>What do people today think of the SMTP RFC's current requirement that >mail programs and servers must not under any circumstances change or >delete Received: headers? Is exposing sender IP addresses to any >attacker who can view e-mail headers, for the purposes of preserving >trace information, really worth it when weighed against considerations >like security and privacy? The headers are useful for debugging, particularly for things like forwarding loops. Particularly on public webmail systems, it lets you see where spam is coming from, and offers the possibility of alerting the originating operator if you think they'll care. Gmail is notable in redacting this from some (not all) of their outgoing mail. What sorts of attacks do you think are enabled by allowing mail recipients to see the headers?