Re: SMTP RFC: "MUST NOT" change or delete Received header
"John Levine" <johnl@taugh.com> Sat, 29 March 2014 14:59 UTC
Return-Path: <johnl@iecc.com>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 49C381A0642 for <ietf@ietfa.amsl.com>; Sat, 29 Mar 2014 07:59:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.137
X-Spam-Level:
X-Spam-Status: No, score=-1.137 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HELO_MISMATCH_COM=0.553, HOST_MISMATCH_NET=0.311, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uea_6xt54KS5 for <ietf@ietfa.amsl.com>; Sat, 29 Mar 2014 07:59:29 -0700 (PDT)
Received: from miucha.iecc.com (abusenet-1-pt.tunnel.tserv4.nyc4.ipv6.he.net [IPv6:2001:470:1f06:1126::2]) by ietfa.amsl.com (Postfix) with ESMTP id 0280B1A0549 for <ietf@ietf.org>; Sat, 29 Mar 2014 07:59:28 -0700 (PDT)
Received: (qmail 268 invoked from network); 29 Mar 2014 14:59:26 -0000
Received: from miucha.iecc.com (64.57.183.18) by mail1.iecc.com with QMQP; 29 Mar 2014 14:59:26 -0000
Date: Sat, 29 Mar 2014 14:59:03 -0000
Message-ID: <20140329145903.39132.qmail@joyce.lan>
From: John Levine <johnl@taugh.com>
To: ietf@ietf.org
Subject: Re: SMTP RFC: "MUST NOT" change or delete Received header
In-Reply-To: <53366F34.8050501@ageispolis.net>
Organization:
X-Headerized: yes
Mime-Version: 1.0
Content-type: text/plain; charset="utf-8"
Content-transfer-encoding: 8bit
Archived-At: http://mailarchive.ietf.org/arch/msg/ietf/wQ8B5D6AJAhvnT6UdvRurrl52E8
Cc: kevin@ageispolis.net
List-Id: IETF-Discussion <ietf.ietf.org>
>What do people today think of the SMTP RFC's current requirement that
>mail programs and servers must not under any circumstances change or
>delete Received: headers? Is exposing sender IP addresses to any
>attacker who can view e-mail headers, for the purposes of preserving
>trace information, really worth it when weighed against considerations
>like security and privacy?

The headers are useful for debugging, particularly for things like forwarding loops. Particularly on public webmail systems, it lets you see where spam is coming from, and offers the possibility of alerting the originating operator if you think they'll care. Gmail is notable in redacting this from some (not all) of their outgoing mail.

What sorts of attacks do you think are enabled by allowing mail recipients to see the headers?
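The two debugging uses mentioned in the message above (spotting forwarding loops and seeing where a message entered the mail system) can be shown with a short trace parser. This is an added example, not part of the original message; the sample message, host names and the `trace_hops` / `find_loops` helpers are constructed for illustration.

```python
import re
from collections import Counter
from email import message_from_string

# Constructed sample: newest Received header first, as MTAs prepend them.
SAMPLE = """\
Received: from mx.example.net (mx.example.net [192.0.2.10])
\tby fwd.example.org with ESMTP id C3; Sat, 29 Mar 2014 15:00:03 -0000
Received: from fwd.example.org (fwd.example.org [198.51.100.7])
\tby mx.example.net with ESMTP id B2; Sat, 29 Mar 2014 15:00:02 -0000
Received: from mx.example.net (mx.example.net [192.0.2.10])
\tby fwd.example.org with ESMTP id A1; Sat, 29 Mar 2014 15:00:01 -0000
Received: from client.example.com (unknown [203.0.113.45])
\tby mx.example.net with ESMTP id 00; Sat, 29 Mar 2014 15:00:00 -0000
From: sender@example.com
Subject: constructed test

body
"""

HOP_RE = re.compile(
    r"^(?:from\s+(?P<helo>\S+)\s*(?:\((?P<info>[^)]*)\))?\s*)?by\s+(?P<by>\S+)",
    re.I)
IP_RE = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")

def trace_hops(raw):
    """Return hops oldest-first as dicts with 'from', 'ip' and 'by'."""
    hops = []
    for value in reversed(message_from_string(raw).get_all("Received", [])):
        text = " ".join(value.split())        # undo header folding
        m = HOP_RE.match(text)
        if not m:
            continue  # non-SMTP trace lines, e.g. "(qmail ... invoked ...)"
        ip = IP_RE.search(m.group("info") or "")
        hops.append({"from": m.group("helo"),
                     "ip": ip.group(1) if ip else None,
                     "by": m.group("by").lower()})
    return hops

def find_loops(hops, threshold=2):
    """Hosts that accepted the message at least `threshold` times.
    Heuristic only: local content-filter reinjection also repeats a host."""
    counts = Counter(h["by"] for h in hops)
    return sorted(host for host, n in counts.items() if n >= threshold)

if __name__ == "__main__":
    hops = trace_hops(SAMPLE)
    # Only headers added by servers you operate or trust are reliable;
    # anything below them can be supplied by the sender.
    print("entry point:", hops[0]["ip"], "->", hops[0]["by"])
    print("possible loop between:", find_loops(hops))
```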