Transparent hijacking of SMTP submission...

Sun Nov 30 04:43:37 UTC 2014

On Sat, Nov 29, 2014 at 10:27 PM, joel jaeggli <joelja at bogus.com> wrote:
> On 11/29/14 6:32 PM, Christopher Morrow wrote:
>> On Sat, Nov 29, 2014 at 3:09 PM, John Levine <johnl at iecc.com> wrote:
>>> In article <CAL9jLaY1q_RBkyB6kczKZUiFR5b1r3kuVz8WivWR0Rjj_oaGTg at mail.gmail.com> you write:
>>>> backing up a bit in the conversation, perhaps this is just in some
>>>> regions of comcastlandia? I don't see this in Northern Virginia...
>>>
>>> I don't see it in New Jersey, either.
>>>
>>> Is this a direct connection, or a coffee shop sharing a cable connection or
>>> something like that?
>>
>> my test was a home consumer cable link, not business grade and not
>> shared (more than cable is).
>
> The phenomena I reported was observed on a consumer cable service (not
> my own). it is now no-longer in evidence with that same source ip. In
> answer an intermediate observation, the cpe and the devices on it are
> sufficiently well understood now to rule them out.

ah, phew.

>
> from the mail servers vantage point...
>
> Nov 27 xxxxx nagasaki sm-mta[5698]: NOQUEUE: tcpwrappers
> ((reverse).wa.comcast.net, (ip) ) rejection
>

super odd, and telling.

> given that the client gives up because it can't startssl and therefore
> won't attempt to auth.
>
> whereas a successful attempt with the same source ip is:
>
> Nov 26 xxxxx nagasaki sm-mta[397]: STARTTLS=server,
> relay=c-(reverse).wa.comcast.net [(ip)], version=TLSv1/SSLv3,
> verify=NOT, cipher=DHE-RSA-AES128-SHA, bits=128/128
>

perhaps comcast (technician) was trying to do the 'right thing' here
and mistook 'but someone is operating a mailserver that the trust' vs
'spammer' from the situation with TLS being 'a good thing' and 'please
do not subvert my tls, yo!'

glad to see this returned to expected flows.