Webmail providers (and others) hiding user IPs was the right decision

February 23, 2020

Once upon a time when GMail was new, one of my gripes about it was that, unlike Hotmail and Yahoo and other webmail providers at the time, it didn't add a header to outgoing email that had the original IP that the user submitted the message from. My mail filter systems of the time liked to use that origin IP address information as part of filtering decisions, and GMail lacking it made it harder to selectively deal with spam from them (there has always been spam from GMail).

In the spirit of admitting past mistakes, I was wrong here. Yes, not having that information made my life harder in dealing with GMail spam issues. But the history of people mining every piece of privacy invasive information they can has made it clear that GMail made the right decision overall. Denying other people potentially sensitive information about where particular GMail users are is the right decision for the modern Internet and has been for some time. All webmail providers should be doing the same if they aren't already, and in fact really everyone should be. Where your users submit email from is no one else's business and they shouldn't be allowed to snoop into it, because it reveals potentially sensitive information.

(These days it may be a violation of various privacy regulations to pass this information over to other people by putting it in email headers.)

We used to be pretty decent about this ourselves because all of our email had to be submitted from local networks, including our VPN servers, and so the outside location of our users wasn't revealed (if they were outside and VPN'ing in). These days we have an authenticated SMTP submission server with a standard MTA configuration, which means that it leaks information in the default Received headers, and also a webmail server that adds its own synthetic Received header with IP address information. At some point we should probably deal with both of these issues.

(The authenticated SMTP submission server can drop the IP address from the Received header it generates and just put in the authenticated user and the Exim message ID (which is enough to trace it in our logs and recover that information). As for the webmail system, perhaps it can be configured to leave out that information and only put it into logs or the like.)

PS: If this feels like an obvious thing today, that shows how far things have shifted on the Internet since GMail was originally introduced, or at least how perceptions and understandings have shifted.

Written on 23 February 2020.
« Our (unusual) freedom to use alerts as notifications
The basics of /etc/mailcap on Ubuntu (and Debian) »

Page tools: View Source, Add Comment.
Login: Password:
Atom Syndication: Recent Comments.

Last modified: Sun Feb 23 23:49:05 2020
This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.