FRESH

Hacker News

Show HN: SMTP Tunnel – A SOCKS5 proxy disguised as email traffic to bypass DPI

136 points by lobito25

by bmenrigh

3 subcomments

Large volumes of SMTP-like traffic are a huge red flag. Competent companies an ISPs should already be looking for large volumes of outbound mail to identify abuse / spam bots / data exfiltration.
If I came across this in netflow data I'd first assume outbound spam. But a hallmark of sending mail is that the client to server byte ratio is extremely skewed towards client -> server bytes, whereas running a VPN-like service is usually more balanced but still skewed towards server -> client bytes. I'd see the large server -> client byte count and immediately know something strange was going on.
That said, very little code here is involved in looking like SMTP. The SMTP obfuscation basically boils down to a few lines of plaintext between the client and server before a STARTTLS and then everything after that has nothing to do with SMTP. You could swap out the fake stub conversation quite easily to look like many other protocols. Whether the in to out bytes ratio makes sense for those protocols is another matter.
These days, I think the best thing to disguise as is HTTPS. There is so much variety in HTTPS traffic and such a huge volume of it, that spotting hidden tunnels is very hard.

by m132

3 subcomments

That's an interesting protocol choice, especially given the purpose. SMTP is probably the most filtered protocol on residential networks, SMB being a runner-up.

by ralferoo

0 subcomment

This seems daft to me as it would be trivial to identify on a network. Real SMTP will have significant data flow in one direction towards the destination, will close the connection fairly quickly once it's transferred (so no pauses) and has very little traffic being returned. It's hard to think of a worst protocol to try to hide a proxy in.

by dfajgljsldkjag

0 subcomment

So many comments explaining this is a bad idea while OP just asked claude code to write this and probably doesn't even know the difference between TCP and IP.

by thedougd

1 subcomments

Quite a few things use STARTTLS. I imagine the same technique could be applied to those other protocols, giving users some options as they fight hostile networks.
Clever

by Gathering6678

2 subcomments

I suppose it would be trivial to simply block or severely throttle high-volume SMTP traffic?

0 subcomment

by ok123456

0 subcomment

Back in the 90s, I ran telnet on the POP3 port so I could IRC in the lab during high school. The more things change, the more they stay the same.

by neilv

0 subcomment

How does this get past firewalls that would block the alternative, of SOCKS5 traffic tunneled through port-443 HTTPS with keepalives?
(Even with complete HTTPS decryption in the firewall, the downstream traffic could look like, say, random CSV data file downloads or innocuous HTML text, and upstream traffic could look like innocuous requests (avoiding large lists of problematic keywords).)

by lobito25

0 subcomment

Here's a similar project that uses IMAP instead of SMTP: https://github.com/x011/imap-tunnel-proxy

by Haaargio

0 subcomment

Get yourself an IP with Port 443 free and just use that.
SMTP is blocked by a lot of firewalls by default. All cloud providers do that and you need to request opening them up.

by mycall

0 subcomment

by usAyayo

0 subcomment

by YouAreWRONGtoo

0 subcomment