By now I guess you must have heard of Deep Packet Inspection (DPI), a method of looking at each IP packet passing through a gateway router for the purposes of making statistics or to shape the traffic of users depending on the content of the packet. A recent article in Heise News now describes what kind of other features such gateways seem to have built in these days. The report states that wireless network operator of O2 (Telefonica) had “accidentally” activated a feature for some time that did not only look inside the packets but also modified their content to prevent email being sent over an encrypted connection.
It’s easier than it sounds: Most email programs encrypt the connection, if they activate it at all, if the SMTP email server tells them at connection establishment that encryption is available. To this end, the server includes a “250 – STARTTLS” notification in the startup information exchange. To prevent the email client from activating encryption, the network based router simply overwrote this string with “250-XXXXXXXA”.
If the email program is configured to use optional encryption, the email is transferred without establishment of a secure connection and the user does not notice anything at all. The email transfer only fails if the email program is set to require transport encryption, which for example, has to be set manually in Thunderbird and is thus not used very often. In this case the user gets an error message which is how the whole story was uncovered. The same approach also works to stop encryption being activated between SMTP servers exchanging email allowing to look into email transfers between any two SMTP servers such a router sits in between.
Clearly this kind of packet inspection and modification does not serve traffic shaping purposes…