1

For a small research project I want to collect characteristics of public wifi hotspots.

One topic that came up was SMTP proxy - is there a way to detect a proxy or could I just check whether the standard ports are generally blocked (which would be 25, 465 and 587)?

soey
  • 1
    Trying to connect to a host known *not* to host an SMTP server would be an option. If there was a proxy most of them would intercept *any* port 25 connection. – André Borie Jun 08 '17 at 11:16
  • What do you mean by "SMTP Proxy" ? You wouldn't be able to differentiate between a proxy, a relay and a server without sending an email through the system and trying to deduce the behaviour from the headers (and even then it would be mostly guesswork) – symcbean Jun 08 '17 at 12:39
  • @symcbean I meant a proxy that would read/scan/modify/delete that email before actually sending the mail to the server. Exactly that was my question: would there be any way or method to detect this? I couldn't think of any, except in the obvious case when that mail would indeed be modified or deleted (e.g. because it is considered spam). – soey Jun 08 '17 at 12:51
  • @AndréBorie If I connect to a "not-SMTP" server, what information would I get? I am interested if a proxy intercepts an email respectively if there is any possibility to detect this. I recently read a blog about a businessman who claimed the hotel he was staying in used an SMTP proxy. But this statement was kind of vague and is probably just an assumption; anyhow, it made me curious. – soey Jun 08 '17 at 12:56
  • 1
    A proxy terminates TCP connections. Simply ping your server and connect to it; there should be a difference in the TTL of the ICMP reply and the SYN/ACK if there's a proxy. – Jonathan Allon Jun 08 '17 at 22:34

2 Answers

1

If it is a logging only proxy, you cannot. As you speak of Wifi, I assume that you connect through DHCP, so the default router is obtained through DHCP. That router actually proxies all traffic between its Wifi interface and its internet interface. From the outside, you cannot guess whether a spying system has been installed here.

On-the-fly rewriting of packets at this low level is rather complex and is uncommon: those are generally only filtering proxies that can block unallowed traffic. You could imagine one specific tool that, for example, consistently adds a new address on the mail envelope (not the To: header, but the RCPT TO: SMTP command). But as it is simpler to just log all traffic on selected ports, I have never heard of such a tool.

TL/DR: you cannot detect a proxy when you connect to a Wifi network that you do not own, because by definition the Wifi hotspot is a router and could log all the traffic that goes through it. So you should assume that everything that passes in plain text can be spied.

That is for the low-level proxying possibility. A more common usage is that ISPs block SMTP traffic (port 25) that is not for their own server. This is a best practice to avoid open mail relays. But the secure ports using SSL/TLS or requiring authentication (465 and 587) are generally not blocked.

Serge Ballesta
0

This is how we tried to address the issue in the end: For our project we configured a simple SMTP server that would reply with a custom banner message upon connection. We simply verified the banner and were able to detect some public Wi-Fi networks that returned a different one. For those, we assume that it is very likely that the traffic was intercepted.

soey
  • If you open a TCP connection to your server's IP and port 25, and you get a banner which is not the one your SMTP server sends, then obviously, there's an **interception** (i.e., pretending to hold your server's IP) proxy. – JeanPierre Oct 06 '18 at 13:23
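
The banner check described in the last answer, written out as an added example (not the poster's code): connect to a server you control, read the full SMTP greeting, and classify the result as a match, a mismatch, a silent connection or an unreachable port. The banner strings, the `example.test` host names and the `serve_once` helper, which stands in locally for the project's own server, are constructed for illustration.

```python
import socket
import threading

def read_greeting(sock, limit=4096):
    """Collect the SMTP greeting; '220-' lines continue, '220 ' ends it."""
    buf = b""
    while len(buf) < limit:
        chunk = sock.recv(512)
        if not chunk:
            break
        buf += chunk
        done = buf.split(b"\r\n")[:-1]          # complete lines only
        if done and done[-1][3:4] != b"-":
            break
    return buf.decode("ascii", "replace").strip()

def check_banner(host, port, expected, timeout=5.0):
    """Return (verdict, banner) for one probe of our own test server."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:                      # refused, filtered or timed out
        return "unreachable", str(exc)
    with sock:
        try:
            banner = read_greeting(sock)
        except OSError:                         # connected, but the read failed
            return "no_banner", ""
    if not banner:
        return "no_banner", ""
    return ("match" if banner == expected else "mismatch"), banner

def serve_once(banner):
    """Constructed local stand-in for a mail server: one client, one greeting."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def run():
        conn, _ = srv.accept()
        with conn, srv:
            conn.sendall(banner.encode("ascii") + b"\r\n")
    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]

if __name__ == "__main__":
    EXPECTED = "220 probe.example.test ESMTP wifi-survey-7f3a"   # constructed banner
    own = serve_once(EXPECTED)
    other = serve_once("220 gateway.example.test ESMTP filter")  # constructed proxy banner
    print(check_banner("127.0.0.1", own, EXPECTED))
    print(check_banner("127.0.0.1", other, EXPECTED))
```

A matching banner only shows that the greeting was not replaced; as the first answer points out, a device that passively logs traffic leaves it unchanged.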