View Issue Details

IDProjectCategoryView StatusLast Update
0017377phpList 3 applicationMessage Send Processpublic03-08-18 12:44
ReporterElementGreen 
PrioritynormalSeverityfeatureReproducibilityalways
Status newResolutionopen 
PlatformIntel Xeon CPU E5-2680 VPS HostOSUbuntu LinuxOS Version14.04
Product Version3.0.7 
Target Version3.4.0Fixed in Version 
Summary0017377: Adding Received: header with HTTP web browser IP address is a privacy issue
DescriptionI was surprised to find my personal home broadband IP address embedded in the Received: headers of campaign emails. This seems like a pretty severe privacy issue, which users of phplist should at least know about.

Attached is a patch which adds a configuration option called ENABLE_HTTP_CLIENT_STAMP which enables this functionality (if someone wants it), but it should be disabled by default in my opinion. I can see how this type of thing makes sense for anonymous forms which send emails (what the link to the Spamcop page talks about) or for situations where the admins of the phplist can't be trusted entirely, but this is a system that is secured via a login so that is usually not the case. I don't wish to broadcast to the world my physical location, or at least would like to know that that is what is occurring, prior to doing so.
Steps To ReproduceSend a campaign email (with immediate mode)
Look at the headers and note the Received: header for the IP address of the HTTP client which sent the campaign
TagsConfiguration and sending

Activities

ElementGreen

09-09-14 19:41

reporter  

phplist-disable_http_client_stamp.patch (1,335 bytes)
diff -ru phplist.orig/admin/class.phplistmailer.php phplist/admin/class.phplistmailer.php
--- phplist.orig/admin/class.phplistmailer.php	2014-09-09 12:11:39.000000000 -0700
+++ phplist/admin/class.phplistmailer.php	2014-09-09 10:20:18.000000000 -0700
@@ -142,7 +142,8 @@
 #        $this->addCustomHeader("Return-Receipt-To: ".$GLOBALS["message_envelope"]);
       }
       ## when the email is generated from a webpage (quite possible :-) add a "received line" to identify the origin
-      if (!empty($_SERVER['REMOTE_ADDR'])) {
+      if (defined('ENABLE_HTTP_CLIENT_STAMP') && ENABLE_HTTP_CLIENT_STAMP
+          && !empty($_SERVER['REMOTE_ADDR'])) {
         $this->add_timestamp();
       }
       $this->messageid = $messageid;
diff -ru phplist.orig/config/config.php phplist/config/config.php
--- phplist.orig/config/config.php	2014-09-09 12:12:27.000000000 -0700
+++ phplist/config/config.php	2014-09-09 12:11:15.000000000 -0700
@@ -34,6 +34,9 @@
 
 define("PHPMAILERHOST",'');
 
+# Enable adding a Received: header for HTTP client IP address in campaign emails
+# define("ENABLE_HTTP_CLIENT_STAMP",1);
+
 # if test is true (not 0) it will not actually send ANY messages, but display what it would have sent
 # this is here, to make sure you edited the config file and mails are not sent "accidentally"
 # on unmanaged systems

michiel

09-09-14 19:59

manager   ~0054955

yes, interesting isn't it. We'd want this option when phpList is used for incorrect things, like spam, but not when we can be trusted and are sending correctly.

Tricky these kinds of things. I can totally understand not wanting to give out your home IP address to your entire subscriber base. In a way, you may not even mind your subscribers to see it, but you definitely don't want anyone else who can read the mails (which is more than you can imagine).

Obviously you figured out how to stop it. I'd be interested to raise this discussion in a wider audience to see if we want to make it a feature. I'd still opt to keep it ON by default.

Zbyszek

02-11-15 18:06

reporter   ~0057126

Especially interesting when one has dynamic rDNS at home.

Can make Spam Assassin a little bit angry at RDNS_DYNAMIC and DYN_RDNS_AND_INLINE_IMAGE.