This is a topic that should interest all MXroute customers. I want to stress that this is not about a security issue with MXroute, and no MXroute services have been compromised. The only compromises I am referring to are customers using the same passwords across the internet, where other services may not end up being safe places.
Over time it has become increasingly apparent that spammers want to use the MXroute infrastructure to send spam. In fact, I’m convinced that they specifically target our customers to try to find ways to get inside and use our infrastructure to send that spam. For this reason, I want to stress that you should be using unique passwords for every single account on the internet. I won’t force you to, but I might not be able to do business with you for long if you continually use passwords that are easily stolen somewhere else on the internet and then used to abuse our service.
I’ve noticed that when spammers compromise customer account passwords at MXroute, they do not brute force (attempt passwords until they find one that works), and they do not use any secret path (like a compromised server on our side). Instead, they directly authenticate as our users over SMTP, using our customer’s email passwords. These events tend to happen in groups by server. This leads me to believe that the spammers are first looking for groups of customers (perhaps by MX record), searching to see who they can find on compromised password lists (passwords found from compromises of other services, where email login might correlate), and then they use one or two email accounts per day until they exhaust their findings. This typically only occurs in bursts of 1-3 days and then they rest for a bit.
If you’ve dealt with IT security, none of this is news or interesting (except perhaps the pattern that we see). If you haven’t, this may raise some questions. I’m going to take a shot at guessing these and answering them.
Are you sure this isn’t a problem with MXroute security, and that your servers haven’t been compromised?
As much as anyone can ever be. I may not know about some unpublished vulnerability used by state actors to undermine governments, but I do keep up with known vulnerabilities for both the open and closed source software that we use and apply patches as soon as they are made. I do audit the security of the servers regularly, and there have never been any signs of intrusion. Given how common it is for people to reuse passwords, and how many services have been compromised over the last decade, it is far more reasonable to assume that I am accurate in my understanding of the cause of these events.
Why don’t you enforce stronger passwords?
A couple of reasons, actually. The first being that if you reuse a password across the internet that matches security requirements, this does nothing to prevent the situation. The second is that there is no increase in security by customers leaving in annoyance and using another service that does not have these requirements. In the past when we had enforced this, customers did complain about stronger password requirements and they did take their business elsewhere to not be subject to it. Sometimes meaning well doesn’t result in a positive net impact on the result.
Where do people find these passwords?
Over time there have been so many compromised services across the internet, and in recent years people have begun compiling databases from these compromises into what are called “combolists.” These are gigantic databases of known login information from compromises that go at least as far back as the first major Yahoo compromise. I can show you three places right now where you can go and probably find some of your old passwords on a number of combolists:
Scary, right? I’ve found a number of my old passwords in there. I’ve found incredibly important corporate accounts for major businesses in them as well. This should highlight why it’s important that a password compromise ONLY compromise what was compromised, and not all of the rest of your internet accounts.
What do you do to combat this?
I suspend outbound mail for the compromised accounts and email the customer to let them know. These days it doesn’t happen for long before it’s caught, and plenty of filters prevent a number of these events, but it still happens and should be highlighted.
Why not use two-factor authentication?
We wanted to provide basic SMTP/POP/IMAP service, and not something that requires direct integration by the developers of your email applications. The protocols themselves do not support two-factor authentication. We can talk about things like app passwords (unique passwords generated by us for your applications), but that really defeats the type of service that we set out to be and isn’t actually two-factor authentication in the first place.
Aren’t you afraid that this makes MXroute look bad?
Absolutely not. They want your email accounts because they want to use the service we’ve worked so hard to build out for you. We should be flattered, and you should know that it is an indication of the quality of work that is being done to provide you with a high quality service. The higher the quality of email delivery, the higher the value the service will have to spammers.
If you’d like to discuss this or ask questions about it, we’ve created a space for that: