VFEmail.net

Virus Free Email Hosted Web Forum

All times are UTC - 6 hours [ DST ]




 Post subject: SMTP headers/username
Posted: Mon Aug 11, 2008 11:06 am
Site Admin

Joined: Wed Jul 02, 2003 11:17 am
Posts: 1410
Location: WI
In the past, VFEmail placed your login name in plain text in the headers of every email you send like so:
Received: from unknown (HELO rick.local)
(admin@vfemail.net@69.11.239.67) by authorized.vfemail.net with
ESMTPA; 11 Aug 2008 15:56:43 -0000

Some see this as a potential security issue, and others see it as a complete non-issue. In the case of the service here, it's absolutely necessary to be able to know who sent a message so we can remove spammers and abusers.

I have received a total of 2 complaints about this, but the last one was a bit harsh. You might have thought the oppression of communist peoples was caused by this bit of public information.

In any case, I've revisited the issue, and with a fresh look was able to implement masking of your 'real address/login name' without any trouble.
Obviously the headers Return-Path, Delivered-To, To, From will not be affected by this change.

Note: This change does not make you invisible. You will not be able to 'hide' from VFEmail.net, the Government, or any law enforcement organization. In reality, it will only protect your 'true' email address from public lists where you may be using an alias, or your email address is obfuscated by that system.

Hopefully this change isn't a 'rant enabler'. :/

Rick

_________________
VFEmail.net Admin


Posted: Sun Oct 19, 2008 5:29 pm

Joined: Thu Dec 20, 2007 5:17 pm
Posts: 20
Location: none
Havokmon wrote:
In the past, VFEmail placed your login name in plain text in the headers of every email you send like so:
Received: from unknown (HELO rick.local)
(admin@vfemail.net@69.11.239.67) by authorized.vfemail.net with
ESMTPA; 11 Aug 2008 15:56:43 -0000

Some see this as a potential security issue, and others see it as a complete non-issue. In the case of the service here, it's absolutely necessary to be able to know who sent a message so we can remove spammers and abusers.

I have received a total of 2 complaints about this, but the last one was a bit harsh. You might have thought the oppression of communist peoples was caused by this bit of public information.

In any case, I've revisited the issue, and with a fresh look was able to implement masking of your 'real address/login name' without any trouble.
Obviously the headers Return-Path, Delivered-To, To, From will not be affected by this change.

Note: This change does not make you invisible. You will not be able to 'hide' from VFEmail.net, the Government, or any law enforcement organization. In reality, it will only protect your 'true' email address from public lists where you may be using an alias, or your email address is obfuscated by that system.

Hopefully this change isn't a 'rant enabler'. :/

Rick


Thanks Rick!

This is a change that a 'technodunce' like myself can appreciate. I use a forwarding service, so making my real address easy to see was not what Martha Stewart would call "a good thing"!

_________________
none


Posted: Mon Feb 16, 2009 8:24 pm

Joined: Sun Oct 15, 2006 2:36 pm
Posts: 2
Quote:
I have received a total of 2 complaints about this, but the last one was a bit harsh.


I am assuming that you may be referring to me? If my complaint to you was harsh, it was because of your initial flippant response to what I believe is a legitimate security and privacy concern. Only then did I become harsh. In any case, I never said that you did not need to know who sent a message and I understand and accept those reasons.

Quote:
You might have thought the oppression of communist peoples was caused by this bit of public information.

That's still the problem with you, right? You think that the login id is "public" information?? It is not, especially if one is using a forwarding email address. Again, I don't have a problem with you knowing who sent email through your SMTP server; I am not a spammer or abuser of email.

Quote:
In any case, I've revisited the issue, and with a fresh look was able to implement masking of your 'real address/login name' without any trouble.

Thanks for that. It does seem, though, that the final key is the same for all email messages sent. May I suggest that if you want to do the full measure, you use a randomized key for each user that you save in their database account and then create an SHA1 (better would be RIPEMD160! Even better would be SHA256; NOT MD5!) hash using that random ID with the message ID (which must be unique for all messages, according to the SMTP RFCs) and maybe the username to create a unique key value that you would be able to then decipher with very little effort if the need would arise. This way, you keep your ability to identify the user if you must, but the user keeps their privacy and all are happy.

Quote:
In reality, it will only protect your 'true' email address from public lists where you may be using an alias, or your email address is obfuscated by that system.

That is all I was ever asking for. :D


Posted: Mon Feb 16, 2009 10:58 pm
Site Admin

Joined: Wed Jul 02, 2003 11:17 am
Posts: 1410
Location: WI
Sorry - I don't intend to be flippant, I just state.

i27r4vu725y5 wrote:
Quote:
In any case, I've revisited the issue, and with a fresh look was able to implement masking of your 'real address/login name' without any trouble.

Thanks for that. It does seem, though, that the final key is the same for all email messages sent. May I suggest that if you want to do the full measure, you use a randomized key for each user that you save in their database account and then create an SHA1 (better would be RIPEMD160! Even better would be SHA256; NOT MD5!) hash using that random ID with the message ID (which must be unique for all messages, according to the SMTP RFCs) and maybe the username to create a unique key value that you would be able to then decipher with very little effort if the need would arise. This way, you keep your ability to identify the user if you must, but the user keeps their privacy and all are happy.

The need arises regularly, so if there were to be some uniqueness at some point, it definitely wouldn't be on free accounts.

i27r4vu725y5 wrote:
Quote:
Quote:
In reality, it will only protect your 'true' email address from public lists where you may be using an alias, or your email address is obfuscated by that system.

That is all I was ever asking for. :D


It seems like quite a lot of effort with very little return - especially since the uniqueness would create a need to keep track of more data - assuming the key is just not multiple pieces of each message.

There is a point in security where the cost of protection exceeds the value of a possible breach.

_________________
VFEmail.net Admin
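
The per-user key scheme suggested in the third post (a random key stored with each account, hashed with the Message-ID and the username), sketched here as an added example; it is not VFEmail's code and was not posted by anyone in the thread. It assumes HMAC-SHA256 in place of the bare hash, and the function names, accounts and Message-IDs are made up for illustration.

```python
import hashlib
import hmac
import secrets

TOKEN_LEN = 32  # hex chars placed in the header (128 bits); an assumption of this sketch


def new_user_key() -> bytes:
    """Random per-user secret, generated once and stored with the account."""
    return secrets.token_bytes(32)


def sender_token(user_key: bytes, login: str, message_id: str) -> str:
    """Opaque per-message stand-in for the login name.

    HMAC-SHA256 keyed with the per-user secret is used instead of hashing
    key + Message-ID + username directly; the NUL byte keeps the two
    fields from running into each other.
    """
    msg = login.encode() + b"\x00" + message_id.encode()
    return hmac.new(user_key, msg, hashlib.sha256).hexdigest()[:TOKEN_LEN]


def resolve_sender(accounts: dict[str, bytes], message_id: str, token: str):
    """Operator-side lookup: recompute the token for every account.

    Nothing per-message is stored; the cost is one HMAC per account.
    Returns the matching login, or None if no account produces the token.
    """
    for login, key in accounts.items():
        candidate = sender_token(key, login, message_id)
        if hmac.compare_digest(candidate, token):
            return login
    return None


# Constructed sample data: accounts and Message-IDs are made up.
ACCOUNTS = {name: new_user_key() for name in ("alice@example.net", "bob@example.net")}
MID_1 = "<20080811155643.1@mail.example.net>"
MID_2 = "<20080811160102.2@mail.example.net>"

if __name__ == "__main__":
    key = ACCOUNTS["alice@example.net"]
    t1 = sender_token(key, "alice@example.net", MID_1)
    t2 = sender_token(key, "alice@example.net", MID_2)
    print("message 1:", t1)
    print("message 2:", t2, "(differs, so two messages are not linkable by token)")
    print("resolved :", resolve_sender(ACCOUNTS, MID_1, t1))
```

The only extra data kept is one key per account; the price is that resolving a token means trying every account, and both the token and the Message-ID from the complained-about message are needed.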

