MailTrackerBlocker macOS Apple Mail plugin

I saw the plugin called MailTrackerBlocker featured by Daring Fireball and Tao of Mac.

The plugin supposedly blocks tracking pixels in emails. The main benefit by using this plugin is you can enable Mail.app → Preferences → Viewing → Load remote content in messages.

There are many way to track read status on email, the infamous tracking pixel known to be one. Other way is to include innocent looking feature image (say, a banner or scanned signature).

I’ve tried this plugin and it works great. This is free, but you can donate via GitHub Sponsors.

5 Likes

I kicked in $10 to the developer. It’s a great feature that Apple should have built themselves by now.

1 Like

I’ve been using this for a few weeks now, but in the last week I’ve been having problems with broken links in email. Dropbox invitation to shared folder do not work. I confirmed that it is due to this plugin by disabling it; the links work again.

With the plugin installed, for example, a Dropbox link now starts with “https://scl.com/” — which Safari reports as “cannot be found”.

I don’t know if this is because the plugin is written incorrectly or if it’s actually breaking something in Mail (or if the software is malicious). I don’t run any other plugins.

Since there seems to be no way to find the link, I’m going to uninstall it and return to blocking all images.

1 Like

Have you installed the latest version? The install/upgrade source was changed a while ago (assuming you are using brew).

1 Like

I wasn’t using Homebrew to install. It was the latest compiled version. I got deeply lost in GitHub trying to submit the URL error, but after an hour I realized I don’t have the time to deal with this.

It’s a great idea, but not ready for the real world just yet.

1 Like

Hi, I really sorry just read your reply, and am sorry for the inconvenience because this plugin I recommended.

I try replicating your issue, and it can be confirmed. I searched their code base, and it seems they omit any word containing dropbox.com/l/ (the culprit code if curious) in the email’s html, and your Dropbox paper invitation link became invalid.

I don’t know their rationale for omitting dropbox domain, but I will open issue on GitHub. The plugin will be better if they only omit images less than 10*10px, and don’t omit redirect link.

Edit:
Issue made on GitHub, issue number #102

@margaretamartin also @Drewster
This issue has been fixed :tada:

Issue #102 has been closed and the latest release can be downloaded via homebrew or the installer for 0.3.29 from here.

I tried the new build and can confirm, invite button’s link won’t break. Surprisingly it still block “something” from the Dropbox’s invite mail, and after I compare the mail with the plugin on and off, I can assure that Dropbox also use pixel tracker.

Fast response from the developer, I am glad and the trust for this project increased.

1 Like

Thank you. It works now.

1 Like

This is awesome! It’s really nice to be able to see images in messages again while still retaining privacy and without the friction of deciding to and pressing the “load remote content” button. Thanks for sharing! I’m going to send them some :money_with_wings:, too.

1 Like

That’s great, thanks!

But more than just Dropbox broke with that plug-in installed — Dropbox was just the one that came to mind. If every broken email has to be fixed by hand, then it doesn’t seem like a sustainable solution for a small team.

I won’t be reinstalling it because I can’t lose access to important email links.

Plus, if it’s able to rewrite URLs, that’s a huge security risk. I hadn’t thought about this before, but the security implications are serious. I know we’re all supposed to “not click” on links in email, but sometimes we have no choice. Dropbox shares, login verifications, password resets, Zoom invitations, etc. There’s no way to avoid using the links that are sent via email. In this case the URLs were rewritten to something that won’t resolve, but what if they were rewritten to phishing sites?

Since I can’t verify the code behind it (because I’m neither a coder nor a security expert), then how can I trust it? I don’t mean to suggest nefarious actions by the developers! But it’s a pretty ripe target for bad actors.

That said, perhaps the URLs cannot be rewritten in this manner. I don’t know enough about it, honestly. But the fact that they can be altered at all is alarming.

1 Like

Microsoft 365 has a service that “rewrites” every link in an email, so that the original link gets “filtered” and verified by Microsoft’s security services.

If (when) clicks on the link, and it is unsafe, Microsoft displays a message, and “denies access” to the unsafe link destination.

Very convenient.

That is valid point. Security and privacy is something that we should be aware and careful of. Especially this software touches the users’ email.

I respect that.

Just to clarify, since the fix for issue #102, MailTrackerBlocker only delete pixel tracker and won’t touch clickable button’s link.
The fix not only handle Dropbox, but all link listed in “list of links often used for tracking” (originally, the author got the list from Hey mail’s list).