[Fixed] Tracking links in notification emails

SimonSapin · June 12, 2014, 2:16pm

Discourse sends notification emails in some cases when stuff happens, which is great, but the HTML version contains misleading links.

<p>To respond, reply to this email or visit <a href="http://mandrillapp.com/track/click.php?u=3022&id=b9389b72f7394&url=http%3A%2F%2Fdiscourse.wicg.io%2Ft%2Finitial-set-your-own-initial-styles-for-css-properties%2F198%2F7&url_id=6f6177a5a377b97e">http://discourse.wicg.io/t/initial-set-your-own-initial-styles-for-css-properties/198/7</a> in your browser.</p>

When rendered, it looks like a link to http://discourse.wicg.io/ but it actually goes to an unrelated domain. To a path, of all things, called /track/click.php. This smells bad. So much that Thunderbird (at least for me) shows a big red warning “This message may be a scam.”

Why is this the case? Who has access to the collected data? How is it used? Can and should this be disabled for specifiction.org?

domenic · June 12, 2014, 2:45pm

This really feels like something you should be reporting to Discourse; we just use their software. (We didn’t write it ourselves.)

SimonSapin · June 12, 2014, 5:38pm

Good point. https://meta.discourse.org/t/tracking-links-in-notification-emails/16482

SimonSapin · June 12, 2014, 8:12pm

I guess it’s up to @robin to disable it? https://meta.discourse.org/t/tracking-links-in-mandrill-notification-emails/16482/3

robin · June 13, 2014, 7:42am

Thanks for reporting and looking into this @SimonSapin. I basically set this up on the side and customised very little. Mandrill is not a hostile domain, it’s just the provider used for email blasts. They are not tracking for their purpose, they’re tracking opens and clicks for their customers by default because that’s what people normally expect from emailing services.

I have found the option and disabled it, it should be gone now.

SimonSapin · June 13, 2014, 8:19am

Status: RESOLVED FIXED