Return-path: xxxx...@visitor3.berkeley.edu
Envelope-to: bkp...@xxxxxx.xxx
Delivery-date: Sun, 29 Nov 2009 01:32:12 -0800
Received: from visitor3.berkeley.edu ([128.32.124.159])
        by helen.byungkyupark.com with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32)
        (Exim 4.69)
        (envelope-from <xxxx...@visitor3.berkeley.edu>)
        id 1NEg8a-0000jX-J7
        for bkp...@xxxxxx.xxx; Sun, 29 Nov 2009 01:32:12 -0800
Received: from xxxxxxx by visitor3.Berkeley.EDU with local (Exim 4.69)
        (envelope-from <xxxx...@visitor3.berkeley.edu>)
        id 1NEg8a-0001rk-4v
        for bkp...@xxxxxx.xxx; Sun, 29 Nov 2009 01:32:12 -0800
Received: from smtp-out1.berkeley.edu ([128.32.61.106])
        by visitor3.Berkeley.EDU with esmtp (Exim 4.69)
        (envelope-from <xxxx...@berkeley.edu>)
        id 1NEg8a-0001rW-2q
        for bkp...@byungkyupark.com; Sun, 29 Nov 2009 01:32:12 -0800
Received: from arsenic.calmail ([192.168.1.2] helo=calmail.berkeley.edu)
        by fe2.calmail with esmtpsa (TLSv1:AES256-SHA:256)
        (Exim 4.69)
        (auth plain:xxxx...@berkeley.edu)
        (envelope-from <xxxx...@berkeley.edu>)
        id 1NEg8T-0000qs-8R
        for bkp...@byungkyupark.com; Sun, 29 Nov 2009 01:32:06 -0800
MIME-Version: 1.0
Received: from visitor3.Berkeley.EDU [128.32.124.159]
        with HTTP/1.1 (POST); Sun, 29 Nov 2009 01:32:05 -0800
Date: Sun, 29 Nov 2009 01:32:05 -0800
From: "Byung Kyu Park, BA" <xxxx...@berkeley.edu>
To: bkp...@byungkyupark.com
Subject: This will demonstrate how Calmail leaks IP addresses
Message-ID: <7272...@berkeley.edu>
X-Sender: xxxx...@berkeley.edu
User-Agent: RoundCube Webmail/0.3-RC1.UCB3
Content-Type: multipart/alternative;
        boundary="=_ad4b95d1d25a334cada12ae4c3335783"

Content-Transfer-Encoding: 8bit
Content-Type: text/plain; charset="UTF-8"

And this email was composed on the RoundCube webmail client.

Andrew

You will see that the detailed email header (which most email clients hide, but there is always an option to show full headers) reveals the IP from which I was accessing Calmail’s webmail interface (no, I’m not in the lab right now; but I am proxying through one of my servers, because I consider my current IP address a confidential, personal, private information). Similar headers show if you use SMTP protocol or if you use the other webmail.

I am not entirely sure if this is a feature or bug—embedding IP information in headers will help with legitimate activities of law enforcement authorities, as well as illegitimate (is there any other kind?) squelching of dissenting voices—so I haven’t reported it to abu...@berkeley.edu or, I don’t know, h...@berkeley.edu? secu...@berkeley.edu?

In any case, now that you know, now you can avoid using Calmail—if you value your privacy.

Ironically, GMail may be one of the most secure email system to use, as far as privacy goes, because headers from GMail is fairly clean from any private information. Or, I guess if you are like me, you run a computer server at work, on which you run a bunch of things like websites and email servers so whose IP address isn’t exactly a state secret. You can proxy everything through that server (like I did here) or run your mail clients and what-not on that server.

No matter what you do, just remember: when you send an email through Calmail, you announce to your recipient what your IP address is at that moment. Don’t send that email if you are not comfortable with that.