Transparent hijacking of SMTP submission...

Owen DeLong owen at delong.com
Wed Dec 3 17:48:08 UTC 2014


I suspect it isn’t comcast at all.

I suspect it is the wifi operator and they happen to use comcast as an upstream. The RDNS points to the public address in front of the wifi. The proxy doing the rewriting is likely behind that.

Owen

> On Nov 29, 2014, at 10:46 AM, Christopher Morrow <morrowc.lists at gmail.com> wrote:
> 
> backing up a bit in the conversation, perhaps this is just in some
> regions of comcastlandia? I don't see this in Northern Virginia...
> 
> $ openssl s_client -starttls smtp  -connect my-mailserver.net:587
> CONNECTED(00000003)
> depth=0 description = kVjtrCL8rUdvd00q, C = US, CN =
> my-mailserver.net, emailAddress = my-emailaddrss.com
> verify error:num=20:unable to get local issuer certificate
> verify return:1
> depth=0 description = kVjtrCL8rUdvd00q, C = US, CN = my-mailsever.net,
> emailAddress = my-emailaddress.com
> verify error:num=27:certificate not trusted
> verify return:1
> depth=0 description = kVjtrCL8rUdvd00q, C = US, CN =
> my-mailserver.net, emailAddress = my-emailaddress.com
> verify error:num=21:unable to verify the first certificate
> verify return:1
> 
> ...
> 
> Certificate chain
> 0 s:/description=kVjtrCL8rUdvd00q/C=US/CN=my-mailserver.net/emailAddress=y-emailaddress.com
>   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate
> Signing/CN=StartCom Class 1 Primary Intermediate Server CA
> 
> ...
> 
> New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
> Server public key is 2048 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> SSL-Session:
>    Protocol  : TLSv1.2
>    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
>    Session-ID: FC3E47AF2A2A96BF6DE6E11F96B02A0C41A6542864271F2901F09594DE9A48FA
>    Session-ID-ctx:
>    Master-Key:
> BE7FB76EF5C0A9BA507B175026F73E67080D6442201FDF28F536FA38197A9B1353D644EEAF8D0D264328F94B2EF5742C
>    Key-Arg   : None
>    PSK identity: None
>    PSK identity hint: None
>    SRP username: None
>    Start Time: 1417286582
>    Timeout   : 300 (sec)
>    Verify return code: 21 (unable to verify the first certificate)
> ---
> 250 DSN
> ehlo me
> 250-my-mailserver.net
> 250-PIPELINING
> 
> 
> On Sat, Nov 29, 2014 at 12:26 PM, Jean-Francois Mezei
> <jfmezei_nanog at vaxination.ca> wrote:
>> On 14-11-29 11:07, Sander Steffann wrote:
>> 
>>> I am so glad that our Dutch net neutrality laws state that "providers of Internet access services may not hinder or delay any services or applications on the Internet" (unless [...], but those exceptions make sense)
>> 
>> 
> >> However, in the case of SMTP, due to the amount of spam, most ISPs break
> >> "network neutrality" by blocking outbound port 25 for instance, and
> >> their SMTP servers will block much incoming email (spam).  However,
> >> SMTP is a layer or two above the network. But blocking port 25 is at the
> >> network level.
> >> 
> >> I have seen wi-fi systems where you ask to connect to 20.21.22.23 port
> >> 25, and you get connected to 50.51.52.53 port 25. (the ISPs own SMTP
> >> server).  I would rather they just block it than redirect you without
> >> warning to an SMTP server of their own where they can look at your
> >> outbound email, pretend to accept it, and never deliver it.
>> 
>> 
>> 