Transparent hijacking of SMTP submission...

Mark Andrews marka at isc.org
Thu Nov 27 20:38:38 UTC 2014


Which is why your MTA should always be setup to require the use of
STARTTLS.  Additionally the CERT presented should also match the
name of the server.

There is absolutely no reason for a ISP / hotspot to inspect
submission traffic.  The "stopping spam" argument doesn't wash with
submission.

Mark

In message <54778167.7080808 at bogus.com>, joel jaeggli writes:
> 
> I don't see this in my home market, but I do see it in someone else's...
> I kind of expect this for port 25 but...
> 
> J at mb-aye:~$telnet 147.28.0.81 587
> Trying 147.28.0.81...
> Connected to nagasaki.bogus.com.
> Escape character is '^]'.
> 220 nagasaki.bogus.com ESMTP Sendmail 8.14.9/8.14.9; Thu, 27 Nov 2014
> 19:17:44 GMT
> ehlo bogus.com
> 250-nagasaki.bogus.com Hello XXXXXXXXXXXXXXX.wa.comcast.net
> [XXX.XXX.XXX.XXX], pleased to meet you
> 250 ENHANCEDSTATUSCODES
> 
> J at mb-aye:~$telnet 2001:418:1::81 587
> Trying 2001:418:1::81...
> Connected to nagasaki.bogus.com.
> Escape character is '^]'.
> 220 nagasaki.bogus.com ESMTP Sendmail 8.14.9/8.14.9; Thu, 27 Nov 2014
> 19:18:33 GMT
> ehlo bogus.com
> 250-nagasaki.bogus.com Hello
> [IPv6:2601:7:2380:XXXX:XXXX:XXXX:c1ae:7d73], pleased to meet you
> 250-ENHANCEDSTATUSCODES
> 250-PIPELINING
> 250-8BITMIME
> 250-SIZE
> 250-DSN
> 250-AUTH DIGEST-MD5 CRAM-MD5 LOGIN
> 250-STARTTLS
> 250-DELIVERBY
> 250 HELP
> 
> that's essentially a downgrade attack on my ability to use encryption
> which seems to be in pretty poor taste frankly.
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org


More information about the NANOG mailing list