ietf
[Top] [All Lists]

Re: SMTP RFC: "MUST NOT" change or delete Received header

2014-03-29 09:59:43
What do people today think of the SMTP RFC's current requirement that
mail programs and servers must not under any circumstances change or
delete Received: headers? Is exposing sender IP addresses to any
attacker who can view e-mail headers, for the purposes of preserving
trace information, really worth it when weighed against considerations
like security and privacy?

The headers are useful for debugging, particularly for things like
forwarding loops.  Particularly on public webmail systems, it lets you
see where spam is coming from, and offers the possibility of alerting
the originating operator if you think they'll care.  Gmail is notable
in redacting this from some (not all) of their outgoing mail.

What sorts of attacks do you think are enabled by allowing mail
recipients to see the headers?

<Prev in Thread] Current Thread [Next in Thread>