…and around it goes

April 14, 2009

What do your e-mail headers give away about you?

Filed under: Privacy — steve @ 3:02 am

We all already know about our IP address and what it can give away about us (I am assuming, perhaps incorrectly, that readers are privacy- and security-minded). I want to talk about other, perhaps lesser-known, risks to your privacy and security that you'll find in your e-mail headers. These range from giving away personal and local information to handing an attacker the keys to your computer.

Let's start with personal information. Most of you probably use a mail service that hides your IP address, but does it hide or change your message ID? The message ID is generated by your mail client and may contain information about you, your general location, and/or your machine. For example, some versions of Microsoft Outlook encode your machine's IP address into the message ID. We'll look at a sample:

Message-ID: <000101c168cc$09359c50$0100a8c0@billsbarn>

You may notice that between the @ and the first $ (moving from right to left) we have 0100a8c0; read the bytes in reverse order and that is c0a80001, which in hex is c0 = 192, a8 = 168, 00 = 0, and 01 = 1, or 192.168.0.1. Also notice it gives the machine name, billsbarn. Why give out any unnecessary information?

In the above example it is the IP address of the internal LAN, which gives away information on its own, but it could be an externally accessible IP in some situations. Outlook isn't alone in this; other clients do it too, be it in hex, octal, decimal, or another base. It's not only encoded IP addresses we can find in message IDs: we can often find machine names, ISP names, POP account names, and local dates and times, giving away your time zone (in some cases this may matter). These are often not even encoded.

Besides the message ID, mail clients have been known to stick all sorts of potentially personal information into the mail headers: the organization you belong to or company you work for, who originally forwarded the message you are quoting, and even your fax and/or phone number. Mail clients are notorious for strewing personal and potentially damaging information throughout the mail headers.

Perhaps the stupidest idea I have ever seen from a security standpoint: most mail clients stamp into the mail headers the software you are using and its version number. And every one of them has suffered serious vulnerabilities at one time or another, vulnerabilities that allow an attacker to remotely execute code on your machine, potentially giving him access to your computer and all the personal information about you it contains. The keys to the castle, game over.

As always, you should keep up on patches, but in the event a vulnerability exists which you are unaware of, you may very well be telling your attacker how to gain access to your machine just by sending him an e-mail, either directly, via a mailing list, or in a web mailing list archive (ever search Google for older vulnerable user agent strings? You find them all the time in current mailing lists, and for some of them all it would take to compromise the machine is to send the person a properly crafted e-mail).
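To see what your own outgoing mail gives away, the following added example (not part of the original post) audits a constructed message: it decodes the Outlook-style $-delimited Message-ID described above and flags the common software-identifying and organization headers. The header names checked (X-Mailer, User-Agent, Organization, X-Originating-IP) are an assumed list of the usual offenders, not an exhaustive one.

```python
import re
from email import message_from_string

# Constructed sample; the Message-ID is the one quoted in the post, the rest is made up.
SAMPLE = """\
From: bill@example.invalid
To: someone@example.invalid
Subject: test
Message-ID: <000101c168cc$09359c50$0100a8c0@billsbarn>
X-Mailer: Microsoft Outlook Express 5.00.2919.6700
Organization: Example Corp
User-Agent: Mutt/1.5.20 (2009-06-14)

body
"""

# Outlook form: <12 hex>$<8 hex>$<8 hex>@<host>; the third field is the IPv4 address
# with its bytes in reverse (little-endian) order.
OUTLOOK_MSGID = re.compile(
    r"<([0-9a-f]{12})\$([0-9a-f]{8})\$([0-9a-f]{8})@([^>]+)>", re.I
)

# Headers that commonly reveal client software, organisation or originating host.
LEAKY = {"x-mailer", "user-agent", "organization", "x-originating-ip"}


def decode_outlook_msgid(msgid):
    """Return (ip, hostname) for an Outlook-style Message-ID, or None otherwise."""
    m = OUTLOOK_MSGID.match(msgid.strip())
    if not m:
        return None
    raw = bytes.fromhex(m.group(3))            # b'\x01\x00\xa8\xc0'
    ip = ".".join(str(b) for b in reversed(raw))  # reverse bytes -> 192.168.0.1
    return ip, m.group(4)


def audit_headers(raw_message):
    """List (header, value) pairs that give away software, organisation or host details."""
    msg = message_from_string(raw_message)
    findings = [(n, v) for n, v in msg.items() if n.lower() in LEAKY]
    mid = msg.get("Message-ID")
    decoded = decode_outlook_msgid(mid) if mid else None
    if decoded:
        findings.append(("Message-ID", f"encodes IP {decoded[0]} and host {decoded[1]}"))
    return findings


if __name__ == "__main__":
    for name, value in audit_headers(SAMPLE):
        print(f"{name}: {value}")
```

Run it against a message you sent to yourself (headers shown in full) to check what your client and provider actually emit.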

Unfortunately your options for correcting this are limited, as many clients simply do not give you the ability to change or remove these headers. If you are good with a hex editor you may be able to change or zero out these headers in some clients. Or you can research clients and what they place in headers and pick one that adds the least or that gives you the most control. Or you can subscribe to a mail service that gives you the ability to add, remove, or change your mail headers. Coincidentally, I happen to run one of those, and if you are already a subscriber, you're covered.
