Warning: Heficed Intercepts SMTP Connections to Spy on your Mail!
Heficed (at least in their Frankfurt location) intercepts SMTP connections and removes the STARTTLS option in order to spy on outbound email. This is trivially visible with openssl s_client, for example:
# openssl s_client -4 -starttls smtp -connect smtp.gmail.com:25
CONNECTED(00000003)
Didn't find STARTTLS in server response, trying anyway...
Comments
Edit: got confused with another provider
Are you sure? Port 25 normally isn't for STARTTLS. So, try this again with port 587 and share the results. I think you are incorrectly blaming someone. So, for now I call BS.
Note that I don't even know who/what Heficed is.
That line typically means the "250-STARTTLS" line wasn't found as part of the EHLO's response.
Your post probably won't generate much interest (or outrage) here because probably few if any of us use Heficed. (I had never heard of them until now.)
Is this on a VPS that you rent from them?
Have you opened a ticket asking about this?
When I try the OP's line, I get Google's server certificate.
I wonder whether this is consistent behavior that the OP is seeing.
They do capture and filter outbound mail. This isn't new. OVH has been doing it for years with a Vade appliance. If it's a big deal and you're legitimate, they're open to conversation, just open a ticket. They may charge for their time if they agree to exclude you. Alternatively, use a non-standard port and a relay outside of their network to send mail.
Otherwise, the only real loss is the little lock icon at Google, and a little privacy in between. Email isn't well known for privacy anyway, but customers do appreciate that little lock.
This isn't about filtering outbound mail, sure, tons of providers block port 25 until you reach out to the provider. Of course I don't have an issue with that. This is different.
This is having a middlebox that not just rejects outbound port 25, but actually intercepts the connection and edits the contents. In my case it actually prevented email delivery since the recipient server had DANE enabled. I've never heard of a provider editing TCP connections live.
No it is about filtering mail. That's why they're doing it. Do you have information about it that I don't?
Yep, if you go rent a server from Heficed in Frankfurt, contact support and get them to unblock port 25 by showing you're a legitimate email sender, they'll edit any outbound TCP connection on port 25 and prevent TLS initialization. The gmail sample here is just because its pretty clear gmail supports receiving mail over TLS
Many/most ISPs do this with middleboxes, several providers force you to use their smart host with no option (last I used redstation?), stripping STARTTLS is a pretty common tactic
Huh? For sending email from a different domain port 25 STARTTLS is the only way to do it. Port 587 and others are for submitting mail to a mailserver that is the originator for the domain in the From.
To clarify how I know all this, my account with them is excluded from it. I paid well for their time.
Apparently not, but support seemed to not be aware of it when I asked them. This account is (obviously) after talking to support to have them disable outbound-25 blocking (in this case sending from my own IPs that I own and BGP announce), and when I reported the STARTTLS filtering to support their response was that there isn't a filter and I should use a different port (so...I guess not send email?). Apparently you got an actually competent support tech instead
Yeah that's weird. They must have some new techs. When they started the brand early on I jumped in and they were really cool about everything.
Yep, ISPs, sure. Providers being explicit about smart hosts I totally get. Providers running a middlebox with no information about it on their site, support techs not being aware of it, editing TCP connections from customer-owned IP addresses BGP announced directly after talking to support to get outbound email unblocked at all...now that I haven't seen before.
OVH's is better and more hidden, but I learned about it when I ran an inbound relay there. It accepted mail, held it, and then delivered to my other servers outside of their network. One day they blocked SMTP and emailed me a list of email subjects that they deemed spam leaving their network. They only went out to my servers.
I went digging for fun.
https://www.heficed.com/press-releases/heficed-launches-disruptive-ipv4-address-platform/
Really subtle:
"A dedicated Abuse Management team works to ensure no IPv4s are being misused for spam or over illicit activities, while Halon and Abusix are used as anti-spam filters."
Halon is what they're using to capture and filter. I bet if you mention it by name they act differently.
Right, well it's doubly confusing because Heficed is all about the "rent IP addresses from others" stuff. For that I can understand wanting to be really strict about spam, but it's somewhat different when the IPs are BYOIP and not rented, instead wholly owned by the customer.
Of course doubly so because these days DANE is becoming more popular and editing the connection to block STARTTLS doesn't just leave the message unencrypted, it actually results in delivery failures.
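Added example, not code from the original thread or from Heficed: it reproduces, offline, the two things discussed above, the EHLO check that `openssl s_client -starttls smtp` performs (the OP's post) and the reason a DANE-aware sender fails delivery when a middlebox strips `250-STARTTLS` rather than falling back to cleartext (the comments about DANE). The EHLO reply text is constructed for the example, the `strip_starttls` function is only a model of the behaviour the thread describes (not Heficed's implementation), and all function names are the example's own. The `check_starttls_live` helper is the only part that touches the network and is not used by the offline demo.

```python
"""Model a STARTTLS-stripping middlebox and its effect on a DANE-aware sender.

Constructed sample data: the EHLO reply below is typical of a large MX but is
made up for this example; it is not a capture from Heficed or Gmail.
"""
import smtplib
import sys
from typing import Set

# Constructed multi-line 250 reply to EHLO, as the genuine MX would send it.
GENUINE_EHLO = (
    "250-mx.example.test at your service, [203.0.113.10]\r\n"
    "250-SIZE 35882577\r\n"
    "250-8BITMIME\r\n"
    "250-STARTTLS\r\n"
    "250-ENHANCEDSTATUSCODES\r\n"
    "250-PIPELINING\r\n"
    "250 SMTPUTF8\r\n"
)


def parse_ehlo(response: str) -> Set[str]:
    """Return the extension keywords advertised in a multi-line 250 reply.

    Lines after the greeting are '250-KEYWORD [params]' (more to come) or
    '250 KEYWORD [params]' (last line). This is the parse behind the
    "Didn't find STARTTLS in server response" message from openssl.
    """
    extensions = set()
    lines = response.strip().splitlines()
    for line in lines[1:]:  # lines[0] is the greeting, not an extension
        if not line.startswith("250"):
            raise ValueError("unexpected EHLO line: %r" % line)
        keyword = line[4:].split(" ", 1)[0]
        extensions.add(keyword.upper())
    return extensions


def strip_starttls(response: str) -> str:
    """Model of the middlebox: drop the STARTTLS line from the server's reply.

    Hypothetical reconstruction of the behaviour the thread reports; it rewrites
    a string and connects to nothing. The reply is kept well-formed by making
    sure the final line uses '250 ' rather than '250-'.
    """
    lines = response.strip().split("\r\n")
    kept = [lines[0]] + [
        l for l in lines[1:] if l[4:].split(" ", 1)[0].upper() != "STARTTLS"
    ]
    kept[-1] = "250 " + kept[-1][4:]
    return "\r\n".join(kept) + "\r\n"


def plan_delivery(extensions: Set[str], dane_tlsa_present: bool,
                  require_tls: bool = False) -> str:
    """Decide what a sending MTA does next, given the advertised extensions.

    'STARTTLS'  - negotiate TLS, then deliver.
    'CLEARTEXT' - opportunistic TLS unavailable, deliver in the clear
                  (this is what happens to a plain Exim/Postfix with no DANE).
    'DEFER'     - TLS was mandatory because the recipient publishes a TLSA
                  record (DANE) or local policy demands TLS, so the message is
                  deferred instead of sent in the clear. This is the delivery
                  failure the thread describes.
    """
    if "STARTTLS" in extensions:
        return "STARTTLS"
    if dane_tlsa_present or require_tls:
        return "DEFER"
    return "CLEARTEXT"


def check_starttls_live(host: str, port: int = 25, timeout: float = 10.0) -> bool:
    """Network version of the OP's check: EHLO the host and report STARTTLS.

    Uses only smtplib's standard EHLO handling; equivalent to looking for the
    250-STARTTLS line with openssl s_client. Not called by the offline demo.
    """
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        return smtp.has_extn("starttls")


if __name__ == "__main__":
    genuine = parse_ehlo(GENUINE_EHLO)
    stripped = parse_ehlo(strip_starttls(GENUINE_EHLO))
    print("genuine reply, DANE recipient   :", plan_delivery(genuine, True))
    print("stripped reply, no DANE         :", plan_delivery(stripped, False))
    print("stripped reply, DANE recipient  :", plan_delivery(stripped, True))
    if len(sys.argv) > 1:  # optional: python script.py mx.example.net
        print(sys.argv[1], "advertises STARTTLS:", check_starttls_live(sys.argv[1]))
```

Run it with no arguments for the offline demonstration; pass an MX hostname to perform the same EHLO check the OP did with openssl from the box you suspect. The point of `plan_delivery` is the asymmetry: a non-DANE sender silently loses encryption, while a DANE sender that sees no STARTTLS keeps deferring, which is why the thread reports outright delivery failures to German mailservers rather than merely unencrypted mail.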
You are completely right. I was thinking from the perspective of an email client, which isn't what this is about.
It seems very invasive what Heficed are doing.
A good catch on your part to have noticed this.
It's one of those damned if you do, damned if you don't things. When they started they didn't block SMTP, and IP rental has been their big appeal which is pretty dangerous territory. As more and more do it, it'll seem less unusual. Though it probably will invoke the same emotions and understandably so. We had considered the concept at an old job using a MC appliance because people are always complaining about spam from that provider and SMTP blocks were deemed too hostile to users.
But SMTP blocking is very different from TCP connection editing. Most providers block outbound 25 until you provide ID/ask support/etc, and most providers then still monitor various IP reputation services. Most big email players (eg Microsoft/Yahoo/etc) even have a service for hosting providers or IP owners to monitor for IP reputation issues, which lets them shut down spammers as they appear.
These approaches seem to work quite well for most providers. Sure, ISPs sometimes edit SMTP, but a hosting provider editing SMTP after doing verification to get it enabled in the first place I've really just never seen.
That's a lot easier said than done when you're trying to balance the needs of everyone and you don't have root to your customer's boxes. Competitive on price means you need automation. Competitive on behavior means you give customers time to resolve issues. Competitive on compliance with other networks means you limit the amount of junk leaving your network.
When you're trying to balance what makes all of these people happy it's really hard and there's no perfect solution:
Of course the logical answer is #3 doesn't pay you so fuck them, but then you don't know how many customers you're not getting because everyone complains about the quality of your IP reputation and the junk being allowed to leave your network. And that's why my old job basically decided fuck #3 and I couldn't prove that it lost us money. Out of somewhere around 10,000 NPS surveys maybe 3 mentioned IP reputation.
@BlueMatt: Just wondering: can/could you use an SSL/TLS connection from the start instead of using STARTTLS?
No, that's not the way email works. For sending via a smarthost (or through your provider) that's how things work, but if you're running a proper email server and sending email between domains, you have to use port 25 and you have to use STARTTLS if you want TLS.
Oh, of course, right. (I've just made the same mistake that the guy above made -- sorry!)
Yep, I totally get it, balancing these things is hard, especially when margins for VPS providers keep getting compressed. Sadly, the "install a middlebox and screw with user packets" also results in losing customers (me!) if only because doing so results in default-configured Exim/Postfix refusing to deliver mail to half the mailservers in Germany (for a VPS in Frankfurt...)
Well, I wonder what under illicit means. Or maybe over illicit means more than illicit, criminal or something.
Getting the expected STARTTLS connection with google cert on OVH (Kimsufi). Can you explain further what filtering they do? Should I be worried using them for personal email?
Not getting any TLS stripping on my KS either. Don't try to legitimize a shady practice with vague hand-waving at a well-known provider implying "everyone does that".