Re: [Evolution] Bug 738247 - unwanted information disclosure in message headers





Anyway, I would like to ask other evolution-list members to join the
bug [2] and express their opinion there, if they have any, want to and
can. I agree with Josh that the local machine name exposure is not
always expected, even just in the tracking headers, which can be used
to search for spammers (yes, I did use that information to track such
people in the past), but I also do not want to change the Camel SMTP
behavior in a wrong way. I also made a suggestion in the bug for kind
of a workaround, when to use the resolved name and when not (long story
short: the resolved name has less than two dots => do not use it),
which can satisfy both the RFC recommendations and the bug request in
most cases, I believe. To believe is not enough here, that's why I want
your help.


Two things I note about this. First, the bug saw no activity for 3
years, there are no dupes and no supporting comments. It's not the big
issue that the OP seems to think it is and I worry about doing
something because someone was shouting loud about it.

Second, the statement in the bug of "actual host name must not be used
in helo" is actually wrong, the RFC states that it should be used.
(should, not must)

I personally wouldn't be excessively worried either way (which is why I
don't really want to comment on the bug) but would err on the side of
leaving things as they are - it just looks less spammy. (SpamAssassin
tests for lots of issues with the HELO string - one of them is for a
"bare IP" address, another for "numeric HELO".)

The OP did say that it was an issue of leaking information about, say,
his work environment when replying to private mail through Gmail. With
my admin hat on, I would say that if it is an issue for you or your
work, then you shouldn't be using a work machine at all.

P.

PS: a workaround I've just thought of is to use sendmail on the local
machine, not SMTP. sendmail / postfix / exim / whatever are much more
configurable in what they send and I suspect that that is the proper
place for the adjustments to be made.
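
The two-dot rule from the suggestion quoted at the top of this message, sketched as an added example (it is not part of the thread and not Camel's code). The function name, the trailing-dot handling and the fallback to an RFC 5321 address literal are assumptions; the host names and addresses are constructed samples.

```c
#include <stdio.h>
#include <string.h>

/* Dots in name, ignoring one trailing root dot; -1 if any label is empty. */
static int count_dots(const char *name)
{
    size_t len = strlen(name);
    int dots = 0;

    if (len > 0 && name[len - 1] == '.')
        len--;                          /* "a.b.c." counts like "a.b.c" */
    if (len == 0 || name[0] == '.')
        return -1;
    for (size_t i = 1; i < len; i++) {
        if (name[i] != '.')
            continue;
        if (name[i - 1] == '.')         /* empty label, e.g. "a..b" */
            return -1;
        dots++;
    }
    return dots;
}

/* Hypothetical helper: write the EHLO argument into out.
 * Returns 1 if the resolved name was used, 0 if the address literal
 * was used instead, -1 if out is too small. */
int choose_ehlo_arg(const char *resolved, const char *ip, int is_ipv6,
                    char *out, size_t outlen)
{
    int used_name = resolved != NULL && count_dots(resolved) >= 2;
    int n;

    if (used_name)                      /* two or more dots: send as resolved */
        n = snprintf(out, outlen, "%s", resolved);
    else if (is_ipv6)                   /* assumed fallback: address literal */
        n = snprintf(out, outlen, "[IPv6:%s]", ip);
    else
        n = snprintf(out, outlen, "[%s]", ip);
    return (n < 0 || (size_t)n >= outlen) ? -1 : used_name;
}

int main(void)
{
    /* Constructed sample names, not taken from the bug report. */
    const char *names[] = { "workstation7", "pc.localdomain", "mail.example.org" };
    char buf[256];
    for (size_t i = 0; i < 3; i++) {
        choose_ehlo_arg(names[i], "192.0.2.10", 0, buf, sizeof buf);
        printf("%-18s -> EHLO %s\n", names[i], buf);
    }
    return 0;
}
```

A resolved name with two or more dots is still sent unchanged under this rule, so an internal name of that shape remains visible in the headers.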



