Thunderbird bypassing the anonymity HELO/EHLO solution
Thunderbird bypassing the anonymity HELO/EHLO solution
Important privacy issue : especially for Mac users using TB and like to monitor their privacy a bit.
For years people are talking about the HELO/EHLO as a solution to make TB email messages more anonymous.
Unfortunately that solution can be easily bypassed. *
Case: When making their first account on a Mac, users will use in a lot of cases their own name. More specific their whole name. Service minded as Mac OS X is, it's using that name in several places as well as a lot of software program's. Not everybody takes notice of that while they should in case of privacy or security.
Now, this account name you create will also appear in your "Computer name" and in your "local network access name", like "JimNowhere's computer" and more important a local network address named like "JimNowhere.local" .
TB is sending this full "local network access name" address in the messages you send. So if it would be the case that you think you are using a more anonymous email account because it does not have any reference with your name in it, TB will bypass that by revealing your name in the message header. Not everybody will look at message headers but some people do and not only for good reasons.
As a solution to this people/users/TB developers came up with the solution to edit the HELO/EHLO (smtp name) rules and override the local network name by giving it another anonymous name yourself. No more TB mentioning the "local network access name".
Problem solved, many people happy...
..try this at home with your TB... If someone sends you a message and asks for a "return receipt", which is in many cases useful to respond, then TB will reveal your full local network name again (!) in the replied message header. Which means that if your local network name is actually your real name, TB is overriding in a negative way your privacy efforts by managing the HELO/EHLO preferences. "Return Receipt? Exit privacy again.
I think a lot of people do not know/realize this and I thought it would be nice to point at this unfortunate issue.
Now, what can you do about this as a privacy concerned Mac user using TB?
Never answering return receipts could be a solution. Among many other things, you can take a non TB measurement by changing your Mac's "local network access name" in something anonymous, or even give it a very generic name as much as possible (same thing about the HELO/EHLO smtp name). You can find this in your general Mac Preferences window, then choosing the "Sharing" option, where you can find and change both your "Computer name" and your "local network access name" in something more anonymous. It won't hurt you when you do. ;)
Among different external possible privacy options is considering to try the TB add-on TorBirdy Beta from the TorProject. This addon will not reveal your local network name. But when you already did configure your HELO/EHLO settings and changed different settings under TB's config editor, it could be the case that even with this addon TB will actually reveal your local network name! So, be sure to check this, be sure it is not the case when you start using this addon. Maybe it is a good idea to reset your TB to a standard config again first before installing and using this TorBirdy addon.
Again changing your computer and network name in something more anonymous and generic is a good, maybe the best general privacy approach anyway (as well as using an account on your computer that does not reveal your whole name).
Only good for privacy? 'Maybe' this is not even only important for your privacy but a relevant security issue as well. In my opinion you nowadays should better not give away information about your computer, programs or network if it's not important for the actual function of that program (like emailing) but can be used against you, like serving the right malware / hacking attacks etc, avoiding that is better for security reasons as well.
'Summary' - HELO/EHLO configuration defeated when answering a "Return Receipt" - Possible negative interference TB HELO/EHLO configuration on Torbirdy addon
So, at TB developers, if you know a solution to fix this return receipt issue or have a good TB about:config solution for this as well, I would be glad to know the answer.
Best regards,
e31e1f335dc4619af5626673a4ea9eaa3b7805128029675e20a912d33f3c13eb
- If I'm not mistaken, and I think I'm not, reason to post a message about it here.
Gewysig op
All Replies (9)
And what is the problem? Something about misconfigured copies of OSX.
You appear to think there is a Thunderbird issue. I think it might be with return receipts, but I am not sure.
Please a succinct summary of what information gets released and short steps to reproduce. please
Hi Matt,
Thank you for answering my question so far. I'll try to resume the Thunderbird problem again in another way and hopefully making the problem more clear.
The problem is that a given Thunderbird solution is not working fully which could give/lead to a false sense of privacy or security.
The solution given in "Replace IP address with name in headers" http://kb.mozillazine.org/Replace_IP_address_with_name_in_headers is not a guarantee (at all) for hiding your local network name (at least in Mac OS X), because when someone sends you a message and requests a "return receipt", Thunderbird will send your local network name in the 'read reply', despite the extra efforts you made with setting/modifying extra rules/strings in the "config editor" of Thunderbird.
In the header of the return receipt you will get and see a new rule created and given by Thunderbird (and not by the OS) that reveals your real local network name :
"Reporting-UA: jimnowhere.local; exactlythunderbirduseragent"
(This extra rule is not only reporting your useragentstring but also the local network name that you tried to hide when sending emails. "exactlythunderbirduseragent" is the thunderbird version you are using or the name you gave it in the useragent string of Thunderbird, because you did want to hide some of that standard given information in your messages as well; Thunderbird version, Operating System and version, or just even the name of your in real used emailing software).
So, yes, in a way you can say the given Mozillazine solution is working, when you are sending an email. But Not really actually. If someone happens to know your email address (because you did send an email first or you are on some spamming list) and want to know the local network name you did on purpose not reveal in the first place (with an extra created "mail.smtpserver.smtp*.hello_argument" string), the only thing that person has to do is sending you a message (back again) and ask you for a return receipt! Your Thunderbird will send the return receipt with the information you did try to hide in the first place ; your actual real local network name.
(real local network name =your account name =your full real personal name in a lot of 'user-cases' when using Mac OS X and a Mac OS X Thunderbird version with off course allowing replying on requested "Return receipts". I do not know if Windows or Linux versions of Thunderbird are creating this extra "Reporting-UA:" rule also and maybe are mentioning/giving the local network ip address).
This 'revealing local network name issue' is a Thunderbird action and not an action of the (Mac) OS (X). Also, this is not a new problem it's there in many(all?) Thunderbird versions way back in the past (tested it out of curiosity).
To put my question in another way : how can users get rid of the extra generated "Reporting-UA:" rule that is given in the sended return receipts by Thunderbird and protect their privacy for real in this Helo/Ehlo matter?
If the people of the Torbirdy project can strip these header information with their addon, one should think it would be possible to do it in the 'Config editor' of a standard Thunderbird as well.
Hopefully I could clear my Thunderbird privacy/security point more, and hopefully there is an answer to that in addition to the frequently discussed Thunderbird Helo/Ehlo privacy and security matter.
Best regards 'Jim'
Couldn't keep it short, sorry :-)
P.s.
The extra external suggestions I made as a solution to this Thunderbird problem, like giving some Mac Os X privacy configuration tips or the reference to an extra privacy addon like Torbirdy Beta, were just a little user service beside this standalone Thunderbird question and are in my opinion not of any influence nor forcing Thunderbird to act like this.
I did give this extra information because when you discover and post a problem, it is nice (as a reader/user) to have at least some alternate solutions while waiting for a possible answer/solution and therefore hopefully 'do not have to worry that much'. :-)
Gewysig op
Ok, given you obviously have considered the options, perhaps you should file a bug and see if we can find a developer to fix it once and for all.
Hi Matt,
Thanks for answering. I'm glad to hear that you recognise this as an 'issue'. But, mmm, another (mozilla) account (and public too) just to tell the same problem again? How many accounts does one have to have everywhere nowadays?
I did look a bit at the Bug_writing_guidelines, quite a 'study', maybe the desired style etcetera for a bug report is not really matching my style of describing. Not that I'm lazy, it's the supposed matching thing, maybe.
Do, you or any of your colleagues ever offer writing such a bugreport service, even using this post as a reference? I think the problem should be quite clear by now. At least you understood and thereby proven as such. :)
I'll be glad to know, if you 'guys' also could provide this bugreportservice. Otherwise I'll have to, .. well at least take some (more) time for this.
Thank you in advance for answering.
Best regards 'Jim'
Everyone here volunteers to answer questions not be a dictation service. That is how Mozilla set up their system. There is nothing we can do about it. We are Thunderbird users just like you except we volunteer our time to help others.
Hi Airmail,
Thank you for answering.
"not be a dictation service"
It was just an extra question to mozilla support whom I presumed to know the way they organised "their system" far more better than I do, I just came by (with a reason). Sometimes there is an intermediate problem-to-bug-translator active. Therefore a reason to ask this.
I'll 'study' on the Bug report routine and will ask my question / point at this hole in the advertised HELO/EHLO solution again. Hopefully that will lead to a final solution in this matter.
Best regards, 'Jim' (the new upcoming bugreporter ;)
Mozilla involvement consists of leaving their name on Thunderbird and providing the web site for this forum and bugzilla. Support is by people volunteering their time as are the programmers working on the fixes reported on bugzilla.
Dear Mozilla volunteer contributors,
Thanks for the answers and your time.
All the best 'Jim'
@Airmail.... just to extend this, Mozilla does contribute something we would have little or no hope of providing ourselves and that is a build and testing environment.
I have my share of downers on Mozilla, but their contribution to the build and testing runs into a very large sum of money.