Steven.Glogger@swisscom.com wrote:
well, actually.. it seems someone from us confirmed it in the comments of http://blog.neocid.li/?p=105 ...
Quite an interesting read. As that states, if I understand correctly, per default one gets put into the group where outbound mail to non-Swisscom boxes gets filtered.
If one uses SMTP-AUTH over port 25, all is fine and you get redirected to port 587 and all is 'fine'.
I guess it only becomes active when you reset your DSL session (rock solid at my place thus that nearly never happens afaik) as I still have:
tcp 0 0 194.1.163.39:25 92.105.157.240:45506 ESTABLISHED
But there is a bigger issue with the above, if that is truly how it happens:
- It is not documented anywhere on the Swisscom side
- It was not communicated to customers
- It does not account for people doing TLS, which would make the connection encrypted
- More importantly: it sets a very dangerous precedent that Swisscom is hijacking connections.
The last one is the really worrying part.
I don't mind port-25 filtering too much (I actually would fully agree with sending ICMP Destination Port Administratively Unreachable), as long as there is an easy & no-cost way to disable that.
Redirecting traffic though, and thus being able to read along, now that is quite a very, very bad thing... and I truly hope that is not the case.
I do hope that Swisscom realises that by doing that they will never be able to claim anymore that they can't do packet inspection, because then they are doing so, and that is a very dangerous thing, for them, but also for the customer (I am sure IPS and storage folks won't mind suddenly selling you lots of hardware though) and of course the government being able to require even weirder things (we want you to block website XYZ, you can look at the Host: header, just filter it out...). Yes, I know taps are possible, but that is passive and thus different from actively participating and thus modifying packets.
Also, it all is futile the moment botters grow up and start using TLS.
Any public or non-public comments on that, and moreover, better, a way to put straight what is then truly going on? :)
Greets with Love & Cuddles (as Swisscom works perfectly fine for me), Jeroen
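One way a customer can check for the kind of port-25 redirection discussed in the thread is to open a session to a mail server they control and compare what the far end announces with what that server really says. The following is an added example, not code from the original post or from Swisscom: it assesses a captured greeting and EHLO reply against an expected hostname (the constructed `mx.example.net` and `smtp-relay.isp.example` transcripts are placeholders, not real captures).

```python
import re

# Constructed transcripts (not real captures): what a client saw on port 25.
# DIRECT_SESSION reaches the operator's own server; PROXIED_SESSION is what a
# transparent middlebox answering in its place might look like.
DIRECT_SESSION = (
    "220 mx.example.net ESMTP Postfix",
    ["250-mx.example.net", "250-STARTTLS", "250-SIZE 10240000", "250 8BITMIME"],
)
PROXIED_SESSION = (
    "220 smtp-relay.isp.example ESMTP ready",
    ["250-smtp-relay.isp.example", "250-AUTH PLAIN LOGIN", "250 8BITMIME"],
)

def greeting_host(banner):
    """Return the hostname announced in a 220 greeting, or None if malformed."""
    m = re.match(r"^220[ -](\S+)", banner)
    return m.group(1).lower() if m else None

def ehlo_extensions(lines):
    """Return (announced_host, set of extension keywords) from an EHLO reply."""
    host, exts = None, set()
    for i, line in enumerate(lines):
        m = re.match(r"^250([ -])(\S+)(.*)$", line)
        if not m:
            continue  # ignore lines that are not well-formed 250 replies
        if i == 0:
            host = m.group(2).lower()  # first line carries the server name
        else:
            exts.add(m.group(2).upper())  # e.g. STARTTLS, SIZE, AUTH
    return host, exts

def assess_session(expected_host, banner, ehlo_lines):
    """List interception indicators for a port-25 session to a host you control."""
    findings = []
    expected = expected_host.lower()
    gh = greeting_host(banner)
    if gh is None:
        findings.append("no valid 220 greeting")
    elif gh != expected:
        findings.append(f"greeting from {gh}, expected {expected}")
    eh, exts = ehlo_extensions(ehlo_lines)
    if eh is not None and eh != expected:
        findings.append(f"EHLO reply from {eh}, expected {expected}")
    if "STARTTLS" not in exts:
        findings.append("STARTTLS not offered: a middlebox may be stripping it")
    return findings
```

For a live check, complete the STARTTLS handshake as well and verify the certificate chain and name against your own server, since a proxy can copy a banner but not your private key.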