Poor Security

Its amazing really. I have an insane amount of free time and yet my blog hasn't been updated in months. Well I finally found something to write about so lets see how this goes.

So I've using Gmail for quite a while now. I've got it configured to pick up mail from my Hotmail, Live, MSN, and two Road Runner email addresses. Its essentially a web-based email client at this point. I made one Road Runner address specifically to use when contacting potential employers since people doing searches for 'ddaydj' might not give a good first impression. The problem I've run into is when you send mail through Gmail using a 3rd party email address, it uses their servers and so its possible for the person on the other end to see my Gmail address.

Thankfully, Google recently fixed this by allowing you to specify an SMTP server for outgoing mail on each address allowing you to hide your Gmail address. I was able to configure my Microsoft accounts just fine since they all use the same server. I have been unable to get my Road Runner accounts to send mail though. When trying to configure Gmail to use their SMTP servers, I get an authentication error suggesting my user name or password is incorrect. After playing around with everything I could think of I came to the conclusion that there was something going on with Road Runner's servers. I gave them a call and ended up chatting with the national help desk who was of little help at all. Yesterday, I went ahead and tried to do a live chat and see how that went. Here's the log from that.

user ddaydj has entered room
analyst JimmyW has entered room
JimmyW> Hello! Thank you for choosing Road Runner Internet technical Chat. My name is Jimmy W. How may I help you today?
ddaydj> i wanted to know if its possible for me to access your smtp servers from outside your network?
JimmyW> Yes, it is possible.
JimmyW> Be assured, I am here to assist you.
JimmyW> I will definitely look into this. To get us started, I will need to verify some security information and then we can move on to understanding your setup. We will need to perform some troubleshooting steps together, and I'll be running some tests on my end. Feel free to ask questions along the way. Before we begin, please provide the following three pieces of information for security check and to verify your account: 1. The account holder's 10 digit telephone number. (xxx-xxx-xxxx) 2. The account holder's Full Name. (First and Last) 3. Please tell us your name.
ddaydj> [censored], [censored], <<> Thank you for the valuable information.
JimmyW> [censored], I understand that you want to know that if you can use Road Runner outgoing server when you are not at home. Am I correct?
ddaydj> well, actually i used a web-based email client, so the connection to use the smtp server would be from their servers, and not my home computer
JimmyW> Yes.
JimmyW> Which program/software are you using to access your e-mails? (Road Runner Web Mail, Outlook or Outlook Express).
ddaydj> i'm using a web-based email client, not road runner web mail
JimmyW> What is the name of that Web-based client?
ddaydj> gmail
JimmyW> I am sorry but in this case you will have to use the server settings provided by Gmail.
ddaydj> why is that?
JimmyW> Which e-mail address are you using with Gmail?
ddaydj>i have two @hawaii.rr.com addresses that i use
ddaydj> the first is ddaydj, the second is [censored]
JimmyW> Okay, is it Outlook that you are using?
ddaydj> no, i'm using gmail
JimmyW> Do you mean that you are using Road Runner e-mail address for login to Gmail?
ddaydj> no, i have configured gmail to send and receive mail to and from roadrunner. currently it is able to pull mail from your pop server, but i get an error when it tries to send mail using your smtp server. i do not have this issue with the 3 other accounts that i have configured in the same way.
JimmyW> Where you have setup the accounts in Outlook or Outlook Express?
ddaydj> gmail
JimmyW> How do you open Gmail to access your Road Runner e-mail?
ddaydj> just a second
JimmyW> I do not want to rush you but I am awaiting your response.
ddaydj> [censored] that is a picture of my accounts in gmail. as you can see i am able to receive mail without problems. i have also configured my other email accounts to use their respective smtp servers
ddaydj> are you able to view that image?
JimmyW> Yes, I can see that,.
JimmyW> I am sorry but you will have to contact Gmail and get this issue resolved as we do not have tools to get this issue resolved.
JimmyW> I can help you with the server settings of Road Runner.,
ddaydj> alright then, can you tell me what port i should access the smtp servers on? and do they support tls/ssl?
JimmyW> Incoming Mail Server (POP3): pop-server.hawaii.rr.com Outgoing Mail Server (SMTP): smtp-server.hawaii.rr.com
JimmyW> Incoming Mail Server port (POP3): 110 Outgoing Mail Server port (SMTP): 25
ddaydj> and does the smtp support encryption with ssl or tls?
JimmyW> No.
JimmyW> You have to give authentication to outgoing server.
JimmyW> And you will have to use the complete e-mail address in the username field if you are using the authentication.
JimmyW> For more information about Road Runner products and services, please visit our website http://help.rr.com and check for online FAQs.
JimmyW> Is there anything else I can assist you with regarding Road Runner products and services?
ddaydj> no that was it. but can you confirm for me once more, that if i tried to check my email using say outlook express while connected to a comcast internet connection, i would not have any issues?
JimmyW> You will not have any issues if you will give authentication to the outgoing server.
ddaydj> ok, thank you.
JimmyW> And if you will use the above provided settings.
JimmyW> My pleasure!
JimmyW> Thank you for contacting Road Runner technical support, again my name is Jimmy W, we value you as a customer.
JimmyW> God bless you!
Obviously, this guy was not very helpful. Later on I tried to setup a Road Runner account on my phone which is connecting through T-Mobile's network. Accessing the POP server worked without issues but again I got an authentication error with the SMTP server. As I mentioned to the tech, I believe that Road Runner only lets people inside their network access their SMTP servers, meaning you'd have to be on one of their lines to send email.

But here's the fun part! I installed Thunderbird on my computer and setup it up to check on of my Road Runner accounts. I then tried to send a message. It went through no problem... but wait... I never gave it my password during setup. That is usually asked for when it first checks mail and I told it to skip that step. Thinking I had maybe typed my password and forgotten about it, I deleted my POP account and disabled authentication on SMTP. Sending an email failed. I turned SMTP authentication back on but gave it a false user name and again did not specify a password. My email went through and on the other end I got a message from FakeUser@hawaii.rr.com.

So from what I can tell, the only security Road Runner is using on their SMTP server is a user name, any user name! There's no real authentication going on, so anyone inside Road Runner's network could use any user name they like, even one typically used by someone else... like other users or even businesses.

Update: I gave Oceanic a call to see what they had to say about it. The customer service guy I spoke to was surprisingly knowledgeable. He confirmed that they do not use any authentication for outgoing mail, but they do check to make sure that your IP address is inside their scope. He stated that this was a common practice with email and was the way things are, citing Hotmail and Gmail doing the same thing.

Well, I went and checked Hotmail and Gmail to see how their services work. Both of them not only require a valid user name and password, but also use an encrypted connection for sending email. While an while encryption might not be as necessary for Road Runner's mail servers since they only allow mail sent from within their network, authentication is used by both those sites. I'm not sure how other ISPs handle their email, so I'm not sure if Gmail and Hotmail are more secure out of necessity or if they are following the trend. I'll see what else I can find out about all of this.

No comments: