Gmail Hasn’t Fixed the Real Reply Problem

Garett Rogers of ZDNet points out that Gmail now lets replies automatically go out from the address that received the original message, if you have Gmail set up to send from different email accounts.

But Gmail hasn’t fixed a much more serious problem, in my opinion, one that I pointed out two months ago: your Gmail account appears in the “Sender” and “Return-Path” fields of your email header, even when sending as another account. The result defeats one purpose of using other addresses: keeping your Gmail account private while being able to conduct business with other accounts.
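To see the leak described above in a given message, compare the origin headers against the visible From address. This is an added example, not code from the original post; the sample message and every address in it are constructed placeholders.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed sample: a message sent from Gmail "as" another address.
SAMPLE = """\
Return-Path: <private.account@gmail.com>
Sender: private.account@gmail.com
From: Business Contact <contact@example.org>
Reply-To: contact@example.org
To: client@example.net
Subject: Quote

Hello.
"""

# Headers that identify the submitting account rather than the author.
ORIGIN_HEADERS = ("Return-Path", "Sender")


def addresses(msg, header):
    """Return the lower-cased addresses found in every instance of a header."""
    values = msg.get_all(header, [])
    return {addr.lower() for _, addr in getaddresses(values) if addr}


def leaked_addresses(raw):
    """Map each origin header to addresses it exposes beyond the From line."""
    msg = message_from_string(raw)
    visible = addresses(msg, "From")
    leaks = {}
    for header in ORIGIN_HEADERS:
        extra = addresses(msg, header) - visible
        if extra:
            leaks[header] = sorted(extra)
    return leaks


if __name__ == "__main__":
    for header, found in leaked_addresses(SAMPLE).items():
        print(f"{header} exposes: {', '.join(found)}")
```

Running it on a message saved with full headers shows exactly which address a recipient can recover by viewing the source.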

17 Comments

  1. I agree with you !

    Has anything been done yet to make Google fix this huge mistake ? (I mean, petitions or something like that)

  2. I don’t think that Google ever intended to completely mask the fact that the e-mail is coming from a Gmail account. If you want this functionality, try something like sneakemail.com (which is designed to keep your real e-mail address private) in concert with Gmail.

  3. I agree, people who use this don’t want to have their gmail show up when they are sending official business emails.

  4. Still…I’m not so sure sending “official business emails” through a BETA webmail service is the best idea anyway…

  5. I agree entirely. Wrote up the same thing here. They need to solve this — it makes a mockery of supposedly using a custom address.

  6. Has my comment been removed ??

  7. Eskimo, do you mean this comment? I haven’t removed any comments.

  8. @filosofo: Oh, I’m sorry, I posted on the wrong blog note.

    If you want to sign the petition, it’s here :-) .

  9. This is expected behaviour.

    First: mail that originates from the gmail.com servers must have sender and returnpath as gmail.com domains, else it has a high chance of being considered spoofed email (because it is!). Blocking spoofed email (ie, mail that claims to be from one sender but is coming from a different domain) is a highly effective way of reducing spam – when your mail server is the first hop. Blocked messages = unhappy gmail users.

    Second: If someone manages to figure out the verification code generation algorithm, allowing the addition of addresses without validation, or manages to temporarily gain access to another user’s email address to receive the validation message, that identity is taken over completely – messages sent from the gmail account are indistinguishable from messages sent by the hijacked account, lending support to identity theft.

  10. bene,
    There are other ways to address your first point. For one, using Gmail with “spoofed” sender and return-path fields is not much different from my using an email client like Thunderbird to send email using, say, my ISP’s SMTP server, which is what I’d be doing anyway were I not using Gmail. In both cases someone would receive email from ilfilosofo.com that had originated on other servers (either Google’s or my ISP’s). So the risk of spam filters throwing a false positive should be about equal.

    Also, Google could get around the spam-filter risk by making the sender and return-path emails something like an MD5-encrypted combination of the Gmail account and the “spoofed” account. That way it would obscure the private email address while matching server and sending email. It would also allow easy filtering of spam should it be directed toward my Gmail account; for example, were I to start getting spam to b05ba897e4e963074d85164c9beddb23@gmail.com then I could easily filter it away. Spam to my real Gmail address–not so easy.

    Your second point could only be realized if someone has already compromised the other email account. At that point, the attacker could easily misuse the account independently of Gmail’s involvement.
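The opaque-alias idea from comment 10, sketched as an added example (not code from the post or from Gmail). It swaps the suggested plain MD5 for a keyed HMAC-SHA256, because an unkeyed hash of two addresses can be recomputed by anyone who already suspects them; `PROVIDER_KEY`, the `|` separator, the `AliasTable` class and all addresses are assumptions.

```python
import hashlib
import hmac

# Assumption: a secret held only by the mail provider (constructed value).
PROVIDER_KEY = b"constructed-demo-key"


def md5_alias(account, send_as):
    """Unkeyed variant as suggested in the comment: MD5 over both addresses."""
    digest = hashlib.md5(f"{account}|{send_as}".encode()).hexdigest()
    return f"{digest}@gmail.com"


def keyed_alias(account, send_as, key=PROVIDER_KEY):
    """Keyed variant: cannot be recomputed without the provider's key."""
    mac = hmac.new(key, f"{account}|{send_as}".encode(), hashlib.sha256)
    return f"{mac.hexdigest()[:32]}@gmail.com"


def guess_confirms(alias, guessed_account, send_as):
    """True if a guessed account reproduces an unkeyed alias (privacy lost)."""
    return hmac.compare_digest(md5_alias(guessed_account, send_as), alias)


class AliasTable:
    """Provider-side map so bounces to an alias still reach the real account."""

    def __init__(self):
        self._owner = {}

    def issue(self, account, send_as):
        alias = keyed_alias(account, send_as)
        self._owner[alias] = account
        return alias

    def route_bounce(self, alias):
        # Unknown aliases return None, so stray mail to them can be dropped.
        return self._owner.get(alias)


if __name__ == "__main__":
    table = AliasTable()
    alias = table.issue("private.account@gmail.com", "contact@example.org")
    print("Return-Path alias:", alias)
    print("Bounce routed to:", table.route_bounce(alias))
```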

  11. filosofo,
    bene’s point about gmail’s revealing gmail address in headers when sending as another account being expected behavior is important because any solution that does not reveal gmail as message originator would take control over email sent from some domain away from that domain’s owner.

    For instance, if I am employed by A Good Company, and duly receive an email account of me@agoodcompany.com, then should A Good Company dismiss me, the gmail functionality you desire would make it impossible for A Good Company to prevent me from continuing to send further email correspondence under its domain. (Moreover, since any email can have a reply-to header, I can count on getting some answers back, too.)

    If I recall correctly, in the earliest days of the send as functionality, gmail worked closer to the transparent way you want, and I can only surmise that one or more IT security people pointed out the problems this might create with, for example, disgruntled ex-employees. Recognizing the potential for google’s liability under some legal theory for damages that could result from gmail enabling such problematic communication is a small step, which leads me to believe gmail is probably not going to “fix” what you call the “real” reply problem.


  12. > bene’s point about gmail’s revealing gmail address in headers when sending as another account being expected behavior is important because any solution that does not reveal gmail as message originator would take control over email sent from some domain away from that domain’s owner.

    Because I’m not a lawyer, I can’t really speak to Gmail’s potential legal liability, so you may be correct that that is the explanation.

    However, I very much doubt it, because right now anybody using just about any email program, such as Thunderbird or Outlook, can pretend to send an email from any address in the manner you describe, and no one (that I know of) has suggested holding the makers of those programs legally liable.

    Besides, doing what Gmail does now does not make much of a difference in that regard. The sender and return-path information is hidden in most email programs, so that one has to view the email’s header in order to see the Gmail account. For most people who don’t check their email headers, disgruntled former employees will still be able to send emails from their old addresses with the same level of trickery. I’m pretty certain that anybody so un-Internet-savvy as to assume that all emails originate where they say they originate, will also not be savvy enough to check email headers for authenticity.

    In other words, if Gmail does this to prevent people from being fooled by disgruntled former employees (and the like), it will only work for those who are savvy enough not to be fooled in the first place.

    What disgruntled employees cannot do, assuming they haven’t hacked back into their old accounts, is receive email at their old addresses, so that should always be the test for an email’s authenticity.

  13. Hi -

    So, my problem with this is that I want to participate in mailing lists. But, inevitably, any email address you post from (or is in a header) eventually becomes inundated with spam.

    So usually you generate a temporary ID, and forward to some real account. But if your gmail account is in the header, you’re spam bait. This blocks off a significant chunk of my usage from being gmail.

    Putting gmail.com in the headers does not cause a problem, but putting my address does.

  14. Hi Tom,

    The trick described here might help deal with spam to your Gmail account.

  15. I have my corporate email being forwarded to gmail for blackberry use. My problem is that when someone replies to a message I have sent it goes to gmail address. I have my reply to in google settings set up to go to Corporate. My buddy has his account set up the same way and his reply to works…???

    Is this the problem you guys are talking about? Any ideas what is wrong with my settings?

  16. Hello everyone!

    Google is not wrong.
    Look here for a response why:

    Gmail Problems

    You only have to explicitly set the Reply-to address as well as the From address.

    Best Regards.

  17. Just set up my blackberry and guess what, I can define ANY (@company.com) from-address within my blackberry email account (@blackberry.com) and voila, there is absolutely no from or relay info of where the email actually came from (my blackberry).

    If Blackberry does it, why can’t google do it? Doesn’t seem to make sense to me…
