected] or 301-881-1440.