Re: Transparent hijacking of SMTP submission...
There’s a big difference between illegal and civil liability for breech of contract. If I am paying someone for access to the internet, then I expect them not to modify, alter, rewrite, or otherwise interfere with my packets. If they do so, they may not have violated 47 USC 230, but they have certainly failed to provide the service that I am paying for. Owen On Nov 29, 2014, at 12:17 PM, John Levine jo...@iecc.com wrote: i think of it as an intentional traffic hijack. i would be talking to a lawyer. If the lawyer says anything other than that 47 USC 230(c)(2)(A) provides broad immunity for ISP content filtering, even if the filters sometimes screw up, you need a new lawyer. Filtering STARTTLS on port 587 is pretty stupid, but not everything that's stupid is illegal. R's, John PS: I know enough technical people at Comcast that I would be extremely surprised if it were Comcast doing this. There's plenty not to like about the corporation, but the technical staff are quite competent.
Re: Transparent hijacking of SMTP submission...
I suspect it isn’t comcast at all. I suspect it is the wifi operator and they happen to use comcast as an upstream. The RDNS points to the public address in front of the wifi. The proxy doing the rewriting is likely behind that. Owen On Nov 29, 2014, at 10:46 AM, Christopher Morrow morrowc.li...@gmail.com wrote: backing up a bit in the conversation, perhaps this is just in some regions of comcastlandia? I don't see this in Northern Virginia... $ openssl s_client -starttls smtp -connect my-mailserver.net:587 CONNECTED(0003) depth=0 description = kVjtrCL8rUdvd00q, C = US, CN = my-mailserver.net, emailAddress = my-emailaddrss.com verify error:num=20:unable to get local issuer certificate verify return:1 depth=0 description = kVjtrCL8rUdvd00q, C = US, CN = my-mailsever.net, emailAddress = my-emailaddress.com verify error:num=27:certificate not trusted verify return:1 depth=0 description = kVjtrCL8rUdvd00q, C = US, CN = my-mailserver.net, emailAddress = my-emailaddress.com verify error:num=21:unable to verify the first certificate verify return:1 ... Certificate chain 0 s:/description=kVjtrCL8rUdvd00q/C=US/CN=my-mailserver.net/emailAddress=y-emailaddress.com i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA ... New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384 Server public key is 2048 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE SSL-Session: Protocol : TLSv1.2 Cipher: ECDHE-RSA-AES256-GCM-SHA384 Session-ID: FC3E47AF2A2A96BF6DE6E11F96B02A0C41A6542864271F2901F09594DE9A48FA Session-ID-ctx: Master-Key: BE7FB76EF5C0A9BA507B175026F73E67080D6442201FDF28F536FA38197A9B1353D644EEAF8D0D264328F94B2EF5742C Key-Arg : None PSK identity: None PSK identity hint: None SRP username: None Start Time: 1417286582 Timeout : 300 (sec) Verify return code: 21 (unable to verify the first certificate) --- 250 DSN ehlo me 250-my-mailserver.net 250-PIPELINING On Sat, Nov 29, 2014 at 12:26 PM, Jean-Francois Mezei jfmezei_na...@vaxination.ca wrote: On 14-11-29 11:07, Sander Steffann wrote: I am so glad that our Dutch net neutrality laws state that providers of Internet access services may not hinder or delay any services or applications on the Internet (unless [...], but those exceptions make sense) However, in the case of SMTP, due to the amount of spam, most ISPs break network neutrality by blocking outbound port 25 for instance, and their SMTP servers will block much incoming emails (spam). However, SMTP is a layer or two above the network. But blocking port 25 is at the network level. I have seen wi-fi systems where you ask to connect to 20.21.22.23 port 25, and you get connected to 50.51.52.53 port 25. (the ISPs own SMTP server). I would rather they just block it than redirect you without warning to an SMTP server of their own where they can look and your outbound email, pretend to acccept it, and never deliver it.
Re: Transparent hijacking of SMTP submission...
There’s a big difference between illegal and civil liability for breech of contract. If I am paying someone for access to the internet, then I expect them not to modify, alter, rewrite, or otherwise interfere with my packets. If they do so, they may not have violated 47 USC 230, but they have certainly failed to provide the service that I am paying for. Uh huh. Please let us know the case number when you sue, so we can find out howthat pans out. By the way, I see you're a customer of Black Lotus. You might want to review sections 7 and 10 of the terms of service to which you've agreed: https://www.blacklotus.net/terms-of-service/ Your v6 traffic appears to arrive via a tunnel at HE. See sections 9 and 10 here, which you've also agreed to: http://www.he.net/tos.html R's, John
Re: Transparent hijacking of SMTP submission...
On 11/29/14, 12:26 PM, Jean-Francois Mezei jfmezei_na...@vaxination.ca wrote: However, in the case of SMTP, due to the amount of spam, most ISPs break network neutrality by blocking outbound port 25 for instance Whatever Net Neutrality may mean this week, it is usually intended to allow for reasonable network management practices, including preventing network abuse. In the case of port blocking, it is permissible provided it is disclosed transparently. - Jason
Re: Transparent hijacking of SMTP submission...
On 11/29/14, 3:17 PM, John Levine jo...@iecc.com wrote: PS: I know enough technical people at Comcast that I would be extremely surprised if it were Comcast doing this. There's plenty not to like about the corporation, but the technical staff are quite competent. Thanks, John! I can tell folks here unequivocally that (1) the recent press article on STARTTLS re-writing did *not* involve Comcast and (2) Comcast does not engage in the claimed practice. In fact, we¹re supporters and early deployers of STARTTLS on our own mail service. I do not know how to explain the issue reported on this list. Absent a packet capture it is impossible for me to analyze this further. If anything, I could only imagine it was a misconfiguration someplace, but I have no idea where or in what network element that¹d even be possible. I¹m happy to work with anyone that has more info to try to troubleshoot this. - Jason Livingood Comcast
Re: Transparent hijacking of SMTP submission...
n Sat, Nov 29, 2014 at 10:27 PM, joel jaeggli joe...@bogus.com wrote: The phenomena I reported was observed on a consumer cable service (not my own). it is now no-longer in evidence with that same source ip. In answer an intermediate observation, the cpe and the devices on it are sufficiently well understood now to rule them out. Hope it's not law enforcement tapping your line. They'd be damn fools to make themselves so easily detectable. -Bill -- William Herrin her...@dirtside.com b...@herrin.us Owner, Dirtside Systems . Web: http://www.dirtside.com/ May I solve your unusual networking challenges?
Re: Transparent hijacking of SMTP submission...
I don't see this in my home market, but I do see it in someone else's... I kind of expect this for port 25 but... J@mb-aye:~$telnet 147.28.0.81 587 Trying 147.28.0.81... Connected to nagasaki.bogus.com. Escape character is '^]'. 220 nagasaki.bogus.com ESMTP Sendmail 8.14.9/8.14.9; Thu, 27 Nov 2014 19:17:44 GMT ehlo bogus.com 250-nagasaki.bogus.com Hello XXX.wa.comcast.net [XXX.XXX.XXX.XXX], pleased to meet you 250 ENHANCEDSTATUSCODES J@mb-aye:~$telnet 2001:418:1::81 587 Trying 2001:418:1::81... Connected to nagasaki.bogus.com. Escape character is '^]'. 220 nagasaki.bogus.com ESMTP Sendmail 8.14.9/8.14.9; Thu, 27 Nov 2014 19:18:33 GMT ehlo bogus.com 250-nagasaki.bogus.com Hello [IPv6:2601:7:2380::::c1ae:7d73], pleased to meet you 250-ENHANCEDSTATUSCODES 250-PIPELINING 250-8BITMIME 250-SIZE 250-DSN 250-AUTH DIGEST-MD5 CRAM-MD5 LOGIN 250-STARTTLS 250-DELIVERBY 250 HELP that's essentially a downgrade attack on my ability to use encryption which seems to be in pretty poor taste frankly. i think of it as an intentional traffic hijack. i would be talking to a lawyer. randy, who plans to test next time he is behind comcast
Re: Transparent hijacking of SMTP submission...
On Thu, Nov 27, 2014 at 9:51 PM, Jay Ashworth j...@baylink.com wrote: - Original Message - From: William Herrin b...@herrin.us I'm not sure I follow your complaint here. Are you saying that Comcast or a Comcast customer in Washington state stripped the STARTTLS verb from the IPv4 port 587 SMTP submission connection between you and a third party? Yup; that's what he's saying. This was in the technical press earlier this week -- or the end of last. Hi Jay, Seems to me that if an ISP is altering the contents of its users' packets (not just blocking them, altering them) then that ISP should be named and shamed, if not worse. Unless the customer contracted for special account type where that was a desired and intended feature, such behavior is inexcusable. If it's a customer of that ISP, on the other hand, then it's just the normal idiocy and paranoia, no different than the retarded behavior by amateur sysadmins that block all ICMP because they don't want to be pinged (see PMTUD and its effects on TCP). Anyway, I was curious which accusation was being leveled. Regards, Bill Herrin -- William Herrin her...@dirtside.com b...@herrin.us Owner, Dirtside Systems . Web: http://www.dirtside.com/ May I solve your unusual networking challenges?
Re: Transparent hijacking of SMTP submission...
Op 29 nov. 2014, om 19:37 heeft Randy Bush ra...@psg.com het volgende geschreven: i think of it as an intentional traffic hijack. i would be talking to a lawyer. randy, who plans to test next time he is behind comcast I am so glad that our Dutch net neutrality laws state that providers of Internet access services may not hinder or delay any services or applications on the Internet (unless [...], but those exceptions make sense) Cheers, Sander
Re: Transparent hijacking of SMTP submission...
On 14-11-29 11:07, Sander Steffann wrote: I am so glad that our Dutch net neutrality laws state that providers of Internet access services may not hinder or delay any services or applications on the Internet (unless [...], but those exceptions make sense) However, in the case of SMTP, due to the amount of spam, most ISPs break network neutrality by blocking outbound port 25 for instance, and their SMTP servers will block much incoming emails (spam). However, SMTP is a layer or two above the network. But blocking port 25 is at the network level. I have seen wi-fi systems where you ask to connect to 20.21.22.23 port 25, and you get connected to 50.51.52.53 port 25. (the ISPs own SMTP server). I would rather they just block it than redirect you without warning to an SMTP server of their own where they can look and your outbound email, pretend to acccept it, and never deliver it.
Re: Transparent hijacking of SMTP submission...
backing up a bit in the conversation, perhaps this is just in some regions of comcastlandia? I don't see this in Northern Virginia... $ openssl s_client -starttls smtp -connect my-mailserver.net:587 CONNECTED(0003) depth=0 description = kVjtrCL8rUdvd00q, C = US, CN = my-mailserver.net, emailAddress = my-emailaddrss.com verify error:num=20:unable to get local issuer certificate verify return:1 depth=0 description = kVjtrCL8rUdvd00q, C = US, CN = my-mailsever.net, emailAddress = my-emailaddress.com verify error:num=27:certificate not trusted verify return:1 depth=0 description = kVjtrCL8rUdvd00q, C = US, CN = my-mailserver.net, emailAddress = my-emailaddress.com verify error:num=21:unable to verify the first certificate verify return:1 ... Certificate chain 0 s:/description=kVjtrCL8rUdvd00q/C=US/CN=my-mailserver.net/emailAddress=y-emailaddress.com i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA ... New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384 Server public key is 2048 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE SSL-Session: Protocol : TLSv1.2 Cipher: ECDHE-RSA-AES256-GCM-SHA384 Session-ID: FC3E47AF2A2A96BF6DE6E11F96B02A0C41A6542864271F2901F09594DE9A48FA Session-ID-ctx: Master-Key: BE7FB76EF5C0A9BA507B175026F73E67080D6442201FDF28F536FA38197A9B1353D644EEAF8D0D264328F94B2EF5742C Key-Arg : None PSK identity: None PSK identity hint: None SRP username: None Start Time: 1417286582 Timeout : 300 (sec) Verify return code: 21 (unable to verify the first certificate) --- 250 DSN ehlo me 250-my-mailserver.net 250-PIPELINING On Sat, Nov 29, 2014 at 12:26 PM, Jean-Francois Mezei jfmezei_na...@vaxination.ca wrote: On 14-11-29 11:07, Sander Steffann wrote: I am so glad that our Dutch net neutrality laws state that providers of Internet access services may not hinder or delay any services or applications on the Internet (unless [...], but those exceptions make sense) However, in the case of SMTP, due to the amount of spam, most ISPs break network neutrality by blocking outbound port 25 for instance, and their SMTP servers will block much incoming emails (spam). However, SMTP is a layer or two above the network. But blocking port 25 is at the network level. I have seen wi-fi systems where you ask to connect to 20.21.22.23 port 25, and you get connected to 50.51.52.53 port 25. (the ISPs own SMTP server). I would rather they just block it than redirect you without warning to an SMTP server of their own where they can look and your outbound email, pretend to acccept it, and never deliver it.
Re: Transparent hijacking of SMTP submission...
In article cal9jlay1q_rbkyb6kczkzuifr5b1r3kuvz8wivwr0rjj_oa...@mail.gmail.com you write: backing up a bit in the conversation, perhaps this is just in some regions of comcastlandia? I don't see this in Northern Virginia... I don't see it in New Jersey, either. Is this a direct connection, or a coffee shop sharing a cable connection or something like that?
Re: Transparent hijacking of SMTP submission...
i think of it as an intentional traffic hijack. i would be talking to a lawyer. If the lawyer says anything other than that 47 USC 230(c)(2)(A) provides broad immunity for ISP content filtering, even if the filters sometimes screw up, you need a new lawyer. Filtering STARTTLS on port 587 is pretty stupid, but not everything that's stupid is illegal. R's, John PS: I know enough technical people at Comcast that I would be extremely surprised if it were Comcast doing this. There's plenty not to like about the corporation, but the technical staff are quite competent.
Re: Transparent hijacking of SMTP submission...
On 11/29/2014 14:09, John Levine wrote: In article cal9jlay1q_rbkyb6kczkzuifr5b1r3kuvz8wivwr0rjj_oa...@mail.gmail.com you write: backing up a bit in the conversation, perhaps this is just in some regions of comcastlandia? I don't see this in Northern Virginia... I don't see it in New Jersey, either. Is this a direct connection, or a coffee shop sharing a cable connection or something like that? I am a little confused but have note yet had time and interest at the same time to back through the thread I thought when it started that the complaint was somebody using a public wiffy had been victimized by something I read about recently (and thought it was here that I had red it) where somebody sets up a fraudulent server on the wiffy that advertises a false-flag email server that strips out the security stuff and then sends the traffic to an accomplice-site that eventually gets the stripped traffic to its original destination. -- The unique Characteristics of System Administrators: The fact that they are infallible; and, The fact that they learn from their mistakes. Quis custodiet ipsos custodes
Re: Transparent hijacking of SMTP submission...
The STARTTLS filter was merely a tool used to divert and tap the traffic. It is the latter which is over the line. randy, on a teensy non-computer On Nov 29, 2014, at 15:17, John Levine jo...@iecc.com wrote: i think of it as an intentional traffic hijack. i would be talking to a lawyer. If the lawyer says anything other than that 47 USC 230(c)(2)(A) provides broad immunity for ISP content filtering, even if the filters sometimes screw up, you need a new lawyer. Filtering STARTTLS on port 587 is pretty stupid, but not everything that's stupid is illegal. R's, John PS: I know enough technical people at Comcast that I would be extremely surprised if it were Comcast doing this. There's plenty not to like about the corporation, but the technical staff are quite competent.
Re: Transparent hijacking of SMTP submission...
On Thu, 27 Nov 2014, joel jaeggli wrote: I don't see this in my home market, but I do see it in someone else's... I kind of expect this for port 25 but... J@mb-aye:~$telnet 147.28.0.81 587 Trying 147.28.0.81... Connected to nagasaki.bogus.com. Escape character is '^]'. 220 nagasaki.bogus.com ESMTP Sendmail 8.14.9/8.14.9; Thu, 27 Nov 2014 19:17:44 GMT ehlo bogus.com 250-nagasaki.bogus.com Hello XXX.wa.comcast.net [XXX.XXX.XXX.XXX], pleased to meet you 250 ENHANCEDSTATUSCODES Seen some anti-virus software (on Windows) doing this. You might not be running Windows though. Some home router with some security improvement ? //Marcin
Re: Transparent hijacking of SMTP submission...
On Sat, Nov 29, 2014 at 3:09 PM, John Levine jo...@iecc.com wrote: In article cal9jlay1q_rbkyb6kczkzuifr5b1r3kuvz8wivwr0rjj_oa...@mail.gmail.com you write: backing up a bit in the conversation, perhaps this is just in some regions of comcastlandia? I don't see this in Northern Virginia... I don't see it in New Jersey, either. Is this a direct connection, or a coffee shop sharing a cable connection or something like that? my test was a home consumer cable link, not business grade and not shared (more than cable is).
Re: Transparent hijacking of SMTP submission...
On 11/29/14 6:32 PM, Christopher Morrow wrote: On Sat, Nov 29, 2014 at 3:09 PM, John Levine jo...@iecc.com wrote: In article cal9jlay1q_rbkyb6kczkzuifr5b1r3kuvz8wivwr0rjj_oa...@mail.gmail.com you write: backing up a bit in the conversation, perhaps this is just in some regions of comcastlandia? I don't see this in Northern Virginia... I don't see it in New Jersey, either. Is this a direct connection, or a coffee shop sharing a cable connection or something like that? my test was a home consumer cable link, not business grade and not shared (more than cable is). The phenomena I reported was observed on a consumer cable service (not my own). it is now no-longer in evidence with that same source ip. In answer an intermediate observation, the cpe and the devices on it are sufficiently well understood now to rule them out. from the mail servers vantage point... Nov 27 x nagasaki sm-mta[5698]: NOQUEUE: tcpwrappers ((reverse).wa.comcast.net, (ip) ) rejection given that the client gives up because it can't startssl and therefore won't attempt to auth. whereas a successful attempt with the same source ip is: Nov 26 x nagasaki sm-mta[397]: STARTTLS=server, relay=c-(reverse).wa.comcast.net [(ip)], version=TLSv1/SSLv3, verify=NOT, cipher=DHE-RSA-AES128-SHA, bits=128/128 signature.asc Description: OpenPGP digital signature
Re: Transparent hijacking of SMTP submission...
On Sat, Nov 29, 2014 at 10:27 PM, joel jaeggli joe...@bogus.com wrote: On 11/29/14 6:32 PM, Christopher Morrow wrote: On Sat, Nov 29, 2014 at 3:09 PM, John Levine jo...@iecc.com wrote: In article cal9jlay1q_rbkyb6kczkzuifr5b1r3kuvz8wivwr0rjj_oa...@mail.gmail.com you write: backing up a bit in the conversation, perhaps this is just in some regions of comcastlandia? I don't see this in Northern Virginia... I don't see it in New Jersey, either. Is this a direct connection, or a coffee shop sharing a cable connection or something like that? my test was a home consumer cable link, not business grade and not shared (more than cable is). The phenomena I reported was observed on a consumer cable service (not my own). it is now no-longer in evidence with that same source ip. In answer an intermediate observation, the cpe and the devices on it are sufficiently well understood now to rule them out. ah, phew. from the mail servers vantage point... Nov 27 x nagasaki sm-mta[5698]: NOQUEUE: tcpwrappers ((reverse).wa.comcast.net, (ip) ) rejection super odd, and telling. given that the client gives up because it can't startssl and therefore won't attempt to auth. whereas a successful attempt with the same source ip is: Nov 26 x nagasaki sm-mta[397]: STARTTLS=server, relay=c-(reverse).wa.comcast.net [(ip)], version=TLSv1/SSLv3, verify=NOT, cipher=DHE-RSA-AES128-SHA, bits=128/128 perhaps comcast (technician) was trying to do the 'right thing' here and mistook 'but someone is operating a mailserver that the trust' vs 'spammer' from the situation with TLS being 'a good thing' and 'please do not subvert my tls, yo!' glad to see this returned to expected flows.
Re: Transparent hijacking of SMTP submission...
Which is why your MTA should always be setup to require the use of STARTTLS. Additionally the CERT presented should also match the name of the server. There is absolutely no reason for a ISP / hotspot to inspect submission traffic. The stopping spam argument doesn't wash with submission. Mark In message 54778167.7080...@bogus.com, joel jaeggli writes: I don't see this in my home market, but I do see it in someone else's... I kind of expect this for port 25 but... J@mb-aye:~$telnet 147.28.0.81 587 Trying 147.28.0.81... Connected to nagasaki.bogus.com. Escape character is '^]'. 220 nagasaki.bogus.com ESMTP Sendmail 8.14.9/8.14.9; Thu, 27 Nov 2014 19:17:44 GMT ehlo bogus.com 250-nagasaki.bogus.com Hello XXX.wa.comcast.net [XXX.XXX.XXX.XXX], pleased to meet you 250 ENHANCEDSTATUSCODES J@mb-aye:~$telnet 2001:418:1::81 587 Trying 2001:418:1::81... Connected to nagasaki.bogus.com. Escape character is '^]'. 220 nagasaki.bogus.com ESMTP Sendmail 8.14.9/8.14.9; Thu, 27 Nov 2014 19:18:33 GMT ehlo bogus.com 250-nagasaki.bogus.com Hello [IPv6:2601:7:2380::::c1ae:7d73], pleased to meet you 250-ENHANCEDSTATUSCODES 250-PIPELINING 250-8BITMIME 250-SIZE 250-DSN 250-AUTH DIGEST-MD5 CRAM-MD5 LOGIN 250-STARTTLS 250-DELIVERBY 250 HELP that's essentially a downgrade attack on my ability to use encryption which seems to be in pretty poor taste frankly. -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
Re: Transparent hijacking of SMTP submission...
Yes. Till that hotspots IP space gets blackholed by a major freemail because of all the nigerians and hijacked devices emitting bot traffic through stolen auth credentials. There's other ways to stop this but they take actual hard work and rather more gear than a rusted up old asa you pull out of your closet as like as not. On Nov 28, 2014 2:10 AM, Mark Andrews ma...@isc.org wrote: Which is why your MTA should always be setup to require the use of STARTTLS. Additionally the CERT presented should also match the name of the server. There is absolutely no reason for a ISP / hotspot to inspect submission traffic. The stopping spam argument doesn't wash with submission. Mark In message 54778167.7080...@bogus.com, joel jaeggli writes: I don't see this in my home market, but I do see it in someone else's... I kind of expect this for port 25 but... J@mb-aye:~$telnet 147.28.0.81 587 Trying 147.28.0.81... Connected to nagasaki.bogus.com. Escape character is '^]'. 220 nagasaki.bogus.com ESMTP Sendmail 8.14.9/8.14.9; Thu, 27 Nov 2014 19:17:44 GMT ehlo bogus.com 250-nagasaki.bogus.com Hello XXX.wa.comcast.net [XXX.XXX.XXX.XXX], pleased to meet you 250 ENHANCEDSTATUSCODES J@mb-aye:~$telnet 2001:418:1::81 587 Trying 2001:418:1::81... Connected to nagasaki.bogus.com. Escape character is '^]'. 220 nagasaki.bogus.com ESMTP Sendmail 8.14.9/8.14.9; Thu, 27 Nov 2014 19:18:33 GMT ehlo bogus.com 250-nagasaki.bogus.com Hello [IPv6:2601:7:2380::::c1ae:7d73], pleased to meet you 250-ENHANCEDSTATUSCODES 250-PIPELINING 250-8BITMIME 250-SIZE 250-DSN 250-AUTH DIGEST-MD5 CRAM-MD5 LOGIN 250-STARTTLS 250-DELIVERBY 250 HELP that's essentially a downgrade attack on my ability to use encryption which seems to be in pretty poor taste frankly. -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
Re: Transparent hijacking of SMTP submission...
In message CAArzuouvhnHo7BbAWUwiR3=m0x2O6Qe=2qlcvb29i07oax-...@mail.gmail.com , Suresh Ramasubramanian writes: Yes. Till that hotspots IP space gets blackholed by a major freemail because of all the nigerians and hijacked devices emitting bot traffic through stolen auth credentials. Why would it black hole the address rather than the block the compromised credentials? The whole point of submission is to authenticate the submitter and to be able to trace spam back to the submitter and deal with the issue at that level of granuality. Blocking at that level also stop the credentials being used from anywhere. scalpel vs chainsaw. Just because you provide free email doesn't give you the right to not do the service properly. You encouraged people to use your service. You should resource it to deal with the resulting load and that includes dealing with spam and scans being sent with stolen credentials. As a free email provider you have the plain text. Mark There's other ways to stop this but they take actual hard work and rather more gear than a rusted up old asa you pull out of your closet as like as not. On Nov 28, 2014 2:10 AM, Mark Andrews ma...@isc.org wrote: Which is why your MTA should always be setup to require the use of STARTTLS. Additionally the CERT presented should also match the name of the server. There is absolutely no reason for a ISP / hotspot to inspect submission traffic. The stopping spam argument doesn't wash with submission. Mark In message 54778167.7080...@bogus.com, joel jaeggli writes: I don't see this in my home market, but I do see it in someone else's... I kind of expect this for port 25 but... J@mb-aye:~$telnet 147.28.0.81 587 Trying 147.28.0.81... Connected to nagasaki.bogus.com. Escape character is '^]'. 220 nagasaki.bogus.com ESMTP Sendmail 8.14.9/8.14.9; Thu, 27 Nov 2014 19:17:44 GMT ehlo bogus.com 250-nagasaki.bogus.com Hello XXX.wa.comcast.net [XXX.XXX.XXX.XXX], pleased to meet you 250 ENHANCEDSTATUSCODES J@mb-aye:~$telnet 2001:418:1::81 587 Trying 2001:418:1::81... Connected to nagasaki.bogus.com. Escape character is '^]'. 220 nagasaki.bogus.com ESMTP Sendmail 8.14.9/8.14.9; Thu, 27 Nov 2014 19:18:33 GMT ehlo bogus.com 250-nagasaki.bogus.com Hello [IPv6:2601:7:2380::::c1ae:7d73], pleased to meet you 250-ENHANCEDSTATUSCODES 250-PIPELINING 250-8BITMIME 250-SIZE 250-DSN 250-AUTH DIGEST-MD5 CRAM-MD5 LOGIN 250-STARTTLS 250-DELIVERBY 250 HELP that's essentially a downgrade attack on my ability to use encryption which seems to be in pretty poor taste frankly. -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org --bcaec517c6c01f783d0508e015a5 Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: quoted-printable p dir=3DltrYes. Till that hotspots IP space gets blackholed by a major = freemail because of all the nigerians and hijacked devices emitting bot tra= ffic through stolen auth credentials. /p p dir=3DltrThere#39;s other ways to stop this but they take actual har= d work and rather more gear than a rusted up old asa you pull out of your c= loset as like as not. br /p div class=3Dgmail_quoteOn Nov 28, 2014 2:10 AM, quot;Mark Andrewsquot= ; lt;a href=3Dmailto:ma...@isc.org;ma...@isc.org/agt; wrote:br type= =3Dattributionblockquote class=3Dgmail_quote style=3Dmargin:0 0 0 .8= ex;border-left:1px #ccc solid;padding-left:1exbr Which is why your MTA should always be setup to require the use ofbr STARTTLS.=C2=A0 Additionally the CERT presented should also match thebr name of the server.br br There is absolutely no reason for a ISP / hotspot to inspectbr submission traffic.=C2=A0 The quot;stopping spamquot; argument doesn#39;= t wash withbr submission.br br Markbr br In message lt;a href=3Dmailto:54778167.7080...@bogus.com;54778167.70808= 0...@bogus.com/agt;, joel jaeggli writes:br gt;br gt; I don#39;t see this in my home market, but I do see it in someone els= e#39;s...br gt; I kind of expect this for port 25 but...br gt;br gt; J@mb-aye:~$telnet 147.28.0.81 587br gt; Trying 147.28.0.81...br gt; Connected to a href=3Dhttp://nagasaki.bogus.com; target=3D_blankn= agasaki.bogus.com/a.br gt; Escape character is #39;^]#39;.br gt; 220 a href=3Dhttp://nagasaki.bogus.com; target=3D_blanknagasaki.b= ogus.com/a ESMTP Sendmail 8.14.9/8.14.9; Thu, 27 Nov 2014br gt; 19:17:44 GMTbr gt; ehlo a href=3Dhttp://bogus.com; target=3D_blankbogus.com/abr gt; a href=3Dhttp://250-nagasaki.bogus.com; target=3D_blank250-nagasa= ki.bogus.com/a Hello a href=3Dhttp://XXX.wa.comcast.net; ta= rget=3D_blankXXX.wa.comcast.net/abr gt; [XXX.XXX.XXX.XXX], pleased to meet youbr gt; 250 ENHANCEDSTATUSCODESbr gt;br gt; J@mb-aye:~$telnet 2001:418:1::81 587br gt; Trying
Re: Transparent hijacking of SMTP submission...
On Thu, Nov 27, 2014 at 2:54 PM, joel jaeggli joe...@bogus.com wrote: I don't see this in my home market, but I do see it in someone else's... I kind of expect this for port 25 but... J@mb-aye:~$telnet 147.28.0.81 587 Trying 147.28.0.81... Connected to nagasaki.bogus.com. Escape character is '^]'. 220 nagasaki.bogus.com ESMTP Sendmail 8.14.9/8.14.9; Thu, 27 Nov 2014 19:17:44 GMT ehlo bogus.com 250-nagasaki.bogus.com Hello XXX.wa.comcast.net [XXX.XXX.XXX.XXX], pleased to meet you 250 ENHANCEDSTATUSCODES J@mb-aye:~$telnet 2001:418:1::81 587 Trying 2001:418:1::81... Connected to nagasaki.bogus.com. Escape character is '^]'. 220 nagasaki.bogus.com ESMTP Sendmail 8.14.9/8.14.9; Thu, 27 Nov 2014 19:18:33 GMT ehlo bogus.com 250-nagasaki.bogus.com Hello [IPv6:2601:7:2380::::c1ae:7d73], pleased to meet you 250-ENHANCEDSTATUSCODES 250-PIPELINING 250-8BITMIME 250-SIZE 250-DSN 250-AUTH DIGEST-MD5 CRAM-MD5 LOGIN 250-STARTTLS 250-DELIVERBY 250 HELP that's essentially a downgrade attack on my ability to use encryption which seems to be in pretty poor taste frankly. Hi Joel, I'm not sure I follow your complaint here. Are you saying that Comcast or a Comcast customer in Washington state stripped the STARTTLS verb from the IPv4 port 587 SMTP submission connection between you and a third party? Thanks, Bill Herrin -- William Herrin her...@dirtside.com b...@herrin.us Owner, Dirtside Systems . Web: http://www.dirtside.com/ May I solve your unusual networking challenges?
Re: Transparent hijacking of SMTP submission...
No. He is a comcast customer. And some third party wifi access point blocked his smtp submission over TLS by setting up an asa device to inspect 587 as well. On Nov 28, 2014 6:16 AM, William Herrin b...@herrin.us wrote: On Thu, Nov 27, 2014 at 2:54 PM, joel jaeggli joe...@bogus.com wrote: I don't see this in my home market, but I do see it in someone else's... I kind of expect this for port 25 but... J@mb-aye:~$telnet 147.28.0.81 587 Trying 147.28.0.81... Connected to nagasaki.bogus.com. Escape character is '^]'. 220 nagasaki.bogus.com ESMTP Sendmail 8.14.9/8.14.9; Thu, 27 Nov 2014 19:17:44 GMT ehlo bogus.com 250-nagasaki.bogus.com Hello XXX.wa.comcast.net [XXX.XXX.XXX.XXX], pleased to meet you 250 ENHANCEDSTATUSCODES J@mb-aye:~$telnet 2001:418:1::81 587 Trying 2001:418:1::81... Connected to nagasaki.bogus.com. Escape character is '^]'. 220 nagasaki.bogus.com ESMTP Sendmail 8.14.9/8.14.9; Thu, 27 Nov 2014 19:18:33 GMT ehlo bogus.com 250-nagasaki.bogus.com Hello [IPv6:2601:7:2380::::c1ae:7d73], pleased to meet you 250-ENHANCEDSTATUSCODES 250-PIPELINING 250-8BITMIME 250-SIZE 250-DSN 250-AUTH DIGEST-MD5 CRAM-MD5 LOGIN 250-STARTTLS 250-DELIVERBY 250 HELP that's essentially a downgrade attack on my ability to use encryption which seems to be in pretty poor taste frankly. Hi Joel, I'm not sure I follow your complaint here. Are you saying that Comcast or a Comcast customer in Washington state stripped the STARTTLS verb from the IPv4 port 587 SMTP submission connection between you and a third party? Thanks, Bill Herrin -- William Herrin her...@dirtside.com b...@herrin.us Owner, Dirtside Systems . Web: http://www.dirtside.com/ May I solve your unusual networking challenges?
Re: Transparent hijacking of SMTP submission...
Oh it depends on the numbers. Just how many legitimate smtp submission attempts do you get from say an access point at Joes diner in nowhere, OH? Versus just how many password cracking and malware relay attempts across how many of your users, from an unpatched xp box the guy is using for a billing app? At the scale of the problem a provider with any kind of userbase faces, you need a chainsaw, not a scalpel, given that you're out to cut a tree rather than perform plastic surgery. On Nov 28, 2014 6:08 AM, Mark Andrews ma...@isc.org wrote: In message CAArzuouvhnHo7BbAWUwiR3=m0x2O6Qe= 2qlcvb29i07oax-...@mail.gmail.com , Suresh Ramasubramanian writes: Yes. Till that hotspots IP space gets blackholed by a major freemail because of all the nigerians and hijacked devices emitting bot traffic through stolen auth credentials. Why would it black hole the address rather than the block the compromised credentials? The whole point of submission is to authenticate the submitter and to be able to trace spam back to the submitter and deal with the issue at that level of granuality. Blocking at that level also stop the credentials being used from anywhere. scalpel vs chainsaw. Just because you provide free email doesn't give you the right to not do the service properly. You encouraged people to use your service. You should resource it to deal with the resulting load and that includes dealing with spam and scans being sent with stolen credentials. As a free email provider you have the plain text. Mark There's other ways to stop this but they take actual hard work and rather more gear than a rusted up old asa you pull out of your closet as like as not. On Nov 28, 2014 2:10 AM, Mark Andrews ma...@isc.org wrote: Which is why your MTA should always be setup to require the use of STARTTLS. Additionally the CERT presented should also match the name of the server. There is absolutely no reason for a ISP / hotspot to inspect submission traffic. The stopping spam argument doesn't wash with submission. Mark In message 54778167.7080...@bogus.com, joel jaeggli writes: I don't see this in my home market, but I do see it in someone else's... I kind of expect this for port 25 but... J@mb-aye:~$telnet 147.28.0.81 587 Trying 147.28.0.81... Connected to nagasaki.bogus.com. Escape character is '^]'. 220 nagasaki.bogus.com ESMTP Sendmail 8.14.9/8.14.9; Thu, 27 Nov 2014 19:17:44 GMT ehlo bogus.com 250-nagasaki.bogus.com Hello XXX.wa.comcast.net [XXX.XXX.XXX.XXX], pleased to meet you 250 ENHANCEDSTATUSCODES J@mb-aye:~$telnet 2001:418:1::81 587 Trying 2001:418:1::81... Connected to nagasaki.bogus.com. Escape character is '^]'. 220 nagasaki.bogus.com ESMTP Sendmail 8.14.9/8.14.9; Thu, 27 Nov 2014 19:18:33 GMT ehlo bogus.com 250-nagasaki.bogus.com Hello [IPv6:2601:7:2380::::c1ae:7d73], pleased to meet you 250-ENHANCEDSTATUSCODES 250-PIPELINING 250-8BITMIME 250-SIZE 250-DSN 250-AUTH DIGEST-MD5 CRAM-MD5 LOGIN 250-STARTTLS 250-DELIVERBY 250 HELP that's essentially a downgrade attack on my ability to use encryption which seems to be in pretty poor taste frankly. -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org --bcaec517c6c01f783d0508e015a5 Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: quoted-printable p dir=3DltrYes. Till that hotspots IP space gets blackholed by a major = freemail because of all the nigerians and hijacked devices emitting bot tra= ffic through stolen auth credentials. /p p dir=3DltrThere#39;s other ways to stop this but they take actual har= d work and rather more gear than a rusted up old asa you pull out of your c= loset as like as not. br /p div class=3Dgmail_quoteOn Nov 28, 2014 2:10 AM, quot;Mark Andrewsquot= ; lt;a href=3Dmailto:ma...@isc.org;ma...@isc.org/agt; wrote:br type= =3Dattributionblockquote class=3Dgmail_quote style=3Dmargin:0 0 0 .8= ex;border-left:1px #ccc solid;padding-left:1exbr Which is why your MTA should always be setup to require the use ofbr STARTTLS.=C2=A0 Additionally the CERT presented should also match thebr name of the server.br br There is absolutely no reason for a ISP / hotspot to inspectbr submission traffic.=C2=A0 The quot;stopping spamquot; argument doesn#39;= t wash withbr submission.br br Markbr br In message lt;a href=3Dmailto:54778167.7080...@bogus.com 54778167.70808= 0...@bogus.com/agt;, joel jaeggli writes:br gt;br gt; I don#39;t see this in my home market, but I do see it in someone els= e#39;s...br gt; I kind of expect this for port 25 but...br gt;br gt; J@mb-aye:~$telnet 147.28.0.81 587br gt; Trying 147.28.0.81...br gt; Connected to
Re: Transparent hijacking of SMTP submission...
- Original Message - From: William Herrin b...@herrin.us that's essentially a downgrade attack on my ability to use encryption which seems to be in pretty poor taste frankly. I'm not sure I follow your complaint here. Are you saying that Comcast or a Comcast customer in Washington state stripped the STARTTLS verb from the IPv4 port 587 SMTP submission connection between you and a third party? Yup; that's what he's saying. This was in the technical press earlier this week -- or the end of last. Cheers, -- jra -- Jay R. Ashworth Baylink j...@baylink.com Designer The Things I Think RFC 2100 Ashworth Associates http://www.bcp38.info 2000 Land Rover DII St Petersburg FL USA BCP38: Ask For It By Name! +1 727 647 1274
Re: Transparent hijacking of SMTP submission...
- Original Message - From: William Herrin b...@herrin.us I'm not sure I follow your complaint here. Are you saying that Comcast or a Comcast customer in Washington state stripped the STARTTLS verb from the IPv4 port 587 SMTP submission connection between you and a third party? And, of course, *just* as I hit send, I remembered it was in RISKS, linking to EFF: https://www.eff.org/deeplinks/2014/11/starttls-downgrade-attacks Note that's dated 11 November, so this is a couple weeks old now. Cheers, -- jra -- Jay R. Ashworth Baylink j...@baylink.com Designer The Things I Think RFC 2100 Ashworth Associates http://www.bcp38.info 2000 Land Rover DII St Petersburg FL USA BCP38: Ask For It By Name! +1 727 647 1274