Published on November 02, 2013
Today, someone pointed me at an article in the Belgian newspaper De Standaard in which Karolien Grosemans, a Belgian MP of the New Flemish Alliance (N-VA), claimed the U.S. Army had read one of her emails. In this email she asked an expert for advice on draft legislation on cyber attacks and security, hence the subject field of the email contained the words "cyberaanvallen" (cyber attacks) and "cyber security".
She said the expert showed her evidence that the email, addressed to the expert's Mail.com address, was routed through a U.S. military base in the southeast of Arizona, Fort Huachuca. This so-called "evidence", however, consists solely of a single email header line, as depicted below. According to the expert this header shows the route the message has traveled.
"message opened by mailclient 188.8.131.52 (184.108.40.206)"
When I read this line I didn't immediately think of the two four-part numbers as IP addresses. The expert, however, believes either of the numbers is the IP address of the client that opened the email. He's right that both IP addresses are owned by the U.S. Army, but that's no coincidence as the 220.127.116.11/8 netblock (18.104.22.168 to 22.214.171.124) is allocated to the U.S. Army Information Systems Command (USAISC).
This expert may want to take off his tinfoil hat, because both numbers are, in fact, version numbers of software that runs on the servers of GMX Mail, the company that operates Mail.com. This header is added to every single email that drops into a Mail.com inbox.
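The route a message actually traveled is recorded in its Received trace headers, not in vendor-specific headers that happen to contain dotted numbers. The following added example (not from the original article or from GMX) separates the two for a constructed message; the header name `X-Example-Client`, the version-like numbers and all addresses are assumptions made for illustration.

```python
import re
from email import message_from_string

# Constructed sample message. Addresses come from documentation ranges
# (RFC 5737); "X-Example-Client" is a hypothetical header name and the
# dotted numbers in it are constructed version-style values.
SAMPLE = """\
Received: from mx.recipient.example ([203.0.113.25])
\tby inbox.recipient.example with ESMTP; Sat, 02 Nov 2013 10:00:03 +0100
Received: from out.sender.example ([198.51.100.7])
\tby mx.recipient.example with ESMTP; Sat, 02 Nov 2013 10:00:02 +0100
Received: from [192.0.2.44] by out.sender.example with ESMTPSA;
\tSat, 02 Nov 2013 10:00:01 +0100
X-Example-Client: message opened by mailclient 9.10.11.12 (9.0.1.2)
From: mp@sender.example
To: expert@recipient.example
Subject: draft bill

body
"""

DOTTED_QUAD = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def relay_hops(raw):
    """Return the peer IPs recorded in Received headers, oldest hop first."""
    msg = message_from_string(raw)
    hops = []
    # Each server prepends its Received line, so the last one is the oldest.
    for value in reversed(msg.get_all("Received", [])):
        match = BRACKETED_IP.search(value)
        if match:
            hops.append(match.group(1))
    return hops

def lookalikes(raw):
    """Return (header, token) for dotted quads found outside Received headers.

    These tokens look like IPv4 addresses but say nothing about the route.
    """
    msg = message_from_string(raw)
    found = []
    for name, value in msg.items():
        if name.lower() != "received":
            found += [(name, token) for token in DOTTED_QUAD.findall(value)]
    return found
```

Received lines added before the message reached a server you trust are written by the sending side, so only the hops recorded by your own provider's servers can be relied on.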
It may surprise Ms. Grosemans and her expert, but if the U.S. Army (or one of the three-letter agencies, for that matter) did read your email it's not very likely you would find a note saying they did so. And before (falsely) accusing an organization of breaking into your inbox and reading your emails, you may want to consult a true expert.