Tuesday, February 12, 2008

The leakiness of web mail

Many people seem to use web mail systems like Hotmail or Yahoo! Mail as a way of providing anonymity. This is a mistake because all these systems leak the IP address of the machine the user is typing on!

Hotmail

Here is part of the header block of a message that a family member sent me from their Hotmail account:

Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC;
Received: from 134.151.225.153 by lw14fd.law14.hotmail.msn.com with HTTP;
X-Originating-IP: [134.151.225.153]

This leaks the original IP address (134.151.225.153) twice: once in the X-Originating-IP header and once in the first Received header, which indicates that the message was received from that same IP address using HTTP (i.e. via the web). A quick lookup shows that the IP address is in Birmingham, UK (which I happen to know is correct). So, if they were trying to keep their location secret, they've failed.

A whois lookup on that IP address tells me even more, including the fact that it belongs to Aston University. So it's easy to conclude that this family member was a student or staff member at that university.

Yahoo! Mail

Yahoo! Mail leaks in a similar way. Here is part of the header block of a message I received from someone with what looks like a random email address and no name:

Received: from [193.95.59.139] by web25709.mail.ukl.yahoo.com via HTTP;

Geolocating that IP address shows that the writer is in Tunisia.

Another Yahoo! Mail leak, from an old colleague in California, lets me track down their home city from their DSL line:

Received: from [67.102.112.112] by web14204.mail.yahoo.com via HTTP;

AOL Mail

Here are some headers from a message sent from an AOL web mail account. They reveal that the sender is in Germany, and the DNS name of the machine looks like it gives away the name of the company they are working for:

X-MB-Message-Source: WebUI
X-AOL-IP: 62.128.31.9

The X-AOL-IP header gives the IP address of the machine that generated the message (i.e. where the web browser is running), and the helpful X-MB-Message-Source header tells us they are using the web interface.

Earthlink

Here's an email I received from the editor of Wired who was using Earthlink:

Nice one! When I get off dialup from the French countryside, I'll blog
that...

Was he really in France?

X-Originating-IP: 213.11.198.147

Yes.

Others

A search of my own email showed me that X-Originating-IP is a popular leak point (used by Inbox.com, kth.se, Network Solutions, MSN.com and others).

Google Mail and Hushmail

Neither Google Mail nor Hushmail appears to leak the IP address. They may include the IP address somewhere (for example, encoded in the Message-ID), but it does not appear to be readily discoverable.
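As an added example (not part of the original post), here is a small Python script that scans a message's raw headers for the leak points described above: X-Originating-IP, X-AOL-IP, and Received lines of the form "from <ip> by <webmail host> with/via HTTP". It also reports when the AOL-style X-MB-Message-Source header says the web interface was used. A mail administrator, or anyone wondering whether their own provider discloses the browser's address, can run it over the raw source of a message they sent to themselves. The sample messages are constructed from the header fragments quoted in the post; host names not quoted in the post are placeholders, and the private-address sample is invented to show that non-routable addresses are ignored.

```python
import ipaddress
import re
from email.parser import Parser

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"

# Headers that carry the originating address directly (seen for Hotmail,
# Earthlink, AOL and the others the post lists).
DIRECT_IP_HEADERS = ("X-Originating-IP", "X-AOL-IP")

# "Received: from <ip> by <host> with|via HTTP", as Hotmail and Yahoo! write it.
RECEIVED_HTTP = re.compile(
    r"from\s+\[?" + IPV4 + r"\]?\s+by\s+\S+\s+(?:with|via)\s+HTTP", re.IGNORECASE
)


def _extract_ip(value):
    """Pull the dotted quad out of a header value, dropping any [brackets]."""
    m = re.search(IPV4, value)
    return m.group(1) if m else None


def _routable(ip):
    """Only a globally routable address locates the sender; skip RFC 1918 etc."""
    try:
        return ipaddress.ip_address(ip).is_global
    except ValueError:
        return False


def analyse(raw_message):
    """Return the leaked originating IPs and whether a web interface was used."""
    msg = Parser().parsestr(raw_message)
    leaks = []
    for name in DIRECT_IP_HEADERS:
        for value in msg.get_all(name, []):
            ip = _extract_ip(value)
            if ip and _routable(ip):
                leaks.append((name, ip))
    web_interface = msg.get("X-MB-Message-Source", "").strip().lower() == "webui"
    for value in msg.get_all("Received", []):
        # Unfold the header (continuation lines) before matching.
        m = RECEIVED_HTTP.search(" ".join(value.split()))
        if m:
            web_interface = True
            if _routable(m.group(1)):
                leaks.append(("Received", m.group(1)))
    return {"leaked_ips": leaks, "web_interface": web_interface}


# Constructed samples, built from the header fragments quoted in the post.
HOTMAIL_SAMPLE = """\
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC;
Received: from 134.151.225.153 by lw14fd.law14.hotmail.msn.com with HTTP;
X-Originating-IP: [134.151.225.153]
Subject: constructed sample

body
"""

YAHOO_SAMPLE = """\
Received: from [193.95.59.139] by web25709.mail.ukl.yahoo.com via HTTP;
Subject: constructed sample

body
"""

AOL_SAMPLE = """\
X-MB-Message-Source: WebUI
X-AOL-IP: 62.128.31.9
Subject: constructed sample

body
"""

# Invented: a webmail hop from a private address, which cannot locate anyone.
PRIVATE_SAMPLE = """\
Received: from 10.0.0.7 by webmail.example.invalid with HTTP;
Subject: constructed sample

body
"""

# Invented: an ordinary SMTP relay hop only, no originating address exposed.
NO_LEAK_SAMPLE = """\
Received: from mx.example.invalid (mx.example.invalid [203.0.113.5])
    by mail.example.invalid with ESMTP;
Subject: constructed sample

body
"""

if __name__ == "__main__":
    for label, sample in [("Hotmail", HOTMAIL_SAMPLE), ("Yahoo!", YAHOO_SAMPLE),
                          ("AOL", AOL_SAMPLE), ("private", PRIVATE_SAMPLE),
                          ("no leak", NO_LEAK_SAMPLE)]:
        print(label, analyse(sample))
```

The Received-header pattern deliberately requires the bare address immediately after "from"; a normal SMTP relay hop ("from hostname (hostname [ip])") is not a browser address and is left alone. Filtering on `is_global` avoids reporting the private addresses that some webmail front ends record for internal hops.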

2 comments:

Michael said...

In my day job of diagnosing email-related problems I find the easy availability of the source IP quite a handy reference point for narrowing down certain problems (e.g. tracking the origin of a spam message).

It's still an important issue, though. The validity of whether GMail and Hushmail are onto a Good Thing by not including the originating IP in clear text is open to debate. The relevant RFCs stipulate that the originator of the message should be identifiable, but they were also written before the huge popularity of webmail.

Besides, there are a ton of other ways to discover this kind of information. When you look at the way a lot of the Internet works, you soon realise that your computer is effectively using a loud-hailer to announce your presence and location simply because it broadcasts the IP address in practically every header it sends (HTTP, SMTP, etc).

J.D. said...

When you send a message using Outlook or Thunderbird or any other desktop client, your IP address is (in most cases) revealed in the headers. As I see it, the webmail services are simply continuing that existing practice.

Real anonymity requires effort.