Webmail providers (and others) hiding user IPs was the right decision

February 23, 2020

Once upon a time when GMail was new, one of my gripes about it was that, unlike Hotmail and Yahoo and other webmail providers at the time, it didn't add a header to outgoing email that had the original IP that the user submitted the message from. My mail filter systems of the time liked to use that origin IP address information as part of filtering decisions, and GMail lacking it made it harder to selectively deal with spam from them (there has always been spam from GMail).

In the spirit of admitting past mistakes, I was wrong here. Yes, not having that information made my life harder in dealing with GMail spam issues. But the history of people mining every piece of privacy-invasive information they can has made it clear that GMail made the right decision overall. Denying other people potentially sensitive information about where particular GMail users are is the right decision for the modern Internet and has been for some time. All webmail providers should be doing the same if they aren't already, and in fact everyone should be. Where your users submit email from is no one else's business and they shouldn't be allowed to snoop into it, because it reveals potentially sensitive information.

(These days it may be a violation of various privacy regulations to pass this information over to other people by putting it in email headers.)

We used to be pretty decent about this ourselves because all of our email had to be submitted from local networks, including our VPN servers, and so the outside location of our users wasn't revealed (if they were outside and VPN'ing in). These days we have an authenticated SMTP submission server with a standard MTA configuration, which means that it leaks information in the default Received headers, and also a webmail server that adds its own synthetic Received header with IP address information. At some point we should probably deal with both of these issues.

(The authenticated SMTP submission server can drop the IP address from the Received header it generates and just put in the authenticated user and the Exim message ID (which is enough to trace it in our logs and recover that information). As for the webmail system, perhaps it can be configured to leave out that information and only put it into logs or the like.)
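One way to do the first of these in Exim, as an added example rather than the configuration actually used on the system described above: override the main-section `received_header_text` option so that a message accepted over an authenticated submission records only the authenticated user and the Exim message ID, with no client host name, address, HELO name or ident, while unauthenticated server-to-server mail keeps the usual origin information. It assumes Exim's default header wording as the starting point and that `$authenticated_id` is set only for your own submission clients.

```exim
# Added example: a main-section setting for the Exim configuration file
# (not the page's own config). For mail accepted from an authenticated
# client ($authenticated_id is set), omit the "from <host> [<ip>]" clause,
# the HELO name and the ident result, and record only who authenticated
# plus the message ID, which is enough to find the submitting address in
# Exim's main log if it is ever needed. For unauthenticated mail, keep
# Exim's default wording so normal spam filtering is unaffected.
received_header_text = Received: \
  ${if def:authenticated_id \
    {(authenticated as ${quote_local_part:$authenticated_id})\n\t}\
    {${if def:sender_rcvhost {from $sender_rcvhost\n\t}\
      {${if def:sender_ident \
        {from ${quote_local_part:$sender_ident} }}\
       ${if def:sender_helo_name {(helo=$sender_helo_name)\n\t}}}}}}\
  by $primary_hostname \
  ${if def:received_protocol {with $received_protocol }}\
  (Exim $version_number)\n\t\
  ${if def:sender_address {(envelope-from <$sender_address>)\n\t}}\
  id $message_exim_id\
  ${if def:received_for {\n\tfor $received_for}}
```

Check it by submitting a test message through the server and reading the topmost Received header it adds. The client address still appears in Exim's main log entry for that message ID, so it can be recovered from the logs when a trouble report genuinely needs it.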

PS: If this feels like an obvious thing today, that shows how far things have shifted on the Internet since GMail was originally introduced, or at least how perceptions and understandings have shifted.


Comments on this page:

By Anonymous Germ at 2020-02-24 12:23:47:

Are there any white papers you can provide that recommend this? At our university I would like to recommend this, but some of them are reluctant and think it provides great security as they can micro-manage everyone.

>(These days it may be a violation of various privacy regulations to pass this information over to other people by putting it in email headers.)

Do you mean like GDPR?

By "Bob" at 2020-02-25 01:41:43:

Counterpoint: It's pretty easy for someone nefarious to get someone's IP address, by emailing them a link. Meanwhile there are legitimate reasons to know someone's IP -- for example, to look for logs relevant to a trouble report, or when some doofus asks for a shipping quote without mentioning what country he's in -- and the "privacy conscious" webmail providers (who are so privacy-conscious that all of them are in the targeted advertising business) thwart attempts to get the IP from the email header.

P.S. Ironically enough, the comment form on this very website says "your IP address will be shown with your posted comment."

Written on 23 February 2020.

Last modified: Sun Feb 23 23:49:05 2020