Gmail Anonymity Issue

The webmail service provided by Google, Inc, named “GMail” or “Google Mail” is a fully-anonymous mail exchange system when it talks to other gmail-based domains.

UPDATE (after 1 day): Hey, I’ve received one comment saying that I should see this as an improvement on Privacy. Yes, of course! But I strongly believe in OPTIONS. This should be configurable, at least. Additionally, when you use webmail, the client is the web-browser, not the remote webmail software. It’s YOU from YOUR internet connection using the remote service. It’s not crazy to think your IP should be added to the headers 😉

In any case, has anyone bothered to read my last comment?: “We’ve been looking for fully anonymizing SMTP servers for decades, and now we discover any mail user is vulnerable.” This is like saying “Hey, I like this, but it can also be used by attackers to shield themselves when scamming people” (hence, “any mail user is vulnerable”). I love privacy, don’t get me wrong! I wouldn’t be talking about if I didn’t.

Google has been notified of this issue, but the response was “Sorry, but we do not understand your issue”. More information was provided, but the same response was received.

I do not consider this a High Risk issue.


Most webmail services provide means to obtain full-headers of any eMail message stored in the user’s folders. Inside those headers we can usually find at least one public IP addresses, that relates some way or another to the mail’s sender.

This is not the case with any gmail-to-gmail eMail message.

In the case of Gmail, full headers can be seen from the “Show Original” action link provided in the “More Options” menu of an already-opened eMail message.

For example, if I send an email from buanzo AT to buanzo AT, I get something like this:

X-Gmail-Received: 9c6f2229aa1a91477bada005cd389e212c2f7454
Received: by with HTTP; Wed, 26 Jul 2006 11:46:08 -0700 (PDT)
Message-ID: <6f7daea60607261146y43fd4[email protected]>
Date: Wed, 26 Jul 2006 15:46:08 -0300
From: “Arturo Busleiman”
To: [email protected]
Subject: test
MIME-Version: 1.0
Content-Type: multipart/alternative;
Delivered-To: [email protected]

Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Content-Disposition: inline


Arturo ‘Buanzo’ Busleiman /

Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Content-Disposition: inline


Arturo ‘Buanzo’ Busleiman /


As you can see, no public IP address appear. Only private, 10/8 IP addresses.

Of course, email sent from a different account to myself doesn’t show any public address.

Additionally, I host’s email using the Gmail for your Domain beta-service. Sending eMail from the web interface of (Gmail-based) to and vice-versa shows the same vulnerability.

We’ve been looking for fully anonymizing SMTP servers for decades, and now we discover any mail user is vulnerable.

The vulnerability disappears if sending eMail through a MUA like Mozilla Tunderbird or any other SMTP client.

Transcript of my communication with Google regarding this issue. I replied to this eMail, too, two days ago, and received the same reply. I replied to that and asked what they didn’t specifically understand.

Date: Wed, 19 Jul 2006 13:41:00 -0700
From: “The Google Team”
To: “Arturo ‘Buanzo’ Busleiman”
Cc: [email protected], [email protected]
Subject: Re: [#66078110] Anonymity Issue with GMAIL
Message-ID: <#[email protected]>
MIME-Version: 1.0
Content-Type: text/plain; charset=”iso-8859-1″
In-Reply-To: <[email protected]>
User-Agent: Neotonic Trakken/frontend-2.35.6

Thank you for your message.

We’re happy to answer any questions you may have about Gmail, or your
Gmail account. However, we need further clarification from you before we
can help. Please reply to this message and include any additional
information that you think might help us address your specific concerns.


The Google Team

Original Message Follows:
From: “Arturo ‘Buanzo’ Busleiman”
Subject: Anonymity Issue with GMAIL
Date: Tue, 18 Jul 2006 13:07:48 -0300

Hash: SHA1

Dear people at Google/Gmail,

I’ve been a long time user of your services (google, gmail, gmail for
your domain, orkut, adsense,
blogspot). I’m user “[email protected]” or “buanzo” on your services.

Yesterday I was helping out on a security issue with a friend. I needed
to analyze IP addresses of
certain emails my friend received, and test against an identity theft.

The sender and receiver (the “attacker” and my “friend”) are both

So, when I opened up one of those eMails using the Gmail web interface,
then I clicked on “more
options” for that sender, then “Show original”, I noticed NO public IP
address at all. Only private network addresses (internal gmail/google network).

In any case, it seemed that this behaviour ONLY happened when email from
[email protected] via
web-interface to [email protected] was sent.

So, for testing, and before sending this advisory to you, I sent an email
using the web interface
for gmail account [email protected] to my wife, [email protected]

Then I oppened [email protected]’s account on my 2nd computer, and this
is the message source as
provided by “Show Original” button.

As you can see below, the 3rd Received line is the last one, and is “by with HTTP”. WITH
HTTP -> that is me using [email protected]’s web interface. See below for
more details.

X-Gmail-Received: 95f51f3b274bfdc2c834d221f18347acf46e081d
Delivered-To: [email protected]
Received: by with SMTP id m10cs137572wxm;
Tue, 18 Jul 2006 08:58:49 -0700 (PDT)
Received: by with SMTP id i2mr1631532hue;
Tue, 18 Jul 2006 08:58:46 -0700 (PDT)
Received: by with HTTP; Tue, 18 Jul 2006 08:58:46 -0700 (PDT)
Message-ID: <[email protected]>
Date: Tue, 18 Jul 2006 12:58:46 -0300
From: “Arturo Busleiman”
To: “Amor de mi Vida”
Subject: te amo
MIME-Version: 1.0
Content-Type: multipart/alternative;

– ——=_Part_45900_33494322.1153238326171
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

te amo

– —
Arturo ‘Buanzo’ Busleiman /

– ——=_Part_45900_33494322.1153238326171
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

te amo

Arturo ‘Buanzo’ Busleiman /

– ——=_Part_45900_33494322.1153238326171–

I believe this is a serious issue that turns any user into a
victim of lots of different
email-based attacks that one can’t analyze because of the “anonynimity” of
the attacker’s public,
internet IP.

Please return to me with comments on this issue.

Thank you very much for your attention.


– —
Arturo “Buanzo” Busleiman – VPN Mail Project –
Consultor en Seguridad Informatica –
Genetic – A multiplatform Gentoo Portage Frontend –
for f in www blog linux-consulting vpnmail; do firefox
http://$ ; done
Version: GnuPG v1.4.4 (GNU/Linux)
Comment: Using GnuPG with Mozilla –


Artículos relacionados:

Si te gustó este articulo, ¿ Porque no dejas un comentario a continuación y continuas la conversación, o te suscribes a los feeds y recibes los artículos directamente en tu lector?


me parece que no te entienden porque los yankies son mas “concretos” de ir al grano, vos vas con ejemplos y explicaciones. No es un problema idiomatico, sino cultural.
(Sin descartar mas vale que sea que lo haya leido un indio/chino/latino barato que no entienda nada)

Me olvidaba, tendrias que reformatear tu mensaje asi:

Descripcion del problema en uno o 2 reglones y luego pone todo el resto como “info complementaria”.

De esa manera se entiende que pasa y en base a eso mandan el pedido a quien entiende realmente (pensa que la primera linea de soporte deben ser de semi-robots que apenas reconocen lo que escribis para ver a quien le forwardean o que respuesta enlatada mandan). Si esas pesonas le queres hacer que deduzca todo tu razonamiento, vas mal. Porque si bien tu razonamiento es correcto, no es para cualquiera.

hi, i still don’t know how i’ve got into your blog, but…
I seems you have a huge problem with network theory, the ip that is registered in the e-mails it the client one, in this case the ‘client’ is you gmail server (and NOT you), and the receiver is the next gmail server in the mta load balancing system of gmail. So issue is NO issue. Is just your mistake.
On the otherhand if you claim to be a security people (as many other cheap security guys out there) you should start setting your mind into Security/Privacy and anything that would protect the privacy is an improvement instead a fault. (know I’m wondering why you fill your mouth talking about ‘tor’ anonymizing system. (which actually can be defeated.
I don’t wanna be rude, but you should seriously think *before* writting.
my 5 cents.

To TKC.. you are WRONG…

Users don’t use MTAs directly.

Before you can talk to a MTA, you MUST use a MUA (Mail User Agent). In this case, the AJAX gMail aplication acts as a MUA. At least we expect a “custom header” like Hotmail does.

Please read carefuly RFC2821 then we can talk about “network theory” and “security”.

You can begin reading this:


Sorry, the comment form is closed at this time.