
Re: [ietf-smtp] [Shutup] Proposed Charter for the "SMTP Headers Unhealthy To User Privacy" WG (fwd)

2015-12-11 03:57:23
On whether IP addresses are useful in Received headers...

This is something that happened to me yesterday:

A customer contacted me to say they'd been blocked by their ISP for sending spam. The ISP was less than helpful. The customer wanted to know if their network or mail server had been compromised in some way.

All they could send me was a bounce message they had received - the (redacted) headers are below:

Received: from (unknown []) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTP id 7424419CA0549; Sun, 6 Dec 2015 09:42:33 +0000 (GMT)
From: <catchall@mycustomer.com>
To: <various random people>
Subject: Fw: important message

From that information I could instantly tell that the problem wasn't with the customer's mail server or a compromised PC on their network, but it was probably a compromised ISP password. The IP address was in Vietnam; our customer was in the UK - ergo the message didn't come from our customer.

If the ISP had put a cryptographic blob instead of the IP address, then ONLY the ISP could have identified where the message came from. If they had been willing to do that, they'd have looked at the IP address in the first place and realised what the problem was, rather than accusing our customer of spamming.

If we couldn't work out where the message came from, we may have spent ages virus scanning all our customers' PCs, checking firewalls etc, and still not fixed the problem.

Unfortunately, we see this too often where the ISP either doesn't know how, or can't be bothered, to perform basic forensics on email problems, leaving it up to those of us who do know how and can be bothered. If the information is removed, then that possibility is removed also.
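The triage the post describes, as an added example that is not from the poster or the list: parse the Received header stamped by the ISP's relay, pull out the client address, and test it against the customer's known egress prefixes. It assumes the relay name mx.isp.example, the documentation addresses 203.0.113.45 and 198.51.100.0/24, and the function names shown; it substitutes a prefix check for the country lookup the poster used, since that needs no GeoIP data and is the stronger test when you run the customer's network.

```python
import email
import ipaddress
import re

# Constructed sample bounce headers (the list post's are redacted). 203.0.113.45
# is a documentation-range address standing in for the foreign client the ISP
# saw; mx.isp.example stands in for the ISP relay that stamped the header.
SAMPLE_HEADERS = b"""\
Received: from unknown (unknown [203.0.113.45])
\t(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
\t(No client certificate requested)
\tby mx.isp.example (Postfix) with ESMTP id 7424419CA0549;
\tSun, 6 Dec 2015 09:42:33 +0000 (GMT)
From: <catchall@mycustomer.example>

"""

# Assumed: the customer's own egress prefixes (documentation range here).
CUSTOMER_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]

_CLIENT_RE = re.compile(r"\[(?:IPv6:)?([0-9a-fA-F.:]+)\]")  # "[addr]" after "from"
_BY_RE = re.compile(r"\bby\s+([A-Za-z0-9.-]+)")


def client_ip_stamped_by(raw_message: bytes, trusted_relay: str):
    """Client address from the Received header written by trusted_relay.
    Lower Received headers can be forged by the sender, so only the hop
    stamped by a relay you trust (the ISP's MX in the bounce) is evidence."""
    msg = email.message_from_bytes(raw_message)
    for hdr in msg.get_all("Received", []):
        value = " ".join(str(hdr).split())  # unfold continuation lines
        by = _BY_RE.search(value)
        if not by or by.group(1).lower() != trusted_relay.lower():
            continue
        m = _CLIENT_RE.search(value)
        try:
            return ipaddress.ip_address(m.group(1)) if m else None  # None: "[]"
        except ValueError:
            return None  # bracketed token was not an address
    return None


def classify_origin(raw_message: bytes, trusted_relay: str, customer_networks) -> str:
    """'inside' if the first hop came from the customer's own prefixes, 'outside'
    if not (pointing at a compromised ISP account rather than the customer's
    server or PCs), 'unknown' when the relay recorded no usable address."""
    ip = client_ip_stamped_by(raw_message, trusted_relay)
    if ip is None:
        return "unknown"
    return "inside" if any(ip in net for net in customer_networks) else "outside"
```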

ietf-smtp mailing list