Re: [Evolution] evolution discloses private information in an email header.

From: Pete Biggs <pete biggs org uk>
To: evolution-list gnome org
Subject: Re: [Evolution] evolution discloses private information in an email header.
Date: Tue, 15 Jan 2013 09:39:59 +0000

Comparing Message-Id: header sent while connected to yahoo.com via
imap in messages sent by Evolution and Thunderbird I discovered that
Evolution uses @fqdn or just @hostname if fqdn is not available while
Thunderbird always uses @yahoo.com.

I am using Evolution to access multiple email accounts with different
providers and having my own fqdn in every message headers seems just
plain unacceptable. Is there a way to remove my fqdn from Message-Id:
header and use email domain like Thunderbird?


Isn't the hostname you are using exposed through the Received: headers
as well? If so, then surely no extra "private" information is disclosed
by using the hostname in the Message-Id:?

In any case, RFC 2822 has this to say about constructing the Message-Id
header:

   The message identifier (msg-id) itself MUST be a globally unique
   identifier for a message.  The generator of the message identifier
   MUST guarantee that the msg-id is unique.  There are several
   algorithms that can be used to accomplish this.  Since the msg-id has
   a similar syntax to angle-addr (identical except that comments and
   folding white space are not allowed), a good method is to put the
   domain name (or a domain literal IP address) of the host on which the
   message identifier was created on the right hand side of the "@", and
   put a combination of the current absolute date and time along with
   some other currently unique (perhaps sequential) identifier available
   on the system (for example, a process id number) on the left hand
   side.  Using a date on the left hand side and a domain name or domain
   literal on the right hand side makes it possible to guarantee
   uniqueness since no two hosts use the same domain name or IP address
   at the same time.  Though other algorithms will work, it is
   RECOMMENDED that the right hand side contain some domain identifier
   (either of the host itself or otherwise) such that the generator of
   the message identifier can guarantee the uniqueness of the left hand
   side within the scope of that domain.

So, as usual, Evolution is following the recommendations of the RFC.  On
the other hand, if Thunderbird uses @yahoo.com, then there is no
guarantee that the msg-id is unique (unless, of course, they encode your
host address in the header some other way).

To be honest, if you are paranoid about such information leaking about
you, then you need to worry about a lot more than how your MUA
constructs the Message-Id: header.

P.

Follow-Ups:
- Re: [Evolution] evolution discloses private information in an email header.
  - From: Eugene

References:
- [Evolution] evolution discloses private information in an email header.
  - From: Eugene

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]