Re: [exim] the great TLS mystery

> This has been tampered with by an intermediary.
> In Exim, the "HELP" EHLO keyword is always last.

When the user telnet'd to port 8111, he got the proper response, not the
tampered response.

If this user were nearby, I'd be sitting in his kitchen with my malware
emergency kit until I got to the bottom of it. But he's a couple
thousand miles away. He's also pretty patient at trying this, but not
overwhelmingly tech savvy.

The three things that seem most likely to be doing the tampering are:

* his ISP cloud ... though why they would inject that AUTH is a mystery
... I'd be willing to chalk that up to pointless meddling by an ISP who
doesn't know themselves why they are doing it ... maybe they do the same
thing even if you are one of the 99% of users going to their SMTP servers

* antivirus on his PC ... same question about AUTH, but even less
motivation there ... I guess advertising AUTH could be somebody's idea
of stopping some know-nothing spambot, but they don't seem to actually
be stopping anything

* a virus on his PC ... this one is a reasonable guess since the reason
for AUTH is obvious ... if they can get the user to send credentials
before TLS, they can grab them


If I find out more about this, I will report back to the list.