Re: [Shutup] [ietf-smtp] Proposed Charter for the "SMTP Headers Unhealthy To User Privacy" WG (fwd)

Ted Lemon <> Fri, 04 December 2015 21:10 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 3A8EA1A9028; Fri, 4 Dec 2015 13:10:21 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.912
X-Spam-Status: No, score=-1.912 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 4s_m8EH_iITc; Fri, 4 Dec 2015 13:10:19 -0800 (PST)
Received: from ( [IPv6:2a01:7e01::f03c:91ff:fee4:ad68]) by (Postfix) with ESMTP id B2B6C1A9026; Fri, 4 Dec 2015 13:10:18 -0800 (PST)
Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="----sinikael-?=_1-14492634150080.4767314870841801"
From: Ted Lemon <>
In-Reply-To: <>
References: <> <> <> <> <> <> <> <> <p06240403d286acd52687@[]> <> <>
Date: Fri, 04 Dec 2015 21:10:15 +0000
Message-Id: <>
MIME-Version: 1.0
Archived-At: <>
Subject: Re: [Shutup] [ietf-smtp] Proposed Charter for the "SMTP Headers Unhealthy To User Privacy" WG (fwd)
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: SMTP Headers Unhealthy To User Privacy <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 04 Dec 2015 21:10:21 -0000

Friday, Dec 4, 2015 3:42 PM Rich Kulawiec wrote:
> 1. Such links are often customized on a per-user per-message basis
> with unique URLs.  Thus *any* hit on that URL from anywhere must
> have come from that user [1] and via that particular message.
> It may not disclose their IP address but it *does* disclose that
> they read the message and when.  This is bad.

Yup.  You have to always fetch, when the mail arrives.   Which could turn into a DDoS attack if you do it for all messages, so not ideal without additional heuristics.   But I don't see any way around those heuristics without simply deleting all URLs from all email messages.

> 2. Proxying means proxy means proxy log means yet another place where
> sensitive information accumulates.  I.e., I don't think it's a good idea
> to attempt to fix this issue by MITM'ing connections.

You already have the whole email message if it's not encrypted, so I don't see that any additional information is leaking here.   But this is still a good point.

> 3. How do you rewrite a link over an encrypted connection?

If you are running the IMAP server, it doesn't matter whether the connection between the user and the server is encrypted.   If you are not, then it's not your problem.

> I'm not arguing that there isn't a massive privacy problem here.
> There is, and I think it's far more worrisome than IP addresses
> in Received lines, because it discloses far more information *and it
> does so in real time*.  I just don't think solving it will be this easy.

Agreed on both counts.

Sent from Whiteout Mail -

My PGP key: