stolen is a privacy problem, this is not a simple question, and any
simple answer is wrong.

Agreed.  I'm merely concerned that if we can't come up with a solution
to having someone's bank account credentials stolen, we shouldn't stall
attempting to resolve smaller problems that we can identify, such as a
privacy violation in the Received header.

I hope you agree with the part where I said that any simple answer is wrong.

On my system, most real mail comes from the three gorillas, from ISPs such as T-W and Comcast, and from local schools or businesses. Since we are weenies, a certain amount comes through mailing lists. In every one of those cases, the IP address in the received header is the address of the server at the mail system, the institution, or the mailing list. It tells you nothing you didn't already know if you looked at the bounce address in the SMTP envelope, or the From: or List-ID: in the message body.

The spam mostly comes from compromised servers and botnets, where the IP tells you who the legitimate operator is (not the botnet operator) and indirectly where to send abuse reports. Since that mail isn't sent by the party legitimately associated with the IP, and the only place the mail goes is back to the operator in a spam report, it's hard to see any privacy issues there, either.

If you were talking about Received headers added in submission rather than SMTP, there are plausible PII issues, but there you will find that as often as not the sending MTA already obscures the location of the user, particularly when messages are submitted via webmail. On the other hand, for abuse management it's essential that it be there in some form so the sending system can figure out which of its users is misbehaving or has been compromised.

So I think it is fine to look at the issues and see where we might make improvements, but it is a bad idea to rush to naive changes that don't address real privacy issues but do cause real problems for operations and security.

Regards,
John Levine, [email protected], Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail.

_______________________________________________
perpass mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/perpass
