Comment by m132
2 days ago
That's an interesting protocol choice, especially given the purpose. SMTP is probably the most filtered protocol on residential networks, SMB being a runner-up.
2 days ago
That's an interesting protocol choice, especially given the purpose. SMTP is probably the most filtered protocol on residential networks, SMB being a runner-up.
SMTP isn't filtered it's port 25 that is. And from a short look at the readme it looks like it's using the transmission port 587 which shouldn't be filtered.
Any decent firewall these days is layer 7 aware. The port doesn't make a difference
I was thinking this too. I'm assuming it doesn't look like an SMTP server from the outside? Because if it does, that would absolutely land your IP up on many, many DNSbls very quickly if it started getting probed.
Interesting idea though, spoofing other protocols than HTTP/HTTPS are probably a good idea for censorship evasion in countries with incredibly strict national firewalls.
TECHNICAL.md lays it out a bit more, but it claims to be RFC 5321 compliant with a realistic initiation sequence so it should somewhat look like a real SMTP server for the first bit.
Ending up on any DNSBLs shouldn't be a problem unless you have a static home IP you plan on running an actual SMTP server from after this though.
>SMTP traffic on port 587 (submission) is expected and normal
Any residential dynamic or static IP with this port opened is definitely going to get flagged. Most ISPs already prevent these ports from being open, either by policy or by residential routers.
It would probably very quickly end up on something like SpamHaus's PBL, which looks for this kind of thing.[1]
I would imagine you would also find yourself on Shodan pretty quickly getting hit with constant nmap & login attempts from malicious actors. Spam bots are always looking for insecure servers to send emails from.
I feel like ssh, SFTP, or even a secure DNS server would probably make more sense as something to hide traffic from DPI than an SMTP server.
[1] https://www.spamhaus.org/blocklists/policy-blocklist/
5 replies →
What would you reach for out of curiosity?
For me RTP+rateless erasure codes come to mind, but I’m feeling Rube Goldbergy today.
All boils down to the kind of DPI you're trying to work around, but generally the most common encrypted or otherwise difficult to process protocols strike me as the most preferable.
RTP isn't a bad choice, especially the WebRTC flavor of it:
- it's UDP; there's no need to worry avoid the TCP meltdown
- it's most commonly used for peer-to-peer and PBX communication; packets going in and out, from and to random IPs are expected
- high bandwidth RTP traffic is normal, so are high irregularities
- it most often carries video; huge room for steganography
- WebRTC makes encryption mandatory
I've come across corporate networks that do block non-intranet WebRTC, however this probably isn't feasible at the Internet scale.
Other good choices are QUIC and WebSockets (assuming your network doesn't do MitM), and SSH, which by default comes with strong protection against MitM and actually has SOCKS5 tunneling built into the most popular implementations (try `ssh -D`). SSH is what some of my friends successfully use to bypass the Great Firewall.
That being said, the shift of client-to-server SMTP from a common part of everyday internet traffic to something rather esoteric may have created some potential for firewall misconfigurations, and those might result in it being passed with minimal inspection. All depends on your particular firewall in the end.
I think HTTP web sockets would be an interesting tunneling protocol.
Tor has a transport using exactly that.
https://blog.torproject.org/introducing-webtunnel-evading-ce...
You don't need websockets, just Connection: Upgrade to anything you want. You can upgrade directly to ssh protocol and just pass on decrypted data from https socket to local port 22 from then on with no further processing.
1 reply →
IP over Avian Carriers