Thursday, January 10, 2008

Spam from Coffee shops?

Bruce Schneier, one of my heroes, wrote that he runs an open WiFi at his home. One of his reasons was:
I can count five open wireless networks in coffee shops within a mile of my house, and any potential spammer is far more likely to sit in a warm room with a cup of coffee and a scone than in a cold car outside my house.

I run my own mail server at home, and originally configured it to accept the STARTTLS command. Running an open relay is a no-no, and so unless you have authentication credentials, connecting to my server from outside will only allow local delivery. With the credentials, you can send mail to anywhere.

One day soon after configuring this, I was sitting in a local coffee shop (I think it was Caribou, but I am not sure), sending an e-mail, and got a strange error message: it didn't recognize the STARTTLS command. After a few minutes of head scratching trying to understand why my server wasn't recognizing it, I realized that I wasn't connecting to my home server. The coffee shop wireless (on top of their auto-sign-in process) was stealing all port 25 traffic and feeding it to their own server. I'm just guessing, but I'd bet a lot that this is to prevent someone from walking in, grabbing a delicious cup of coffee and a scone, and sending a few thousand e-mails saying "Dearest one, I am a 200 year old senile senior citizen who wants to give you a 25,123,999 (twenty five million, one hundred twenty three thousand, nine hundred ninety nine) U. S. Dollars".

I began running a second mail server on a different port, and now it works fine. Port 25 is still for anyone sending me mail (including, unfortunately, spammers) and the other port is for me when I'm away from home.

One of the reasons I set up my own mail server was security: checking e-mail is done via secure IMAP, sending is done via encrypted SMTP, and theoretically, I can send myself a message and later read it, from anywhere in the world, securely. I don't have anything that really requires that much security, but it's cool to have it.

And yet, it's not perfect. A coffee shop/hot spot could run a man-in-the-middle attack by carefully watching my outgoing traffic, and if I'm not careful about certificates, they've got me. I'm not sure why they'd want to, but it's possible.
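What the port-25 episode above and the certificate worry in this last paragraph amount to, as an added example that is not code from the original post: a client should find out what is really answering on the mail port before handing it credentials, and should only send after STARTTLS has succeeded against a verified certificate. The example assumes Python 3's standard smtplib and ssl modules; the host names, ports and credentials are placeholders, and the two in-process fake servers are constructed stand-ins for the home server and for a hotspot proxy that swallows port 25 and rejects STARTTLS with a 500, which is the symptom described above. The author's real server, ports and hotspot are not known.

```python
# Added example, not code from the original post.  Placeholder hosts and
# credentials throughout; the fake servers below are constructed stand-ins.
import smtplib
import socket
import ssl
import threading


def probe_smtp(host, port, timeout=5.0):
    """Connect, read the 220 banner, send EHLO, and report what is offered.

    Sends no mail and no credentials, so it is safe to run against an
    endpoint you suspect is not the server you configured.
    """
    smtp = smtplib.SMTP(timeout=timeout, local_hostname="probe.example")
    try:
        code, banner = smtp.connect(host, port)
        if code != 220:
            raise smtplib.SMTPConnectError(code, banner)
        code, reply = smtp.ehlo()
        if code != 250:
            raise smtplib.SMTPHeloError(code, reply)
        return {
            "banner": banner.decode("ascii", "replace"),
            "starttls": smtp.has_extn("starttls"),
            "auth": smtp.has_extn("auth"),
        }
    finally:
        try:
            smtp.quit()
        except smtplib.SMTPException:
            pass


def looks_intercepted(result, expected_host):
    """The post's symptom as a check: the banner names someone other than
    your own server, or STARTTLS is missing.  Either means the connection
    is not going where you think it is."""
    return expected_host not in result["banner"] or not result["starttls"]


def send_via_submission(host, port, user, password, message, cafile=None):
    """Send through the home server's authenticated port (587 is the usual
    submission port; the post does not say which port the author chose).

    ssl.create_default_context() verifies the chain against the system trust
    store (or `cafile`, e.g. the home server's own CA) and checks that the
    certificate matches `host`, so an interposed certificate makes starttls()
    raise ssl.SSLCertVerificationError before any password is sent.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            raise smtplib.SMTPNotSupportedError("no STARTTLS offered; not sending in the clear")
        smtp.starttls(context=ctx)
        smtp.ehlo()  # capabilities can differ inside the TLS channel
        smtp.login(user, password)
        smtp.send_message(message)


def fake_smtp_server(offer_starttls):
    """Constructed stand-in serving one connection on 127.0.0.1.

    offer_starttls=True  -> behaves like the home server's port 25.
    offer_starttls=False -> behaves like the hotspot proxy: own banner,
                            no STARTTLS, and a 500 if you send it anyway.
    Returns the port number.
    """
    name = b"mail.home.example" if offer_starttls else b"hotspot-relay.example"
    ls = socket.socket()
    ls.bind(("127.0.0.1", 0))
    ls.listen(1)
    port = ls.getsockname()[1]

    def serve():
        conn, _ = ls.accept()
        ls.close()
        rf = conn.makefile("rb")
        conn.sendall(b"220 " + name + b" ESMTP\r\n")
        for line in rf:
            cmd = line.strip().upper()
            if cmd.startswith(b"EHLO"):
                feats = [b"250-" + name, b"250-AUTH PLAIN LOGIN", b"250 8BITMIME"]
                if offer_starttls:
                    feats.insert(1, b"250-STARTTLS")
                conn.sendall(b"\r\n".join(feats) + b"\r\n")
            elif cmd == b"STARTTLS" and not offer_starttls:
                conn.sendall(b"500 5.5.1 Command unrecognized\r\n")
            elif cmd == b"QUIT":
                conn.sendall(b"221 Bye\r\n")
                break
            else:
                conn.sendall(b"502 5.5.2 Not implemented\r\n")
        rf.close()
        conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    for label, offer in (("home server", True), ("hotspot proxy", False)):
        r = probe_smtp("127.0.0.1", fake_smtp_server(offer_starttls=offer))
        print(label, r, "intercepted:", looks_intercepted(r, "mail.home.example"))
```

Running the script prints the two probe results; the hotspot stand-in shows no STARTTLS and a foreign banner, which is exactly what the author's client should have noticed before it ever sent the STARTTLS command. The send path never transmits the password until the certificate has been checked against the expected host name, which closes the man-in-the-middle gap the last paragraph worries about.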