
Tracking, Propagation Attacks, and What We Found in Real Email Traffic
A few weeks ago I posted about finding the same per-recipient identifier in three independent places inside a single marketing email -- pixel, click redirects, and technical headers -- and asked what other vectors people had seen. Surveying surfaced some good ones: CSS media queries, hidden data attributes, MIME boundary patterns. I went looking. Here is what I found in real production traffic, and what turned out to be harder to close than expected.

1. CSS Tracking Is Broader Than I Thought

The original post focused on <img src=> pixels and click-redirect wrappers. CSS-based tracking is a separate attack surface that image-blocking tools don't touch, and it is more varied than the obvious background-image case.

The obvious case (external stylesheet link):

    <link rel="stylesheet" href="https://tracker.esp.com/open/PERRECIPIENTTOKEN.css">

When the email client loads this stylesheet, the sender's server logs the open. The member never sees this. Apple Mail Privacy Protection pre-fetche
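
To check a message body for the CSS-driven loads described above, the following added example (not code from the original post) lists every remote fetch that CSS would trigger. It goes beyond the `<link>` case to `<style>` blocks and inline `style` attributes; the function names, the `tracker.example` host and `TOKEN123` are hypothetical placeholders.

```python
import re
from html.parser import HTMLParser

# Remote targets inside CSS text: url(...) values and quoted @import strings.
CSS_URL = re.compile(r"""url\(\s*['"]?((?:https?:)?//[^'")\s]+)""", re.I)
CSS_IMPORT = re.compile(r"""@import\s+['"]((?:https?:)?//[^'"]+)['"]""", re.I)

def remote_css_refs(css):
    """Return the remote URLs a client would fetch when applying this CSS."""
    return CSS_URL.findall(css) + CSS_IMPORT.findall(css)

class CssFetchFinder(HTMLParser):
    """Collects (vector, url) pairs for CSS-driven remote loads in an HTML body."""
    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "link" and "stylesheet" in a.get("rel", "").lower().split():
            if a.get("href"):
                self.findings.append(("link-stylesheet", a["href"]))
        if tag == "style":
            self._in_style = True
        # Inline style="" attributes can carry url(...) on any element.
        for url in remote_css_refs(a.get("style", "")):
            self.findings.append(("inline-style", url))

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:  # text inside <style>...</style>
            for url in remote_css_refs(data):
                self.findings.append(("style-block", url))

def find_css_fetches(html):
    finder = CssFetchFinder()
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample body; tracker.example and TOKEN123 are placeholders.
SAMPLE = """<head><link rel="stylesheet" href="https://tracker.example/open/TOKEN123.css">
<style>.h{background-image:url('https://tracker.example/mq/TOKEN123.png')}</style>
</head><body><div style="background:url(https://tracker.example/bg/TOKEN123.gif)">Hi</div>
<img src="https://tracker.example/pixel/TOKEN123.gif"></body>"""
```

The `<img>` pixel in the sample is deliberately not reported: it is the case image blocking already covers, while the three CSS findings are the ones it misses.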
