E-mail headers still reveal sender's domain name and IP

General discussion re sg.

E-mail headers still reveal sender's domain name and IP

Postby smallbear » Mon Dec 14, 2009 5:15 pm

I have been trying out spamgourmet and its very empowering.

However, one thing that I note is that if you use the feature for forwarding-on mail from one of your registered spamgourmet addresses, the mail headers still reveal the sender's domain and IP address etc.

I don't want this to sound like a complaint, and in fact it may have been the originator's wish to do this, since it ensures that the sender is still accountable or traceable to some extent. However, I think it needs to be pointed out, in case anyone thinks that their outgoing message is completely anonymous. In fact it isn't anonymous and being able to see the sender's domain name, could provide the persistent spammer with a means of directing mail to 'sales@' or 'administrator@' the user's domain.

Here's an example - note mydomain.com, which was my original hidden sending domain.

[...]
Received: from xxx.xxx.xxx.xxx.adsl.dynamic.myserv.net ([xxx.xxx.xxx.xxx] helo=[192.168.0.xxx])
by svr1.ab.myhost.co.uk with esmtpa (Exim 4.53)
id xxxxxxxxxxxx
for ; Mon, 14 Dec 2009 12:43:02 +0000
Message-ID: <4B2632C6.7080903@mydomain.com>

Date: Mon, 14 Dec 2009 12:42:46 +0000
From: xyz123.4.myaccount@spamgourmet.com
User-Agent: Thunderbird 2.0.0.18 (Windows/20081105)
[...]
smallbear
 
Posts: 5
Joined: Mon Dec 14, 2009 4:56 pm

Postby whats » Mon Dec 14, 2009 8:01 pm

Funny that you should make that post after me so shortly. We both had the same idea.

Hopefully our voices will be heard. :)
whats
 
Posts: 2
Joined: Sat Dec 12, 2009 6:38 pm

Postby smallbear » Tue Dec 15, 2009 5:42 am

whats wrote:Funny that you should make that post after me so shortly.


I didn't see your post, whats until just now. Yes, you make the point about needing to keep the headers to prevent abuse - if not, spammers might even start using spamgourmet! What a disaster that would be.

I'm not sure what the solution is, but certainly removing the server's name and the sender's domain name.

It is only a problem though in the case of a very enterprising individual to whom you've sent your mail, and who's prepared to open the headers and view the details. I think for those to whom I'm sending mail, typically companies and more especially booking companies who continually spam, they probably aren't ever going to go that far - they'll just merrily add my spamgourmet address to their database.

A better solution, for the time being, is to just sign up for a temporary Yahoo or Hotmail address. That of course has no link to one's temporary address.
smallbear
 
Posts: 5
Joined: Mon Dec 14, 2009 4:56 pm

Postby josh » Sat Dec 19, 2009 3:26 pm

yes - sg is not an anonymizer - we don't disturb headers because:

a) it's actually unlawful in some jurisdictions,

b) we certainly only mean to operate an anti-spam service, not an anonymizing service (not that there's anything wrong with anonymizing services - they just need a lot more care and feeding); and

c) we can't afford to get sucked into litigation or other types of investigations, and I have to believe that would happen from time to time if we modded the headers.
josh
 
Posts: 1371
Joined: Fri Aug 29, 2003 2:28 pm

Postby lwc » Sun Dec 20, 2009 12:08 am

Josh, that's finally what I wanted to hear! Please stand up behind that statement by providing an on/off option (with hopefully an off default) for the other anonymizing issue.
Last edited by lwc on Wed Nov 07, 2018 7:38 pm, edited 1 time in total.
lwc
 
Posts: 455
Joined: Sat Aug 28, 2004 9:09 am

Postby smallbear » Sun Dec 20, 2009 7:15 pm

josh wrote:we certainly only mean to operate an anti-spam service, not an anonymizing service


I'm not necessarily expecting Spamgourmet to make messages anonymous. But at the moment, the domain name in the messages can be viewed and the anti-spam feature thus rendered partly useless.

If you take my original example below, the string saying *mydomain.com* showed my personal domain name, and this can be conjoined with 'sales@' and 'administrator@'. I don't think that's very helpful at all. I don't feel that I'm being protected very much.

Message-ID: <4B2632C6.7080903@mydomain.com>

It's ok if you're using a widely-used e-mail service like Hotmail or Yahoo, but I don't want to use those.

I don't entirely agree with the legal arguments, and by way of example gmail did not show a sender's IP address, at least not back in 2008 when I was trying it.

A switchable-anonymous service would be best, and then you should be able to cover Spamgourmet from a legal standpoint, by stating clearly to users that if they 'tick' that option, they are taking responsibility for this themselves, and indemnifying you. I think to be truthful, if it isn't possible to get around this, then it has to be made clear that the system has this issue and new users should be made aware of it.

Alternatively, remove the sender's domain name, but not the IP address.
smallbear
 
Posts: 5
Joined: Mon Dec 14, 2009 4:56 pm

Postby whats » Sun Dec 20, 2009 8:15 pm

smallbear wrote:Alternatively, remove the sender's domain name, but not the IP address.


I'd be okay with that solution.



To throw in another similar service called sneakemail who do infact not send any of those headers.
Does that mean you become open to abuse? No, not if you take precautionary measures. I am not sure how many complaints you receive for people abusing the service today and if it'd make such a great difference if we would strip the headers and maybe replace them with a unique message ID which could be traced back to you, but just spamgourmet can decode the number.


Only important part is that to any normal person your true mail address remains secret.




Below my original post I deleted from the support forum by lwc's request (Sat Dec 12)
Just to clarify, the reason to use that feature would usually be to hide your true email in order to not get spammed and/or lose control over who has your private mail address. At least that's my reason.

Now the only problem is that the Spamgourmet server doesn't strip out the "received" headers thus revealing all information about where the message came from. I would understand that we have to retain some kind of information to prevent abuse and a compromise could be to keep the senders IP (not the mail server) but strip out any mail addresses.

If we can't do that it's pretty much the same as sending the mail without the Spamgourmet step in between.




Anyway, thanks for running this service and I will stick to it no matter if we see any changes with the headers or not.
whats
 
Posts: 2
Joined: Sat Dec 12, 2009 6:38 pm

Re: E-mail headers still reveal sender's domain name and IP

Postby gourmet » Mon Dec 21, 2009 7:16 am

smallbear wrote:However, one thing that I note is that if you use the feature for forwarding-on mail from one of your registered spamgourmet addresses, the mail headers still reveal the sender's domain and IP address etc.


Use trashmail.net it doesn't leak that info. Admin fixed that leak immediately when I reported if first time.
gourmet
 
Posts: 124
Joined: Thu Mar 27, 2008 4:46 pm

Postby lwc » Mon Dec 21, 2009 8:55 am

Yes,
TrashMail wrote:host name, domain name and IP addresses will also replaced by localhost, localdomain and the IP address 127.0.0.1

However:
Remember: This is not an anonymous mail service. This service is subject to the german law of telecommunications data retention.


Besides, each address is limited by count and time (both require a yearly fee to be unlimited), but not by exclusive senders.
lwc
 
Posts: 455
Joined: Sat Aug 28, 2004 9:09 am

Postby MFPA » Thu Feb 25, 2010 1:53 am

smallbear wrote:If you take my original example below, the string saying *mydomain.com* showed my personal domain name, and this can be conjoined with 'sales@' and 'administrator@'. I don't think that's very helpful at all. I don't feel that I'm being protected very much.

Message-ID: <4B2632C6.7080903@mydomain.com>

It's ok if you're using a widely-used e-mail service like Hotmail or Yahoo, but I don't want to use those.


In many email applications the message-id does not have to include the domain of your email address. The RFCs require use of a "fully qulaified domain name" which you either control or have permission to use (or something like that) but it doesn't cause an issue in my experience if you ignore that.

smallbear wrote:by way of example gmail did not show a sender's IP address, at least not back in 2008 when I was trying it.


Were you using it via the web interface, or by SMTP? I think if you use a web interface the headers are less likely to show your IP address.


smallbear wrote:A switchable-anonymous service would be best, and then you should be able to cover Spamgourmet from a legal standpoint, by stating clearly to users that if they 'tick' that option, they are taking responsibility for this themselves, and indemnifying you.


If you provide somebody with the means to do something illegal, some jurisdictions have offences related to "aiding and abetting" or similar. By having such a tickbox, you could not plausibly deny that you knew you were guilty of this.

smallbear wrote:I think to be truthful, if it isn't possible to get around this, then it has to be made clear that the system has this issue and new users should be made aware of it.


I thought the site clearly said SG was not an anonymiser, but I can't find it now.
MFPA
 
Posts: 6
Joined: Tue Feb 23, 2010 1:36 pm

Postby josh » Sat Feb 27, 2010 5:12 am

smallbear wrote:I don't entirely agree with the legal arguments, and by way of example gmail did not show a sender's IP address, at least not back in 2008 when I was trying it.


Here's one (emphasis added):

Okla. Stat. Ann., Title 15
?776.1. Fraudulent Electronic Mail; Penalty
A. It shall be unlawful for a person to initiate an electronic mail message that the sender knows, or has reason to know:
A.1. Misrepresents any information in identifying the point of origin or the transmission path of the electronic mail message; A.2. Does not contain information identifying the point of origin or the transmission path of the electronic mail message;
A.3. Contains false, malicious, or misleading information which purposely or negligently injures a person; A.4. Falsely represents that it is being sent by a legitimate online business; A.5. Refers or links the recipient of the message to a web page that is represented as being associated with a legitimate online business with the intent to engage in conduct involving the fraudulent use or possession of identifying information; or
A.6. Directly or indirectly induces, requests, or solicits the recipient of the electronic mail message to provide identifying information for a purpose the recipient believes is legitimate.
B. Any person violating the provisions of this section shall be subject to a civil penalty of up to $500.
C. All acts and practices declared to be unlawful by subsections (A) and (E) of this section shall, in addition, be violations of the Oklahoma Consumer Protection Act.
D. For purposes of this section, an electronic mail message which is declared to be unlawful by subsection (A) of this section shall be considered a fraudulent electronic mail message or a fraudulent bulk electronic mail message.

- arguably prempted by Can Spam as expressed in the frequently criticized Omega World Travel Inc. v. Mummagraphics Inc., but they taught me law school that you have to interpret these decisions narrowly, and the facts in that case were different from what we'd be looking at here.

I've been very careful never to represent spamgourmet as an anonymizing service. I'm quite sure I would have shut it down long ago if it was changing the headers.

If one of you all wants to set up a server to provide an anonymizer, I'll tell you how to modify the code to do it - just be sure to set aside some time on your calender to work intimately with the FBI, homeland security, the German police, et al.
josh
 
Posts: 1371
Joined: Fri Aug 29, 2003 2:28 pm

Re: E-mail headers still reveal sender's domain name and IP

Postby unitacx » Thu Jun 13, 2013 2:26 pm

smallbear wrote:Here's an example - note mydomain.com, which was my original hidden sending domain.
[...]
Received: from ...
id xxxxxxxxxxxx


It seems that someone could use the header information to discover an email address, but that wouldn't make one vulnerable to spambots or even manual large-scale harvesting. That leaves individuals collecting addresses for spam harvesting purposes (e.g., an aggressive salesperson, the kind with a notepad full of excuses), but it is highly unlikely that those people will even understand the meaning of headers that do not look like email addresses.

That leaves real people or people wondering who the actual sender is. Blocking those people is anonymizer territory.
unitacx
 
Posts: 10
Joined: Tue Jul 31, 2007 11:14 pm
Location: n. virginia


Return to General Discussion

Who is online

Users browsing this forum: No registered users and 18 guests