T-Mobile 'fesses up to secure email ban gaffe
Wild spam-hunting robots killed off SMTP connections
T-Mobile was caught blocking the secure transmission of emails earlier this month, and VPNs too, but the operator claims the former was a mistake while the latter is a legacy from a bygone era.
The problem turned up around the end of December when some punters found T-Mobile was responding to all encrypted SMTP connections, other than to its own servers, with a reset (RST) packet. That was then compounded into conspiracy when Mike Cardwell realised his Virtual Private Network connections weren't being let through either, which turns out to be an unrelated and unfixed issue.
T-Mobile employs a variety of techniques to make sending spam over its network difficult, including blocking connections made to arbitrary SMTP mail servers. Secure connections, which are then generally authenticated with a name and password, are permitted as they're useless to spammers, but for a week or two T-Mobile's network was rejecting secure connections as well as the insecure ones.
Before the age of spam one could connect to any mail server, anywhere, and ask it to relay messages, but these days servers won't accept mail unless it's addressed to someone it's responsible for, or comes from a trusted connection (so you can send mail through your own ISP's server addressed to the rest of the world). But a spammer can still connect to the mail server at, say, AOL, and send thousands of messages to AOL accounts, and if they did that from a pre-paid mobile number then they're effectively untraceable.
AOL's server may decide not to forward those messages, and may reject the connection as suspicious, but that's beside the point.
These days most mail servers allow account holders to connect remotely and send mail, therefore relieving them of the need to run a local server, but that means sending the account name and password which should only be done over a secure connection, and it's those connections that T-Mobile was erroneously blocking.
When it comes to VPNs things are slightly more complicated. T-Mobile used to sell connections which did not permit the use of a VPN, and customers on those contracts will still find their VPN use blocked. These days the operator tells us that all its mobile broadband offerings permit VPN connections, though that right may be withdrawn from a customer who abuses the fair-use policy.
So, on T-Mobile's network, secure SMTP should work, and for most people VPNs should work too, but a failing VPN is probably down to an old contract. So give T-Mobile a bell and ask before you start breaking down the packets or accusing anyone of turning Blighty into communist China. ®
No conspiracy theory here
As the author of the post, I'd just like to say something. All I described was what I saw, and how I got around it. I compared its "technical" behaviour to that of China's firewall, because both use spoofed RST packets to disrupt connections. I didn't provide any commentary on my opinions of why they were doing the blocking, or whether or not they should. I don't consider it a "news piece", rather a simple technical description of a problem and a solution, for people to learn from. A lot of people have twisted what I wrote to make it sound like I'm describing some sort of conspiracy. If that's what you think, read my article again. To be fair, TheRegister has probably twisted it the least amount. Compare it to the boingboing.net interpretation for a laugh.
I'm with Mike
Like Mike Cardwell, I too run my own mail server. And for some few months now I have seen exactly the symptoms he describes (my logs show "lost connection after STARTTLS from unknown[188.8.131.52]" for example). But the problem was intermittent and I never got around to sniffing the traffic as I had promised myself I would. The problem is compounded by the fact that I use my own X509 certificates for TLS (so the certs are not signed by a separate certificate authority) and the mail client I use on my phone (k9mail) seemed to have problems with that. So, I wasn't /exactly/ sure that T-Mobile was at fault. Now I am. Have banged off a complaint to T-Mobile via the forum (and pointed out that my contract is shortly due for renewal).
I run my own mail server because I like being in control. If my network provider interferes with my traffic, then I am not in control. So I'll get some PAYG SIMs to try others.
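An added example, not part of the comment above or of the original article: a heuristic pass over Postfix-style smtpd log lines that separates sessions lost after STARTTLS with no TLS alert logged (consistent with the connection being cut in the network) from those where the client sent a TLS alert such as "unknown ca" (consistent with a certificate the client does not trust). The log lines and IP addresses are constructed, and treating the presence of an alert as the dividing line is a rule of thumb assumed here, not a guarantee.

```python
import re
from collections import defaultdict

# Constructed sample lines in Postfix smtpd log style (documentation IP ranges).
SAMPLE_LOG = """\
Jan 10 09:00:01 mx postfix/smtpd[2101]: connect from unknown[192.0.2.10]
Jan 10 09:00:02 mx postfix/smtpd[2101]: lost connection after STARTTLS from unknown[192.0.2.10]
Jan 10 09:00:02 mx postfix/smtpd[2101]: disconnect from unknown[192.0.2.10]
Jan 10 09:05:11 mx postfix/smtpd[2107]: connect from unknown[198.51.100.7]
Jan 10 09:05:12 mx postfix/smtpd[2107]: warning: TLS library problem: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
Jan 10 09:05:12 mx postfix/smtpd[2107]: lost connection after STARTTLS from unknown[198.51.100.7]
Jan 10 09:09:30 mx postfix/smtpd[2113]: connect from unknown[192.0.2.10]
Jan 10 09:09:31 mx postfix/smtpd[2113]: lost connection after STARTTLS from unknown[192.0.2.10]
Jan 10 09:12:44 mx postfix/smtpd[2120]: connect from home[203.0.113.5]
Jan 10 09:12:45 mx postfix/smtpd[2120]: Anonymous TLS connection established from home[203.0.113.5]: TLSv1.2
"""

LINE = re.compile(r"postfix/smtpd\[(\d+)\]: (.*)$")
CLIENT = re.compile(r"from \S*\[([0-9a-fA-F.:]+)\]")


def classify_starttls_failures(log_text):
    """Return {client_ip: {"no_tls_alert": n, "tls_alert": n}} for sessions lost after STARTTLS."""
    alert_seen = {}  # smtpd pid -> True once a TLS alert was logged in the current session
    result = defaultdict(lambda: {"no_tls_alert": 0, "tls_alert": 0})
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        pid, msg = m.groups()
        if msg.startswith("connect from"):
            alert_seen[pid] = False          # a new session starts on this process
        elif "TLS library problem" in msg and "alert" in msg:
            alert_seen[pid] = True           # the client objected at the TLS layer
        elif msg.startswith("lost connection after STARTTLS"):
            client = CLIENT.search(msg)
            if not client:
                continue
            kind = "tls_alert" if alert_seen.get(pid) else "no_tls_alert"
            result[client.group(1)][kind] += 1
    return dict(result)


if __name__ == "__main__":
    for ip, counts in classify_starttls_failures(SAMPLE_LOG).items():
        print(ip, counts)
```

A client address that only ever appears under no_tls_alert, across repeated attempts, is the pattern worth confirming with a packet capture on both ends.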
Breaking the spammers' business models
Since the so-called responsible parties such as T-Mobile are so continuously incapable of dealing with the spammers, why don't they ask for help? For example, if they provided the tools, would you be willing to donate a bit of your time to help make the spammers' lives even more miserable? T-Mobile and their ilk don't need to give us the guns, they can just ask us to help them recognize the targets.
This approach only depends on a few basic assumptions:
(1) Most people hate spam and the spammers are searching for a tiny fraction of suckers.
(2) The spammers can't obfuscate the parts of the spam that have to be understood by human suckers before the spammers can get the suckers' money.
If they (T-Mobile and friends) make it easy enough, then all it would take is a relatively minor effort by a relatively small fraction of the people who hate spammers to completely block the spammers from their suckers. I'm not suggesting that you can remake the spammers into decent human beings, but if you cut off their revenue streams from spamming, they will crawl under some other rock, almost surely a much less visible one.