Today I was at one of my favorite coffee places, sipping on a cup and using their free WiFi to catch up on my email. About 15 minutes after sending a message to some folks on our staff, I received a rejection notice from MAILER-DAEMON:

*Delivery has failed to these recipients or distribution lists:*

staffaddress@donet.com
Your message wasn't delivered because of security policies. Microsoft Exchange will not try to redeliver this message for you. Please provide the following diagnostic text to your system administrator.


Well, this seemed mighty curious. Were our own security policies blocking my email to our staff? A little further down I discovered the following:

*Diagnostic information for administrators:*

Generating server: relay.wanderingwifi.com

staffaddress@donet.com
#< #5.7.1 smtp; 550 5.7.1 Message content rejected, UBE, id=24516-01-3>
#SMTP#


This seemed even more curious. First, I use Donet corporate email servers for both inbound and outbound email, so what is “relay.wanderingwifi.com”, and who told this server it was OK to scan and relay my email?  Second, my work related email about Donet business was tagged as UBE, unsolicited commercial bulk email — strike two.  The only conclusion I could draw was that my coffee shop was using a provider that inspected my packets as they flew across the wire, saw something destined for port 25 on my corporate mail server, and passed it through a spam scanning system of their own first.

While I understand the potential technical advantages of doing this (stopping rogue systems on the free WiFi from unobstructed spamming, whether intentionally or as the result of malware on unprotected systems), it also raises privacy concerns. SMTP is an inherently insecure protocol, but my email was not simply routed as I expected it to be — it was pre-processed by a server other than the one I had chosen for my outbound mail gateway.  I’m sure somewhere in the WiFi legalese I agreed to such intrusive behavior, but I still feel that a line has been crossed that shouldn’t have been.

Next time I use a WiFi hotspot to send email, particularly something I want to make sure stays within our corporate network, I’ll connect through the VPN first.

1. Eric Westfall Says:
   June 23rd, 2009 at 9:25 am

   Very interesting indeed, I would be curious to know if they also prevent IPSEC and L2TP pass-through, thus preventing VPN connections. This also reminds me of a post I read on Slashdot a while back that discussed the prevalence of ISP outbound email filtering…. http://ask.slashdot.org/article.pl?sid=08/01/31/2130251

2. James Says:
   June 23rd, 2009 at 10:20 am

   If you are a Donet customer and find yourself in a similar situation, you can always try and use encrypted SMTP/POP3/IMAP conversations. We support them for a large majority of our email services to protect data in transmission.

   Configuring your mail client to use encryption is often as simple as checking the box next to “Use Secure Socket Layer (SSL)”.