Vodafone India snoops on e-mail

By Abhijit Menon-Sen <>

An article about Vodafone injecting javascript into web pages reminded me of a problem I investigated when Hassath couldn't send mail when connected through her phone's hotspot.

My first response to any network problems is to run tcpdump, and I saw the following EHLO response from my own SMTP server. 

250-raven.toroid.org
250-PIPELINING
250-SIZE 307200000
250-VRFY
250-ETRN
250-XXXXXXXA
250-AUTH PLAIN CRAM-MD5
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN

Vodafone is transparently proxying outgoing SMTP traffic and replacing STARTTLS in the EHLO response with XXXXXXXA, so that the client doesn't try to negotiate TLS. If you issue STARTTLS anyway—which no normal SMTP client would, but openssl's s_client can do—the TLS negotiation fails. So it's not just a downgrade attack, it's actively sabotaging TLS connections too.

This was the case in mid-2014, and it's still the case at the time of writing. I wonder how many terabytes of email logs they have collected in the meantime, how they are stored, and who is reading them.

While I was tethered to my phone, I did a bit more testing. Vodafone India doesn't seem to mess with HTTPS connections, and IMAP connections are not downgraded either (i.e., the server's STARTTLS advertisement is not modified, and the TLS negotiation succeeds). Nor did it inject any Javascript into the web pages I tried (yet).

Update (2017-10-01): I happened to read a 2014 post by Steve Atkins titled STARTTLS and misplaced outrage, which says this is a "very, very, very well known" problem with the configuration of a PIX firewall feature named "MailGuard". He writes:

The most likely scenario, by far, is that the mailserver operator is behind a PIX, and has it configured like that. As port forwarding is specific to the interface that traffic comes in on, it’s quite possible that it’s only misconfigured for traffic coming over some networks. Drastically less likely is that there was a PIX installed – backwards – on the cellular providers network. Somewhat less likely still is that they’re simply lying about what they’re seeing. But those are the only three options.

In this case, I'm the operator of the mail server in question, and I know there is no PIX involved anywhere, and I know I'm not simply lying either. I also know that the problem happens only on Vodafone's network, so—unlikely as it may be—maybe there's a PIX installed backwards on the Vodafone network?