🎯️ Oblivion-Inverse is a simple e-mail tracking solution which based on the usage of web beacons or tracking pixels.
🚀 We have moved onto Cyclic
platform! This branch (main
) contains the code for the latest stable release of this project now.
💻 You can also use the initial versions from:
- v1 branch: Ready to be deployed on Heroku Cloud Platform or on a self hosted environment with a SQL database.
- v2 branch: Ready to be deployed on Render Cloud Platform or on a self hosted environment with Firebase Realtime Database and Firebase Authentication.
🌟 We are working on new features and improvements on 'dev' branch. You can check the progress and contribute to the project by visiting the dev branch.
- What can I achieve using this?
- Setup & Usage
- Steps to create a tracking link for your email
- How to use a Geo Location API
- Special note about some email services
- Why not using cookies for tracking?
- Contributing
- License & Copyrights
- Disclaimer
A web beacon (web bug) is a technique used on web pages and emails to unobtrusively (usually invisibly) allow checking that a user has accessed some content. Web beacons are typically used by third parties to monitor the activity of users at a website for the purpose of web analytics or page tagging. They can also be used for email tracking. - Wikipedia
Basically using this pixel tracking method you can obtain vast amount of information about the targets. But, when it comes to emails there are few restrictions. For an instance, JavaScripts are not generally allowed in email clients.
-
✅ IP address of the recipient's device (or the proxy)
-
✅️ Request Header - User-Agent (Browser, Operating System, Device information)
Ex:Mozilla/5.0 (Linux; Android 11; Nokia G10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.88 Mobile Safari/537.36
-
✅️ Additionally, you can use a Geo Location API to obtain information such as approximate location, country, ISP ( Internet Service Provider), whether the user is using a VPN/Tor and so on... ) Read how to use a Geo Location API section
Login Screen | Add New Track Record |
---|---|
Link Dashboard | Tracking Info |
-
Python3 and Pip
-
Git
-
Code Editor (such as VS Code)
-
Cyclic Account (if you plan to deploy on a remote server)
[Shoutout to Cyclic! 🎉️]: Cyclic is one of the best startup platforms to deploy your web apps. It's really easy to use and has a generous free tier + flexible pricing for your own cool projects. Consider to check it out!
-
First clone or download this repository as a Zip file to your local machine.
-
Navigate to the directory.
cd Oblivion-Inverse
-
Create a virtual environment.
python3 -m venv venv
-
Activate virtual environment.
Linux:
source venv/bin/activate
Windows:
venv\Scripts\activate
-
Install dependencies.
pip install -r requirements.txt
-
As we use Firebase Realtime Database and Firebase Authentication, you have to create a Firebase project and obtain the credentials. Visit Firebase Console and create a new project.
Then go to the project settings and click on theService Accounts
tab. Then click on theGenerate New Private Key
button. This will download a JSON file containing the credentials. Rename the file tocredentials.json
and place it in the root directory of the project. (This file is already added to.gitignore
so it won't be pushed to the repository) -
Now you have to create a new Firebase Authentication user. To do that, you have to go to the
Authentication
tab in the Firebase Console. Then click on theSet up sign-in method
button. Then click on theEmail/Password
tab and enable it. Then click on theUsers
tab and click on theAdd User
button. Enter the email and password of the user account you want to create. Then click on theAdd User
button. -
Now you have to create a new Firebase Realtime Database. To do that, you have to go to the
Database
tab in the Firebase Console. Then click on theCreate Database
button. Then select the database location and click on theNext
button andEnable
the database. -
Now go to project settings again and under the General tab you can find the
Web API Key
. And also,you are able to find theDatabase URL
under the SDK setup and configuration tab there.
(Ex:databaseURL: "https://your-app-default-rtdb.asia-southeast1.firebasedatabase.app"
)
Take a note of both of them since we will need them on the next step.
After that you can either test the application in your local machine or setup your selected platform, as you wish.
First you have to set the following environment variables. Create a new file named .env
in the root directory of the project and add the following lines to it. Replace the values with your own values.
FIREBASE_API_KEY=Your-Firebase-API-Key
FIREBASE_DB_URL=Your-Firebase-Database-URL
SECRET_KEY=replace-this-text-with-a-suitable-key
FLASK_DEBUG=true
TIMEZONE=Your-Timezone (ex:Asia/Colombo)
Note:
- FLASK_DEBUG should be set to
true
only in development environments. It should be set tofalse
in production environments. - TIMEZONE should be set to your local timezone. You can find the list of timezones here.
Then run the application using the following command:
flask run
If another program is already utilizing port 5000 (default port), Address already in use
error will be displayed.
If that happens you can specify a different port like this:
flask run --port 5001
Navigate to localhost:<port_number>
(default: http://localhost:5000) in your browser.
A login page will be displayed.
Input your newly created account's email & password and that's it!
Click the button above and follow the instructions to deploy the app to Cyclic. (Follow the below section for environment variable setup)
- Push the code to your GitHub repository.
- Sign in to your Cyclic account and click
Deploy New App
button. - Connect your GitHub account and select the repository.
- Select app runtime as
Python
and the branch you want to deploy and clickConnect
button. - Go to the
Settings
tab and click on theVariables
tab. - Select
Bulk
option and paste the following environment variables and their values and clickSave
.
FIREBASE_API_KEY=Your-Firebase-API-Key
FIREBASE_DB_URL=Your-Firebase-Database-URL
SECRET_KEY=replace-this-text-with-a-suitable-key
FLASK_DEBUG=true
TIMEZONE=Your-Timezone (ex:Asia/Colombo)
Also, you have to add the Firebase Admin SDK credentials to the environment variables as well. You can append the following environment variables with the values from the credentials.json
file you downloaded from the Firebase Console.
FIREBASE_TYPE=service_account
FIREBASE_PROJECT_ID=Your-Firebase-Project-ID
FIREBASE_PRIVATE_KEY_ID=Your-Firebase-Private-Key-ID
FIREBASE_PRIVATE_KEY=Your-Firebase-Private-Key
FIREBASE_CLIENT_EMAIL=Your-Firebase-Client-Email
FIREBASE_CLIENT_ID=Your-Firebase-Client-ID
FIREBASE_AUTH_URI=Your-Firebase-Auth-URI
FIREBASE_TOKEN_URI=Your-Firebase-Token-URI
FIREBASE_AUTH_PROVIDER_X509_CERT_URL=Your-Firebase-Auth-Provider-X509-Cert-URL
FIREBASE_CLIENT_X509_CERT_URL=Your-Firebase-Client-X509-Cert-URL
FIREBASE_UNIVERSE_DOMAIN=googleapis.com
- Go to the
Overview
tab and click on your app link to view your app.
-
Visit the homepage of the app and sign into your account.
-
Add the subject of the specific email (which will make it easier to identified at later times) and the recipient's email address.
-
Click 'Generate'
-
Then, you can drag & drop the tracking image to the end of your message body. (DO NOT copy & paste the image since it will insert your image as a base64 image to the email body) -- Otherwise, you can manipulate the content of the email body using Developer Tools in browser.
-
Everything's done! Now send your email and wait for the results to appear. (you need to refresh your browser to load new entries)
Using a Geo Location API, you can collect additional information about the recipient such as;
- Approximate location
- Country
- ISP ( Internet Service Provider)
- VPN/Tor Usage ...
This feature will be available in the next version. - Till then, you can use a service like ipwhois
to obtain the location information using the recorded IP address.
Since some clients use a special technique, "Image Proxies" to deliver images; this pixel based tracking method is not suitable to gather additional information about the recipients who use such services. Instead of recipient's IP address and User-Agent, you will receive Google Image Proxy’s UA (User-Agent) (+IP address) which looks like this:
Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko Firefox/11.0 (via ggpht.com GoogleImageProxy)
But, on the bright side, you can still get the resource accessed date and time!
Yes, you can set cookies for additional/accurate data collection. But they represent as third party cookies within devices. Most of the web browsers/platforms block such cookies by default. [maybe not Chrome yet 😉] So, it's the death of 3rd party cookies.
Got an idea? Found a bug? Feel free to open an issue or submit a pull request. For major changes, please open an issue first to discuss what you would like to change.
Please read CONTRIBUTING.md for details on our code of conduct, and the process for submitting pull requests to us. You can also check CODE_OF_CONDUCT.md for more information.
This program is free software: you can redistribute it and/or modify it under the terms of the MIT License
Refer to the LICENSE file for more details.
Heroku, Render, Cyclic, GMail, ipwhois, VS Code, Chrome are copyrights and/or trademarks of their respective owners.
Tracking other users actions across any platform may considered as violation of their privacy. So, kindly use this in a responsible manner. Authors of this repository are not responsible for any misuse of the provided information.