by julianj 2895 days ago
I don't believe so. I wrote a browser plugin that would ping a time-based DNS entry similar to what the article does in order to alarm if someone was inspecting my traffic and show from where. I have seen hits from Singapore and other locations. Sometimes it's a web filtering vendor or other security tools company, days or weeks later. Sometimes I can't determine who the source is and avoid using that network in the future.
1 comments

Can you elaborate on your canary system? I speculate you would need to set up your own DNS. For correlating subsequent inspection, you would need to do some allocation of honeypot addresses in an IP(v6?) prefix and capture that traffic. Logging requests to unique subdomains on a webserver you control would be another quickly built and limited mechanism. Embedding prepared URLs in email comes to my mind as another method of counter-reconnaissance on the whole network delivery path. Though you would want to inform the legitimate recipient. Thanks for the ideas.
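
A sketch of the time-based DNS canary and unique-subdomain logging discussed in the two comments above, added here as an example and not code from either commenter or from the article. The zone name, secret, log line format and 300-second threshold are all assumptions, and the sample log is constructed.

```python
import base64, hashlib, hmac

SECRET = b"constructed-demo-key"   # assumption: secret kept on the client and the log analyser
ZONE = "canary.example.test"       # assumption: zone whose authoritative DNS queries you log
REPLAY_AFTER = 300                 # seconds; later lookups did not come from the browser itself

def _tag(payload):
    mac = hmac.new(SECRET, payload.encode(), hashlib.sha256).digest()
    return base64.b32encode(mac[:5]).decode().lower()   # 8 DNS-safe characters

def make_canary(ts, network):
    """Hostname carrying emission time and a hyphen-free label for the network in use."""
    payload = f"{ts:x}-{network.lower()}"
    return f"{payload}-{_tag(payload)}.{ZONE}"

def parse_canary(qname):
    """Return (ts, network) for an authentic canary name, else None."""
    name = qname.rstrip(".").lower()   # resolvers may randomise case
    if not name.endswith("." + ZONE):
        return None
    parts = name[: -len(ZONE) - 1].split("-")
    if len(parts) != 3:
        return None
    ts_hex, network, tag = parts
    expected = _tag(f"{ts_hex}-{network}")
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return None                    # forged or corrupted name
    return int(ts_hex, 16), network

def find_replays(log_lines):
    """Each line (assumed format): '<epoch seconds> <source ip> <qname>'."""
    alerts = []
    for line in log_lines:
        try:
            seen, src, qname = line.split()
            seen = int(seen)
        except ValueError:
            continue                   # skip malformed lines
        parsed = parse_canary(qname)
        if parsed and seen - parsed[0] > REPLAY_AFTER:
            alerts.append({"network": parsed[1], "source": src, "delay": seen - parsed[0]})
    return alerts

def sample_log():                      # constructed log lines, documentation-range IPs
    name = make_canary(1500000000, "hotelwifi")
    return [f"1500000002 192.0.2.10 {name}",             # own resolver, immediate
            f"1500864000 203.0.113.77 {name.upper()}",   # same name ten days later
            f"1500864005 198.51.100.9 59682f00-hotelwifi-aaaaaaaa.{ZONE}",  # bad tag
            "malformed line"]
```

The HMAC tag keeps random scanners that guess names under the zone from raising alerts, and the embedded timestamp is what turns a late lookup into a measurable delay per network.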