Calmail leaks IP addresses!
For regular visitors of my blog from UCB, here’s an early holiday Christmas present to you: Calmail leaks IP addresses! Here’s a quick demonstration (I’ve seen similar headers on emails from friends and colleagues, but I didn’t want to expose their info; I’ve redacted some info here as I didn’t want to expose my … secret email server scheme, or my real username for Calmail):
Return-path: xxxx...@visitor3.berkeley.edu
Envelope-to: bkp...@xxxxxx.xxx
Delivery-date: Sun, 29 Nov 2009 01:32:12 -0800
Received: from visitor3.berkeley.edu ([128.32.124.159])
    by helen.byungkyupark.com with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32)
    (Exim 4.69)
    (envelope-from <xxxx...@visitor3.berkeley.edu>)
    id 1NEg8a-0000jX-J7
    for bkp...@xxxxxx.xxx; Sun, 29 Nov 2009 01:32:12 -0800
Received: from xxxxxxx by visitor3.Berkeley.EDU with local (Exim 4.69)
    (envelope-from <xxxx...@visitor3.berkeley.edu>)
    id 1NEg8a-0001rk-4v
    for bkp...@xxxxxx.xxx; Sun, 29 Nov 2009 01:32:12 -0800
Received: from smtp-out1.berkeley.edu ([128.32.61.106])
    by visitor3.Berkeley.EDU with esmtp (Exim 4.69)
    (envelope-from <xxxx...@berkeley.edu>)
    id 1NEg8a-0001rW-2q
    for bkp...@byungkyupark.com; Sun, 29 Nov 2009 01:32:12 -0800
Received: from arsenic.calmail ([192.168.1.2] helo=calmail.berkeley.edu)
    by fe2.calmail with esmtpsa (TLSv1:AES256-SHA:256)
    (Exim 4.69)
    (auth plain:xxxx...@berkeley.edu)
    (envelope-from <xxxx...@berkeley.edu>)
    id 1NEg8T-0000qs-8R
    for bkp...@byungkyupark.com; Sun, 29 Nov 2009 01:32:06 -0800
MIME-Version: 1.0
Received: from visitor3.Berkeley.EDU [128.32.124.159]
    with HTTP/1.1 (POST); Sun, 29 Nov 2009 01:32:05 -0800
Date: Sun, 29 Nov 2009 01:32:05 -0800
From: "Byung Kyu Park, BA" <xxxx...@berkeley.edu>
To: bkp...@byungkyupark.com
Subject: This will demonstrate how Calmail leaks IP addresses
Message-ID: <7272...@berkeley.edu>
X-Sender: xxxx...@berkeley.edu
User-Agent: RoundCube Webmail/0.3-RC1.UCB3
Content-Type: multipart/alternative;
    boundary="=_ad4b95d1d25a334cada12ae4c3335783"

Content-Transfer-Encoding: 8bit
Content-Type: text/plain; charset="UTF-8"

And this email was composed on the RoundCube webmail client.

Andrew
You will see that the detailed email header (which most email clients hide, but there is always an option to show full headers) reveals the IP from which I was accessing Calmail’s webmail interface (no, I’m not in the lab right now; but I am proxying through one of my servers, because I consider my current IP address confidential, personal, private information). Similar headers show up if you use the SMTP protocol or if you use the other webmail.
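To check your own mail for this, here is an added example (not part of the original post and not Calmail's code): a small Python script that scans a message's Received headers for hops that record the sender's own client address, either the webmail "with HTTP" hop shown above or an authenticated SMTP submission hop. The sample message is constructed by shortening the header above, and the function names are hypothetical.

```python
import email
import ipaddress
import re

# Constructed sample: shortened from the header shown above, with placeholder addresses.
SAMPLE = """\
Received: from smtp-out1.berkeley.edu ([128.32.61.106])
\tby visitor3.Berkeley.EDU with esmtp (Exim 4.69)
\tid 1NEg8a-0001rW-2q; Sun, 29 Nov 2009 01:32:12 -0800
Received: from arsenic.calmail ([192.168.1.2] helo=calmail.berkeley.edu)
\tby fe2.calmail with esmtpsa (TLSv1:AES256-SHA:256)
\tid 1NEg8T-0000qs-8R; Sun, 29 Nov 2009 01:32:06 -0800
MIME-Version: 1.0
Received: from visitor3.Berkeley.EDU [128.32.124.159]
\twith HTTP/1.1 (POST); Sun, 29 Nov 2009 01:32:05 -0800
From: sender@example.edu
To: recipient@example.com
Subject: header audit sample

body
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")   # bracketed IPv4 literal
WITH_RE = re.compile(r"\bwith\s+([A-Za-z0-9/.]+)")     # protocol after "with"
SUBMISSION = {"esmtpa", "esmtpsa"}  # authenticated SMTP keywords (RFC 3848)

def received_hops(raw):
    """Return one dict per Received header that carries a bracketed IPv4 literal."""
    hops = []
    for value in email.message_from_string(raw).get_all("Received", []):
        flat = " ".join(value.split())  # unfold continuation lines
        ip_m, proto_m = IP_RE.search(flat), WITH_RE.search(flat)
        if not ip_m:
            continue
        try:
            ip = ipaddress.ip_address(ip_m.group(1))
        except ValueError:  # malformed literal such as [999.1.1.1]
            continue
        hops.append({"ip": str(ip), "private": ip.is_private,
                     "proto": proto_m.group(1).lower() if proto_m else ""})
    return hops

def client_ip_exposures(raw):
    """Public IPs on hops where the author's own client connected."""
    return [h["ip"] for h in received_hops(raw)
            if not h["private"]
            and (h["proto"].startswith("http") or h["proto"] in SUBMISSION)]

if __name__ == "__main__":
    print(client_ip_exposures(SAMPLE))
```

Server-to-server relay hops (plain `esmtp`) are listed by `received_hops` but not reported as exposures, since they name mail servers rather than the author's machine.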
I am not entirely sure if this is a feature or bug—embedding IP information in headers will help with legitimate activities of law enforcement authorities, as well as illegitimate (is there any other kind?) squelching of dissenting voices—so I haven’t reported it to abu...@berkeley.edu or, I don’t know, h...@berkeley.edu? secu...@berkeley.edu?
In any case, now that you know, now you can avoid using Calmail—if you value your privacy.
Ironically, GMail may be one of the most secure email systems to use, as far as privacy goes, because headers from GMail are fairly clean of any private information. Or, I guess if you are like me, you run a computer server at work, on which you run a bunch of things like websites and email servers, so its IP address isn’t exactly a state secret. You can proxy everything through that server (like I did here) or run your mail clients and what-not on that server.
No matter what you do, just remember: when you send an email through Calmail, you announce to your recipient what your IP address is at that moment. Don’t send that email if you are not comfortable with that.