On whether IP addresses are useful in Received headers...
This is something that happened to me yesterday:
A customer contacted me to say they'd been blocked by their ISP for
sending spam. The ISP was less than helpful. The customer wanted to know
if their network or mail server had been compromised in some way.
All they could send me was a bounce message they had received - the
(redacted) headers are below:
Received: from zdku.org (unknown [18.104.22.168]) (using TLSv1 with
cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate
requested) by mx4.customers-isp.net (Postfix) with ESMTP id
7424419CA0549; Sun, 6 Dec 2015 09:42:33 +0000 (GMT)
To: <various random people>
Subject: Fw: important message
From that information I could instantly tell that the problem wasn't
with the customer's mail server or a compromised PC on their network,
but it was probably a compromised ISP password. The IP address was in
Vietnam; our customer was in the UK - ergo the message didn't come from
If the ISP had put a cryptographic blob instead of the IP address, then
ONLY the ISP could have identified where the message came from. If they
had been willing to do that, they'd have looked at the IP address in the
first place and realised what the problem was, rather than accusing our
customer of spamming.
If we couldn't work out where the message came from, we may have spent
ages virus scanning all our customers' PCs, checking firewalls etc, and
still not fixed the problem.
Unfortunately, we see this too often where the ISP either doesn't know
how, or can't be bothered, to perform basic forensics on email problems,
leaving it up to those of us who do know how and can be bothered. If the
information is removed, then that possibility is removed also.
ietf-smtp mailing list