Vodafone India snoops on e-mail

By Abhijit Menon-Sen <ams@toroid.org>

2015-12-28

An article about Vodafone injecting JavaScript into web pages reminded me of a problem I investigated last year when Hassath couldn't send mail when connected through her phone's mobile hotspot.

My first response to any network problem is to run tcpdump, and I saw the following EHLO response from my own SMTP server:

250-raven.toroid.org
250-PIPELINING
250-SIZE 307200000
250-VRFY
250-ETRN
250-XXXXXXXA
250-AUTH PLAIN CRAM-MD5
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN

Vodafone is transparently proxying outgoing SMTP traffic and replacing STARTTLS in the EHLO response with XXXXXXXA, so that the client doesn't try to negotiate TLS. If you issue STARTTLS anyway—which no normal SMTP client would, but openssl's s_client can do—the TLS negotiation fails. So it's not just a downgrade attack, it's actively sabotaging TLS connections too.
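A check for this kind of tampering, as an added example that is not part of the original post: it compares the EHLO reply seen on the suspect path with the reply the same server gives on a trusted path, and reports whether STARTTLS has gone missing and which unknown keyword took its place. The baseline reply is an assumption, constructed here by restoring STARTTLS in the captured reply; the function names are hypothetical.

```python
import re

# EHLO reply seen through the hotspot, copied from the capture above.
OBSERVED = """\
250-raven.toroid.org
250-PIPELINING
250-SIZE 307200000
250-VRFY
250-ETRN
250-XXXXXXXA
250-AUTH PLAIN CRAM-MD5
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
"""

# Assumption: the reply the same server gives on a trusted path. Constructed
# here by putting STARTTLS back where the masked keyword appears.
BASELINE = OBSERVED.replace("XXXXXXXA", "STARTTLS")

def parse_ehlo(reply):
    """Return the set of extension keywords in a multi-line 250 reply."""
    keywords = set()
    for i, line in enumerate(reply.strip().splitlines()):
        m = re.fullmatch(r"250[- ](\S+)(?: .*)?", line.strip())
        if not m:
            raise ValueError(f"not a 250 reply line: {line!r}")
        if i > 0:  # the first line carries the server name, not an extension
            keywords.add(m.group(1).upper())
    return keywords

def check_starttls_stripping(observed, baseline):
    """Compare an EHLO reply from a suspect path against a trusted one."""
    seen, expected = parse_ehlo(observed), parse_ehlo(baseline)
    unexpected = seen - expected
    # The masked keyword in the capture has the same length as STARTTLS and
    # starts with a run of X; flag unknown keywords of that shape.
    masked = sorted(k for k in unexpected
                    if len(k) == len("STARTTLS") and k.startswith("XXXX"))
    return {
        "starttls_advertised": "STARTTLS" in seen,
        "stripped": "STARTTLS" in expected - seen,
        "masked_keywords": masked,
    }

if __name__ == "__main__":
    print(check_starttls_stripping(OBSERVED, BASELINE))
```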

This was the case in mid-2014, and it's still the case at the time of writing. I wonder how many terabytes of email logs they have collected in the meantime, how they are stored, and who is reading them.

While I was tethered to my phone, I did a bit more testing. Vodafone India doesn't seem to mess with HTTPS connections, and IMAP connections are not downgraded either (i.e., the server's STARTTLS advertisement is not modified, and the TLS negotiation succeeds). Nor did it inject any JavaScript into the web pages I tried (yet).