
Show HN: Test your E-Mail for IP Leaks - rasengan
http://emailipleaktest.com
======
andreaso
You know, IPv6...

I'm getting a false "Your email has been received and it doesn't leak your
IP", due to the fact that the web site is only available using IPv4 while I'm
connecting to my SMTP server over IPv6. As long as the website only captures
IPv4 addresses it really might need to display an inconclusive result in the
presence of IPv6 received headers.

Oh, and when the web site does become IPv6 reachable you probably will want to
make an explicit attempt to also catch a potential IPv4 address, in case the
situation above is the reverse.

~~~
alextingle
Me too.

------
tedunangst
Random note: if you use a regular client (such as desktop, but also including
the client on your phone), you are almost certainly leaking your IP. gmail,
for instance, won't include your IP when using the webmail interface, but
every message sent via SMTP will.

~~~
ancarda
Actually it seems the Gmail interface does the same (at least Google Apps).

    
    
        Header: X-Originating-IP: [my-ip-address]

~~~
pasbesoin
I'm not seeing this ATM, using the non-Google Apps Gmail interface from the
U.S. (and sending, as it happens, to a "foreign" address).

Can anyone provide additional input into whether and when the Gmail web
interface may be (and when not) inserting this header? Perhaps it's just in
the Google Apps context?

------
skrebbel
Pardon my ignorance, but I don't get it. Why is it a problem whether email
leaks IP addresses?

After all, anytime I visit a web site I "leak" my IP address. Is that also a
problem?

~~~
psc
For most people, it's really not a problem. But here's a fun example I
recently came across.

I'm looking for an apartment in SF, and I stumble across a few places that
seem too good to be true. Pretty sure they're spam, but out of curiosity, I go
ahead and email. (Plus the way to make life difficult for spammers is to give
them a lot of false positives, playing along for as long as possible, wasting
their time, but unfortunately yours too.) The response I get back is clearly a
scam—the "pay $200 deposit to schedule a tour" kind of scam. I get a few more
emails, pressing me to pay the "deposit." Out of curiosity, I check the email
headers. The sender is using Yahoo, and the IP address is being leaked. I do a
geo IP lookup, and it turns out the IP is from Ghana.

Naturally, I enter the IP in my browser, and guess what shows up? An
authentication dialog for the "EchoLife Home Gateway." Sure enough, entering
"admin" for both username and password works fine (first try too), and here I
am, connected to some scammer's router, halfway across the globe.

What's more, the router connects to the ISP using PPPoE, so the username for
the account is visible in the PPPoE config. And the password is hidden under a
password field, but it's being loaded by some sketchy javascript (you know how
router software is). Pretty trivial to check out the DOM and find a plaintext
password. Next time I'm in Ghana, I get free DSL! Did I mention that the
username for the PPPoE account was clearly an actual name? A bit of google-fu
and I know quite a bit about the guy who tried to scam me. Turns out it's no
secret he's a scammer—in his early days it looked like he'd been using his
actual name to run scams, so there were a ton of postings on scam reporting
sites.

I stopped there because, as fun as it was, this was just an exercise of
intellectual curiosity, I never had the intention of breaking stuff. As much
as a scammer might deserve it, vigilantism isn't really the way to do it. I
just reported the email to Yahoo/Google and moved on. I doubt there was much
anyone could do to stop the guy from scamming anyway. But there's a lot you
can do with an open router if you want to harm someone, and that's an
understatement. All it would take is something as simple as setting up a VPN
connection (I don't think the router I was dealing with actually supported
VPN, but I'm sure you could do something malicious, like port forwarding to
netbios)

The moral of this should be pretty clear; if you're a scammer don't leak your
IP. Also don't use default passwords for routers. Clearly that was the bigger
issue here, but how many average people do you think use default passwords? At
least if their IP is hidden, there's an extra layer of obscurity. Not a great
one, but better than nothing.

~~~
jdmt
Thanks for sharing. This was an awesome read. I'm surprised the router allowed
external connections to access the internal configuration. However, some older
routers are pretty poorly designed from a security standpoint.

------
nisa
If you run your own SMTP server and want to anonymize your E-Mail e.g. for
mailing lists or whatever it's not that complicated:
[https://we.riseup.net/riseuplabs+paow/mail](https://we.riseup.net/riseuplabs+paow/mail)

------
sfrechtling
I first interpreted this as "intellectual property" leaks.

~~~
lstamour
Same. I was rather confused. :)

------
spindritf
Neat idea but I (and like 1% of the Internet population so it's clearly of
utmost importance!) connect to GMail over IPv6 so you won't catch that even if
they leak.

On a related note, I run an exim server and it adds

    
    
        Received: from my_unix_username by my.server.hostname with local (Exim 4.80)
    

to the headers when I send mail directly from the server with mutt. Is there
any reason to hide it? Or not to remove it?

------
lucb1e
> You are connecting from IPv4 address: --

Ha! Another site that thinks the x-forwarded-for header is real when it
contains only stuff that triggers SQL injections.

Edit:

> The email you've sent has leaked your ip! The IP on your email was
> 83.161.210.237

No shit, that's the mailserver's IP. Who says it was actually sent from that
IP? The headers it cites are merely listing "received from $mailserver
($reversedns [$ip])", not my client's IP address.

------
jey
Is this a site that is trying to (inefficiently) harvest IPs <-> emails? :P

~~~
X4
Same feel: Copyright (C) 2013 London Trust Media, Inc.

Immediately lost my "Trust".

Added to that, knowing how pervasive and creepily mad London politics is about
invading privacy (even more than the US), this being a blatant double-agent
maneuver wouldn't even surprise me. Maybe some now-suspect journalist who
thinks he needs to hide traces would jump into the trap. So this would reduce
the IPs to those people who feel like they need to hide something. Everybody
else already knows that this info can be easily found out by sending an email
to yourself. It's obvious that gmail doesn't need your IP; they have your
social profile and all your web habits recorded actively (services) and
passively (adsense).

In the other case, that this is a legitimate company not serving as a shell
company and not trying to collect IPs or e-mail addresses: I'm sorry for
spreading paranoia to those who are sensitive about it.

~~~
reidrac
They're behind a VPN service:
[https://www.privateinternetaccess.com/](https://www.privateinternetaccess.com/)

They may know a couple of things about privacy, reputation and trust. I
believe they need all three to operate their business, so I would be surprised
if they were doing anything fishy when they're disclosing their name.

~~~
X4
I don't know and I can't tell that, so you may be totally right. However, it
left a bad aftertaste with me when I heard that prominent hackers were busted
because their VPN provider outed them.

------
racbart
Protip: If you use paid email, ask your email provider how to hide your IP
while sending via SMTP. I asked mine and it turned out that they run a
separate SMTP port which you can use and then your IP won't be included in
message headers. This is a fairly popular provider, but I won't mention their
name as they don't advertise this feature and provide it on request.

~~~
batuhanicoz
Why don't they advertise this?

A little "dig"ging showed who your provider is, and Google gives me no results
on this feature. I also read the related docs; nothing. Wonder why.

~~~
racbart
Yup, my provider is quite easy to find, I don't mind. I just didn't want to
make this info googleable with their name, to respect that they never publicly
wrote about it.

No idea why they don't advertise this feature. They wrote that they only tell
about it to people that are actually having a problem about it. I guess it
might be easier for them or for other email-ops to handle abuse/spam issues
when this header is available?

------
pallandt
I just tested this out of curiosity to see if it showed me anything else other
than what I could already easily find out by myself via just sending myself an
email and looking at the headers.

It doesn't. What's the purpose then? Is it for people that don't know how to
interpret email headers and instead want a simple yes/no answer?

~~~
3825
I would like to imagine this is more for awareness. Why would an Exchange server
want to include X-Originating-IP? Is it for validation and authentication? Do
we not trust people who have obviously authenticated as people with the
privilege to send emails from a certain server?

Do we need to include this information in our email headers? Is it not enough
to include the IP address of the mail server? Perhaps there is a need to do
this?

I was just listening to Douglas Crockford[0] in a podcast where he talks about
CR/LF and how we can't decide on whether A is correct or B is correct so we do
both A and B which fits neither A's position or B's position so we pick
something so neither side feels like they lost. The argument is that this
middle-ground is worse than either side of the proposition.

Perhaps I am wrong. However, it is still good to know why we include this
information in our emails. Is it simply a case of "we have this information,
why not just include it?" or is it something to check against transaction
logs? Perhaps a "distributed" way to add audit records of who logged on to the
mail server? There had to be some reason why they included it, right?

[0] [http://hanselminutes.com/396/bugs-considered-harmful-with-douglas-crockford](http://hanselminutes.com/396/bugs-considered-harmful-with-douglas-crockford)

------
jlgaddis
After the Snowden leaks, I moved all of my e-mail to a server I own. I use
authenticated SMTP with mutt and Thunderbird on my laptops and also
occasionally run mutt on the server itself.

The following Postfix configuration addresses this for me:

    
    
        $ grep header_checks /etc/postfix/main.cf
        header_checks = pcre:/etc/postfix/db/header_checks.pcre
    
        $ cat /etc/postfix/db/header_checks.pcre
        /^Received: .*\(Authenticated sender:.*/                         IGNORE
        /^Received: by my\.mailserver\.net .*from userid [0-9]+\)/       IGNORE
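
An added example (my own code, not the site's and not the Postfix configuration above) that does offline what this thread keeps describing by hand: parse a saved message's headers and separate the hop that accepted the client's submission from the server-to-server hops, so a relay's address is not reported as the sender's (lucb1e's complaint); count bracketed IPv6 literals as much as IPv4 ones (andreaso's and spindritf's point); catch Exim's "with local" hop and X-Originating-IP; and report a message whose submission hop was stripped (what the header_checks above produce) as "inconclusive" rather than "clean". The sample messages are constructed from documentation address ranges, the hostnames are hypothetical, and the markers used to recognise a submission hop (Postfix's "Authenticated sender"/ESMTPSA, Exim's "with local") are an assumption about those two MTAs' formats, not a complete list.

```python
"""Find headers in a raw e-mail that reveal the submitting client.

Added example for this thread, not the code behind emailipleaktest.com.
Sample hosts/addresses are constructed (RFC 5737 / RFC 3849 ranges); the
submission-hop markers are assumptions about Postfix and Exim header formats.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from email import message_from_string
from typing import List, Optional

# Literal addresses in Received headers look like [203.0.113.5] or [IPv6:2001:db8::1].
BRACKET_IP = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")
# Exim's local-submission hop: "from <unix user> by <host> with local (Exim x.y)".
LOCAL_HOP = re.compile(r"^from (\S+) by (\S+) with local\b", re.IGNORECASE)
# Hints that a hop accepted the message from an authenticated client, not a relay.
SUBMISSION_MARKERS = ("authenticated sender", "esmtpsa", "esmtpa", "with local")


@dataclass
class LeakReport:
    verdict: str                       # "leak", "clean" or "inconclusive"
    origin_ips: List[str] = field(default_factory=list)   # the client's address(es)
    relay_ips: List[str] = field(default_factory=list)    # mail servers, not the client
    x_originating_ip: List[str] = field(default_factory=list)
    local_user: Optional[str] = None   # unix user from an Exim "with local" hop


def ips_in(text: str) -> List[str]:
    """Bracketed, syntactically valid IPv4/IPv6 addresses in one header value."""
    found = []
    for raw in BRACKET_IP.findall(text):
        try:
            found.append(str(ipaddress.ip_address(raw)))
        except ValueError:
            pass  # junk in brackets (malformed or spoofed) is not an address
    return found


def is_submission_hop(hop: str) -> bool:
    low = hop.lower()
    return any(marker in low for marker in SUBMISSION_MARKERS)


def find_leaks(raw_message: str) -> LeakReport:
    msg = message_from_string(raw_message)
    # Every MTA prepends its own Received header, so the list reads newest-first;
    # folded continuation lines are joined before matching.
    hops = [re.sub(r"\s+", " ", h).strip() for h in msg.get_all("Received", [])]
    report = LeakReport(verdict="inconclusive")
    submission_seen = False
    for hop in hops:
        local = LOCAL_HOP.match(hop)
        if local:                       # mutt on the box itself: no IP, but a username
            report.local_user = local.group(1)
            submission_seen = True
        elif is_submission_hop(hop):    # the hop that took the message from the client
            submission_seen = True
            report.origin_ips.extend(ips_in(hop))
        else:                           # server-to-server hop: its IP is not the sender's
            report.relay_ips.extend(ips_in(hop))
    # Exchange/Office 365-style header carrying the client address directly.
    for value in msg.get_all("X-Originating-IP", []):
        report.x_originating_ip.extend(ips_in(value))
    if report.origin_ips or report.x_originating_ip or report.local_user:
        report.verdict = "leak"
    elif submission_seen:
        report.verdict = "clean"
    # Otherwise no submission hop survived (stripped by the provider, or only relay
    # hops are visible): the remaining IPs belong to mail servers, so stay
    # inconclusive rather than blaming a relay's address on the client.
    return report


# Constructed header fragments (hypothetical hosts, documentation address ranges).
RELAY_HOP = ("Received: from mx.example.net (mx.example.net [203.0.113.5])\n"
             "    by mail.example.com (Postfix) with ESMTPS id A1B2C3; Mon, 1 Jan 2024 10:00:02 +0000\n")
CLIENT_HOP = ("Received: from laptop.lan (unknown [IPv6:2001:db8::1])\n"
              "    (Authenticated sender: alice@example.net)\n"
              "    by mx.example.net (Postfix) with ESMTPSA id D4E5F6; Mon, 1 Jan 2024 10:00:00 +0000\n")
EXIM_LOCAL_HOP = ("Received: from alice by mx.example.net with local (Exim 4.80)\n"
                  "    id 1rABCD-0001xy-Zz; Mon, 1 Jan 2024 11:00:00 +0000\n")
TAIL = "From: alice@example.net\nTo: bob@example.com\nSubject: test\n\nhi\n"
# Headers are newest-first, so the relay hop sits above the submission hop.
SAMPLE_SMTP_SUBMISSION = RELAY_HOP + CLIENT_HOP + TAIL
SAMPLE_SUBMISSION_STRIPPED = RELAY_HOP + TAIL          # after a header_checks IGNORE
SAMPLE_EXIM_LOCAL = (RELAY_HOP + EXIM_LOCAL_HOP
                     + "X-Originating-IP: [198.51.100.23]\n"      # webmail-style header
                     + "X-Originating-IP: [not.an.ip]\n" + TAIL)  # junk: must be ignored

if __name__ == "__main__":
    for label, sample in (("smtp submission", SAMPLE_SMTP_SUBMISSION),
                          ("submission hop stripped", SAMPLE_SUBMISSION_STRIPPED),
                          ("exim local + X-Originating-IP", SAMPLE_EXIM_LOCAL)):
        print(f"{label}: {find_leaks(sample)}")
```

Feed `find_leaks` the "Show original" text of a message you sent to yourself and compare the verdict with what the site tells you. Everything here is string matching on attacker-controlled input (meowface's point below applies to every header, Received included), so each bracketed address is validated with `ipaddress` and anything that does not parse is dropped rather than trusted.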

------
ihenriksen
Office 365 sends your IP address by default in the X-Originating-IP e-mail
header. See here how to remove the IP from your e-mail header:
[http://community.office365.com/en-us/forums/158/t/20470.aspx](http://community.office365.com/en-us/forums/158/t/20470.aspx)

------
rasengan
If you are worried about your e-mail, simply create a secondary/throw away
e-mail with a similar setup to test.

------
pallandt
Warning: your email is possibly harvested for spam. I tested this yesterday
with a newish account and already received unwanted email.

------
mingabunga
Looks like a thing to scare you into buying the VPN service from Private
Internet Access (PIA).

~~~
wrongc0ntinent
Also shows they know what they're doing :)

------
t0
Isn't your email more likely to stay out of spam if it shows your real IP?

~~~
meowface
I don't know, but it would be illogical if it did.

All SMTP headers can be spoofed with ease. Often a custom header like "X-Real-
IP" will be used to send along the client's true IP; a spammer wishing to
bypass filters could simply pass a phony X-Real-IP header with whatever they
want, so checking against this is futile.

------
aluhut
You should include a collection of solutions after a positive.

Or is this really only marketing?

