OpenFest 2006 - Share the Freedom

January 29, 2004

Another argument for Message-Id

I missed a very important argument in my Outlook 2003 and Message-Id rant the other day; it was on my mind when I started writing the rant, but then it must have slipped through the cracks...

The fact that the usual way to form the Message-Id header discloses the sending machine's hostname is made almost irrelevant by the fact that there are very, very few SMTP servers which do not add a "Received" header containing the client's perceived IP address, the client's perceived DNS hostname, and the contents of the client's HELO command - which, with most SMTP clients, actually contains the client's hostname.

Here's an example:

Received: from actual-hostname-deleted (HELO (actual-IP-address-deleted)
by with SMTP; 28 Jan 2004 08:09:30 -0000

This was the first (technically, the last, since the SMTP servers further on in the chain had added theirs to the beginning of the message) "Received" header on a message that I recently sent to a public list. As you can see, my mail client (not Outlook 2003, but see below) honored the SMTP protocol by issuing a HELO command with the local machine's hostname - and it is plainly visible in the message headers.

A coworker fired off a quick test message using Outlook 2003 and, lo and behold, the SMTP server logged a Received header with the coworker's machine's name in it! So much for privacy, I guess :P

Note: please do not take this as a request for Microsoft to stop providing the machine's hostname in the HELO command, too! :)

Posted by roam at January 29, 2004 02:06 PM