Digitally signed (S/MIME) replies will divulge true e-mail

Postby VanguardLH » Tue Oct 02, 2012 12:24 am

Digitally signed e-mails as replies to Spamgourmet aliased e-mail will divulge true e-mail address

My e-mail client (Outlook 2003) is configured to digitally sign my outbound e-mails. This is a global option. The client does not have the option to individually configure which accounts will, by default, use S/MIME to digitally sign e-mails through those accounts. It's all or nothing. If all, you have to jump through hoops to change the security settings on an individual e-mail to remove the digital signature. If nothing, you have to jump through hoops to add a digital signature to an e-mail sent through that account.

When I receive an e-mail through an alias at Spamgourmet, a reply will include my digital signature (because I configured Outlook to digitally sign outbound e-mails which is a global setting across all accounts defined within Outlook). Spamgourmet does not strip out the S/MIME encoding for the digital signature and does not strip out the S/MIME header (Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg=SHA1; boundary="----=_NextPart_<partID>"). Despite my reply going back through Spamgourmet to supposedly hide my true e-mail address where I received the aliased e-mail and through which I submit my reply (with it going to Spamgourmet), the digital signature remains affixed to that reply e-mail. Of course, since Spamgourmet had modified my reply e-mail, the recipient will see a corrupted digitally signed e-mail (and this prompts them even more to look at the cert attached to that e-mail). This means anyone using a Spamgourmet alias to contact me will see my true e-mail address in my reply despite going through Spamgourmet because of the digital signature that was left attached when forwarded through Spamgourmet.

My only choice is to delete the e-mail cert from my Windows certificate store so it is not available for that particular e-mail account (the one to which Spamgourmet forwards aliased e-mails). Then, although I have Outlook configured to digitally sign all outbound e-mails, there won't be a cert to use on the account to which Spamgourmet aliased e-mails are sent; i.e., that account won't have a cert to add so it cannot be attached to replies to those aliased e-mails.

Please consider stripping the S/MIME part in the body of the e-mail along with the S/MIME header so replies sent back through Spamgourmet are not digitally signed anymore (and to eliminate recipients getting warnings about invalid certs on reply e-mails forwarded through Spamgourmet).


Replies sent back through Spamgourmet still divulge source domain

In addition, I thought replies to e-mails aliased through Spamgourmet (which would get sent back through Spamgourmet) would be stripped of the trace headers, like Received. I thought Spamgourmet would make itself look like it was the source of the e-mail. While the Received headers may not (but can) divulge the sender's true e-mail address, they do divulge the domain from whence the reply e-mail was sourced. For example, when sending a test e-mail to myself through a Spamgourmet alias and then replying to it (which has the reply go back through Spamgourmet), I'll see the following Received headers in that reply the recipient receives:

Received:
  from <recipientserver1> (LHLO <recipientserver1>) (<recipientserver1IPaddr>)
  by <recipientserver2>
Received:
  from gourmet8.spamgourmet.com ([216.75.62.102])
  by <recipientserver1>
Received:
  from spamgourmet by gourmet7.spamgourmet.com
Received:
  from <myISPserver2> ([<myISPserver2IPaddr>])
  by gourmet7.spamgourmet.com
Received:
  from <myISPserver1> ([<myISPserver1IPaddr>])
  by <myISPserver2>
Received:
  from <myhostname> ([<myIPaddress>])
  by <myISPserver1>


The first (bottommost) three Received lines should not appear if Spamgourmet made the reply look like it was sourced from Spamgourmet. Instead the recipient can see the reply e-mail through Spamgourmet was actually sourced from myhostname at myIPaddress from myISPserver1. Perhaps I'm mistaken and Spamgourmet's intent is not to hide the source of a reply e-mail but only to hide the source e-mail address.
VanguardLH
 
Posts: 48
Joined: Sun Oct 11, 2009 10:01 pm
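As an added example (not part of the post above and not Spamgourmet's own code), the following script shows the two changes the post asks a forwarder to make before re-sending a reply: unwrap the multipart/signed container so the detached S/MIME signature part is dropped while the signed content itself is kept, and remove the Received trace headers accumulated between the submitting user and the forwarder. The sample message is constructed for this example; its hostnames, IP addresses, boundary string and "signature" body are placeholders, not real values from the post.

```python
"""Strip a detached S/MIME signature and upstream Received headers from a reply
that a forwarder is about to re-send on the user's behalf.

Added example, not Spamgourmet code. SAMPLE is a constructed message:
hostnames, IPs, boundary and the base64 'signature' are placeholders."""
import email
import re
from email import policy
from email.message import EmailMessage

# Content types used for a detached S/MIME signature part (RFC 8551 and the
# older x- form that Outlook 2003 emits, as quoted in the post).
SMIME_SIG_TYPES = {"application/pkcs7-signature", "application/x-pkcs7-signature"}

# Constructed sample: the reply as the forwarder holds it after its own MTA
# accepted it (three upstream Received hops, signed body, detached signature).
SAMPLE = """\
Received: from mail2.example-isp.net ([198.51.100.20])
    by gourmet7.spamgourmet.com; Tue, 2 Oct 2012 00:10:00 +0000
Received: from mail1.example-isp.net ([198.51.100.10])
    by mail2.example-isp.net; Tue, 2 Oct 2012 00:09:59 +0000
Received: from myhost.example-isp.net ([203.0.113.7])
    by mail1.example-isp.net; Tue, 2 Oct 2012 00:09:58 +0000
From: alias.reply@spamgourmet.com
To: contact@example.org
Subject: Re: test
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature";
    micalg=SHA1; boundary="----=_NextPart_000"

This is a multi-part message in MIME format.

------=_NextPart_000
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit

Thanks, got your message.

------=_NextPart_000
Content-Type: application/x-pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"

bm90IGEgcmVhbCBQS0NTIzcgc2lnbmF0dXJlOiBjb25zdHJ1Y3RlZCBwbGFjZWhvbGRlcg==
------=_NextPart_000--
"""

# "from <host> (<optional comments>) ([<ip>]) by <host>" in an unfolded Received line.
RECEIVED_RE = re.compile(
    r"from\s+(?P<host>\S+)\s+(?:\([^)]*\)\s+)*?\(\[?(?P<ip>[0-9a-fA-F.:]+)\]?\)"
    r"\s+by\s+(?P<by>[^\s;]+)"
)


def load_sample() -> EmailMessage:
    return email.message_from_string(SAMPLE, policy=policy.default)


def is_smime_signed(msg: EmailMessage) -> bool:
    """True for a multipart/signed container whose protocol is an S/MIME signature."""
    return (msg.get_content_type() == "multipart/signed"
            and str(msg.get_param("protocol", "")).lower() in SMIME_SIG_TYPES)


def strip_smime_signature(msg: EmailMessage) -> EmailMessage:
    """Return the signed content as a top-level message, without the signature.

    RFC 1847 fixes multipart/signed at exactly two parts: the protected content
    first, the detached signature second. The content part is re-parsed so its
    own Content-Type/CTE become the message's; every non-MIME header of the
    outer message (From, To, Subject, Received, ...) is copied across.
    Unsigned messages are returned unchanged."""
    if not is_smime_signed(msg):
        return msg
    parts = msg.get_payload()
    if len(parts) != 2 or parts[1].get_content_type() not in SMIME_SIG_TYPES:
        raise ValueError("malformed multipart/signed: expected content + signature")
    new = email.message_from_bytes(parts[0].as_bytes(), policy=policy.default)
    for name, value in msg.items():
        lname = name.lower()
        if lname.startswith("content-") or lname == "mime-version":
            continue  # these described the multipart/signed wrapper being removed
        new[name] = value
    new["MIME-Version"] = "1.0"
    return new


def received_hops(msg: EmailMessage) -> list:
    """Parse each Received header into (from_host, from_ip, by_host), top-down,
    i.e. most recent hop first, which is how a recipient reads them."""
    hops = []
    for hdr in msg.get_all("Received", []):
        text = " ".join(str(hdr).split())  # unfold and normalise whitespace
        m = RECEIVED_RE.search(text)
        hops.append((m["host"], m["ip"], m["by"]) if m else (None, None, None))
    return hops


def strip_trace_headers(msg: EmailMessage) -> list:
    """Delete every Received header in place and return the hops removed.

    At the forwarder these headers are exactly the path from the user's host to
    the forwarder (the 'bottommost' lines the post objects to); the forwarder's
    MTA adds a fresh Received line of its own when it re-sends."""
    removed = received_hops(msg)
    del msg["Received"]
    return removed


def sanitize_for_forwarding(msg: EmailMessage) -> EmailMessage:
    """Signature stripped, upstream trace headers dropped, ready to re-send."""
    clean = strip_smime_signature(msg)
    strip_trace_headers(clean)
    return clean


if __name__ == "__main__":
    original = load_sample()
    for host, ip, by in received_hops(original):
        print(f"leaked hop: {host} [{ip}] -> {by}")
    print(sanitize_for_forwarding(original).as_string())
```

Run as a script it lists the three upstream hops a recipient could read from the sample and prints the sanitized message, which is a plain text/plain reply with no multipart/signed wrapper, no smime.p7s part and no Received headers. A real forwarder would still have to decide what to do with other identifying headers the post does not mention; this example deliberately handles only the S/MIME part and Received.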
