more irony

This is lovely. On a whim I have just checked the DNS for the Guardian. I got the following results:

MX records:

guardian.co.uk mail exchanger = 30 guardian.co.uk.s200b1.psmtp.com.
guardian.co.uk mail exchanger = 40 guardian.co.uk.s200b2.psmtp.com.
guardian.co.uk mail exchanger = 10 guardian.co.uk.s200a1.psmtp.com.
guardian.co.uk mail exchanger = 20 guardian.co.uk.s200a2.psmtp.com.

So – all four MX records point to SMTP servers at psmtp.com. Now what are the IP addresses of those servers?

> guardian.co.uk.s200a1.psmtp.com
Server: 4.2.2.1
Address: 4.2.2.1#53

Non-authoritative answer:
Name: guardian.co.uk.s200a1.psmtp.com
Address: 207.126.147.10

> guardian.co.uk.s200a2.psmtp.com
Server: 4.2.2.1
Address: 4.2.2.1#53

Non-authoritative answer:
Name: guardian.co.uk.s200a2.psmtp.com
Address: 207.126.147.12

> guardian.co.uk.s200b1.psmtp.com
Server: 4.2.2.1
Address: 4.2.2.1#53

Non-authoritative answer:
Name: guardian.co.uk.s200b1.psmtp.com
Address: 207.126.147.13

> guardian.co.uk.s200b2.psmtp.com
Server: 4.2.2.1
Address: 4.2.2.1#53

Non-authoritative answer:
Name: guardian.co.uk.s200b2.psmtp.com
Address: 207.126.147.14

And where are those IP addresses?

Well, the netblock 207.126.144.0 – 207.126.159.255 is owned by Postini, which is based in Mountain View, California.

NetRange: 207.126.144.0 - 207.126.159.255
CIDR: 207.126.144.0/20
OriginAS: AS26910
NetName: POSTINI-ARIN2-ASSIGNMENT
NetHandle: NET-207-126-144-0-1
Parent: NET-207-0-0-0-0
NetType: Direct Assignment
RegDate: 2004-11-30
Updated: 2012-02-24
Ref: https://whois.arin.net/rest/net/NET-207-126-144-0-1

OrgName: Postini, Inc.
OrgId: POSTI
Address: 1600 Amphitheatre Parkway
City: Mountain View
StateProv: CA
PostalCode: 94043
Country: US
RegDate: 2002-11-15
Updated: 2012-01-05
Ref: https://whois.arin.net/rest/org/POSTI

and robtex confirms that all four of the MX servers are also in Mountain View.

So, mail to anyone@guardian.co.uk goes to a mail server in California.

Now where is (or are) the webserver(s)?

> guardian.co.uk
Server: 4.2.2.1
Address: 4.2.2.1#53

Non-authoritative answer:
Name: guardian.co.uk
Address: 77.91.252.10

So “guardian.co.uk” resolves to 77.91.252.10.

But an HTTP request to that address gets a permanent redirect (via HTTP) to “www.guardian.co.uk” as follows:

wget https://guardian.co.uk
--2013-06-24 21:46:02-- https://guardian.co.uk/
Resolving guardian.co.uk (guardian.co.uk)… 77.91.252.10
Connecting to guardian.co.uk (guardian.co.uk)|77.91.252.10|:80… connected.
HTTP request sent, awaiting response… 301 Moved Permanently
Location: https://www.guardian.co.uk/ [following]
--2013-06-24 21:46:03-- https://www.guardian.co.uk/
Resolving www.guardian.co.uk (www.guardian.co.uk)… 103.245.223.192, 103.245.223.129
Connecting to www.guardian.co.uk (www.guardian.co.uk)|103.245.223.192|:80… connected.
HTTP request sent, awaiting response… 200 OK

So – “www.guardian.co.uk” is on one of two IP addresses (103.245.223.192 and 103.245.223.129). This is confirmed by another lookup of “www.guardian.co.uk”.

Non-authoritative answer:
www.guardian.co.uk canonical name = www.guardian.co.uk.global.prod.fastly.net.

So “www.guardian.co.uk” is an alias for a machine at fastly.net called “www.guardian.co.uk.global.prod.fastly.net”,

and that resolves to:

> www.guardian.co.uk.global.prod.fastly.net
Server: 4.2.2.1
Address: 4.2.2.1#53

Non-authoritative answer:
www.guardian.co.uk.global.prod.fastly.net canonical name = global.prod.fastly.net.
Name: global.prod.fastly.net
Address: 103.245.223.192
Name: global.prod.fastly.net
Address: 103.245.223.129

And where are 103.245.223.192 and 103.245.223.129?

Well, the netblock 103.245.223.0 – 103.245.223.255 is, as you would expect, owned by Fastly Inc, based in San Francisco, California.

whois 103.245.223.192
% [whois.apnic.net node-2]
% Whois data copyright terms https://www.apnic.net/db/dbcopyright.html

inetnum: 103.245.223.0 - 103.245.223.255
netname: FASTLYINC-AP
descr: Fastly, Inc
country: SG
admin-c: FIA3-AP
tech-c: FIA3-AP
status: ASSIGNED PORTABLE
mnt-by: APNIC-HM
mnt-routes: MAINT-FASTLYINC-AP
mnt-irt: IRT-FASTLYINC-AP
remarks: -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+
remarks: This object can only be updated by APNIC hostmasters.
remarks: To update this object, please contact APNIC
remarks: hostmasters and include your organisation’s account
remarks: name in the subject line.
remarks: -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+
changed: hm-changed@apnic.net 20130124
source: APNIC

role: Fastly Inc administrator
address: PO Box 78266, San Francisco, CA, 94107, San Francisco CA
country: US
phone: +1 410 703 8240
fax-no: +1 410 703 8240
e-mail: chris@fastly.com
admin-c: FIA3-AP
tech-c: FIA3-AP
nic-hdl: FIA3-AP
mnt-by: MAINT-FASTLYINC-AP
changed: hm-changed@apnic.net 20130124
source: APNIC

Netcraft reports:

Linux Apache 11-Jun-2013 103.245.223.129 Fastly, Inc
Linux Apache 9-May-2013 199.27.77.129 Fastly
Linux Apache 9-May-2013 199.27.77.192 Fastly
Linux Apache 8-May-2013 199.27.76.129 Fastly
Linux Apache 9-Apr-2013 199.27.77.129 Fastly
Linux Apache 8-Apr-2013 199.27.77.129 Fastly
Linux Apache 9-Mar-2013 77.91.248.30 www.guardian.co.uk
Linux Apache 6-Mar-2013 77.91.249.30 www.guardian.co.uk
Linux Apache 8-Feb-2013 77.91.248.30 www.guardian.co.uk
Linux Apache 30-Jan-2013 77.91.249.30 www.guardian.co.uk

(Well, at least they are running on Linux)

Way to go Guardian! Not only is their mail handled in the US, but all traffic to and from the website also appears to go the same way.

I assume that they knew that of course……
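To turn the sequence of lookups above (MX records, then the A/CNAME chain for each host, then the whois netblock) into one repeatable check, here is an added Python example; it is not code from the original post. It parses nslookup-style output and joins every address against a netblock table. The embedded input is the post's own lookup output, and the two netblocks come from the ARIN and APNIC records quoted above, so it runs offline; the names `trace`, `locate`, `resolve` and the `NETBLOCKS` table are the example's own. For real use, replace the embedded text with live `nslookup`/`whois` captures.

```python
"""Trace where a domain's mail and web traffic terminates.

Added example, not code from the original post. It joins nslookup-style
output with registry netblock records (the kind of ARIN/APNIC data quoted
above) so the MX -> A -> netblock -> organisation chain becomes one call.
"""
import ipaddress
import re
from collections import defaultdict

# nslookup output as it appears in the post (the resolver's own
# "Server:/Address:" lines are kept to show that the parser ignores them).
NSLOOKUP_OUTPUT = """\
guardian.co.uk mail exchanger = 30 guardian.co.uk.s200b1.psmtp.com.
guardian.co.uk mail exchanger = 40 guardian.co.uk.s200b2.psmtp.com.
guardian.co.uk mail exchanger = 10 guardian.co.uk.s200a1.psmtp.com.
guardian.co.uk mail exchanger = 20 guardian.co.uk.s200a2.psmtp.com.
Server: 4.2.2.1
Address: 4.2.2.1#53
Name: guardian.co.uk.s200a1.psmtp.com
Address: 207.126.147.10
Name: guardian.co.uk.s200a2.psmtp.com
Address: 207.126.147.12
Name: guardian.co.uk.s200b1.psmtp.com
Address: 207.126.147.13
Name: guardian.co.uk.s200b2.psmtp.com
Address: 207.126.147.14
www.guardian.co.uk canonical name = www.guardian.co.uk.global.prod.fastly.net.
www.guardian.co.uk.global.prod.fastly.net canonical name = global.prod.fastly.net.
Name: global.prod.fastly.net
Address: 103.245.223.192
Name: global.prod.fastly.net
Address: 103.245.223.129
"""

# Netblock table built from the ARIN (Postini) and APNIC (Fastly) records
# quoted in the post: CIDR, organisation, registered location.
NETBLOCKS = [
    ("207.126.144.0/20", "Postini, Inc.", "Mountain View, CA, US"),
    ("103.245.223.0/24", "Fastly, Inc", "San Francisco, CA, US"),
]

MX_RE = re.compile(r"^(\S+?)\.?\s+mail exchanger = (\d+)\s+(\S+?)\.?$")
CNAME_RE = re.compile(r"^(\S+?)\.?\s+canonical name = (\S+?)\.?$")
NAME_RE = re.compile(r"^Name:\s+(\S+)$")
# A bare IPv4 answer; the resolver line "Address: 4.2.2.1#53" does not match.
ADDR_RE = re.compile(r"^Address:\s+(\d{1,3}(?:\.\d{1,3}){3})$")


def parse_nslookup(text):
    """Return (mx, cname, addrs) tables parsed from nslookup-style output."""
    mx = defaultdict(list)      # domain -> [(preference, host)]
    cname = {}                  # alias -> canonical name
    addrs = defaultdict(list)   # name -> [IPv4 address]
    current = None              # name that following Address: lines belong to
    for raw in text.splitlines():
        line = raw.strip()
        if m := MX_RE.match(line):
            mx[m.group(1)].append((int(m.group(2)), m.group(3)))
        elif m := CNAME_RE.match(line):
            cname[m.group(1)] = m.group(2)
        elif m := NAME_RE.match(line):
            current = m.group(1)
        elif (m := ADDR_RE.match(line)) and current:
            addrs[current].append(m.group(1))
    return mx, cname, addrs


def resolve(name, cname, addrs):
    """Follow CNAMEs (guarding against loops); return (final name, [ips])."""
    seen = set()
    while name in cname and name not in seen:
        seen.add(name)
        name = cname[name]
    return name, list(addrs.get(name, []))


def locate(ip, netblocks=NETBLOCKS):
    """Map an address to the first netblock that contains it."""
    addr = ipaddress.ip_address(ip)
    for cidr, org, where in netblocks:
        if addr in ipaddress.ip_network(cidr):
            return org, where
    return "unknown", "unknown netblock"


def trace(domain, text=NSLOOKUP_OUTPUT):
    """For each MX (in preference order) and each web address: who hosts it, where."""
    mx, cname, addrs = parse_nslookup(text)
    mail = []
    for pref, host in sorted(mx.get(domain, [])):
        _, ips = resolve(host, cname, addrs)
        for ip in ips:
            mail.append((pref, host, ip) + locate(ip))
    final, ips = resolve("www." + domain, cname, addrs)
    web = [(final, ip) + locate(ip) for ip in ips]
    return {"mail": mail, "web": web}


if __name__ == "__main__":
    for kind, rows in trace("guardian.co.uk").items():
        for row in rows:
            print(kind, *row)
```

The MX list is walked in preference order because the lowest-preference host is where mail goes first, but every host is reported: a secondary MX in a different netblock is exactly the kind of detail a single lookup of the primary would miss.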

Permanent link to this article: https://baldric.net/2013/06/24/more-irony/

8 comments


    • Peter on 2013/06/28 at 2:14 pm

    First, let me add to the pile of irony – I’ll come back to the topic in a few lines:

    “The National Security Agency Web site (NSA.GOV) is provided as a public service by the National Security Agency. NSA is committed to protecting your privacy and will collect no personal information about you unless you choose to provide that information to us”

    Yes, that’s the Privacy Statement on the NSA website :p

    Now, what you have dug up is actually not uncommon, but is -entertainingly- a proper breach of the UK Data Protection Act. The problem is that companies that had themselves fooled by the Safe Harbor scam, sorry, scheme now have a problem too as the Snowden stuff shows it up for the illusion it is. We do this sort of lookup so often I actually should put it in a script :).

    • Mick on 2013/06/28 at 2:35 pm
      Author

    Peter

    What I find most amusing is the idea that any/all “letters to the guardian” or website commentary will, of necessity, have traversed the very boundary that facilitates interception.

    Of course, no-one is looking though.

    Mick

    • Peter on 2013/06/28 at 3:14 pm

    Well, there’s another fun scam going on too, but with MessageLabs (no surprise, actually). You will find companies that care about Data Protection use the Messagelabs server in Europe which is called something like (blabla)2.eu.messagelabs.com. That should be OK, right? It has “eu” in the name? If you geolocate this you will indeed find it in the EU (Amsterdam, I think), but there are 2 problems with that:

    1 – their NS is in the US, so setting up an MITM redirect for intercept takes only as long as the propagation time of the DNS record
    2 – the secondary MX is (to re-use my invented name) (blabla)2b.eu.messagelabs.com (notice the “b”). When you track that one it’s not “eu” at all – it’s in the US. So, run a denial of service on the first entry in the MX list and traffic will nicely fail over to a path that leads through the US.

    I must admit, I do have some grudging admiration for a strategy that creates even redundancy in intercept, but they’re not the first. Say, for instance, that you don’t like Google so you never got Gmail. You search via Startpage.com. Well, Google is still tracking you. First of all via its ubiquitous Google analytics, but let’s assume you blocked that.

    Enter Google fonts. Because it’s so stupidly complex to use your own fonts in a design, Google has created a service from where you can use their fonts via an API. Nice of them, right? Well, every single WordPress template is infested with them, and so there is more tracking possible. Your website, for instance, loads up
    https://themes.googleusercontent.com/static/fonts/pontanosans/v1/gTHiwyxi6S7iiHpqAoiE3OY5mlVXtdNkpsMpKkrDXP4.woff – mine does too, but we’re working on replacing those parts of the template.

    So, in theory it ought to be possible to co-opt every single WordPress site if you have a way to prevent caching..

    • Mick on 2013/06/28 at 5:43 pm
      Author

    Peter

    Well the messagelabs NS server location issue is moot because they use a .com domain name and that is US owned anyway. I have the same problem with most of my domain names (.net) because they can easily be subverted (or simply blocked) by changes to the root servers. I have one .uk domain name, but I’m reserving that for a site I have in mind for later. However, I agree that a simple DDOS of the messagelabs primary mailserver would have an interesting effect.

    Your point about google fonts is interesting too. I would be worried if every website visit resulted in a call to google, but my understanding of the way google fonts works suggests that is not true. According to the FAQ on the api site (https://developers.google.com/fonts/faq) the compressed font file is only downloaded the /first/ time it is encountered, thereafter it is cached in the browser and subsequent uses do not entail a further callback. Of course I could be wrong and I may now do some experimentation, and as you say, if your adversary can disable the browser cache then every subsequent use /will/ require a callback.

    What fun!

    Mick

    (Oh, and I do routinely block google analytics – see my old post here.)

    • Peter on 2013/06/28 at 6:54 pm

    In this context you ought to read The Register. I had to laugh.

    I quote “Ed had innocently enrolled in a superpower spying agency, as one does, but was shocked to discover that the public communications network, designed to be entirely open with no security whatsoever and that was used for sharing absolutely every intimate personal detail, was being watched. Sometimes the most intimate information we shared was even recorded.” :)

    See https://www.theregister.co.uk/2013/06/28/steve_bong_snowden_and_me/ – and enjoy :).

    As for web analytics, I found Counterize to work reasonably well albeit a tad confusing because you can never quite predict when it’s emailing you :). Re. Google, I’m dealing with a case that’s been running for 3 months now and is about to cause an international company to get hit by regulators in 3 different countries. Their upper management hasn’t quite realised the media train wreck heading their way yet…

    • Mick on 2013/06/28 at 7:17 pm
      Author

    Peter

    I read it. Amused me too. As I said in my own post about Snowden, there is more than a touch of the Captain Renault’s about all this.

    (I also use counterize, but I don’t let it email me.)

    Mick

    • Nusuno Karya on 2013/07/08 at 3:09 pm

    Hmm, it appears like your blog ate my first comment (it was extremely long) so I guess I’ll just sum up what I had written and say, I’m thoroughly enjoying your blog. I too am an aspiring blog writer but I’m still new to everything. Do you have any suggestions for novice blog writers? I’d definitely appreciate it.

    • Mick on 2013/07/08 at 4:52 pm
      Author

    Almost certainly spam. But just in case it isn’t, I’ll let it through:- with the requested advice.

    “Just write.”
