Beamtic's SMTP server was recently hacked into and abused to send spam. It effectively became an open relay, and I spend probably 1-2 days investigating what was happening, as well as making configuration changes to prevent future abuses.
It is unknown how many e-mail's was sent before the situation was discovered, but at the time the server was shut down, thousands of spam mails was stuck in the mail queue (without being sent).
Now, this is, unfortunately, something that is hard to avoid. When it does happen, you will therefor want to limit the extend of the abuse through rate limiting, SPF records and other options; the problem is, the server was not configured properly, and essentially allowed a user to specify any "from" e-mail they wanted.
How the attacker gained access
I did of course already anticipate that the server could be hacked, so I had already configured the server with fail2ban to prevent brute-force attempts. However, as it turned out, the attacker gained access to the root account—which was not password protected, and therefor managed to circumvent the security settings.
Since I only connect to the server with a key-file, via SFTP or SSH, and since the connection is limited to specific IP addresses, the root user had no password configured. I think this setup is actually standard on AWS EC2 instances—but clearly it is not a good idea, since an attacker might still connect on other open service.
Steps taken to secure the server
To prevent further access, I only had to add a password to the root account.
Some of the other steps I took is mainly intended to limit potential future abuse in case the server is again hacked into. Combined, these steps should severely limit the use that any attacker gets from hacking into Beamtic's SMTP.
- The root account has been updated with a password.
- E-mail sending has been rate limited.
- Users can no longer specify a "FROM" address that does not belong to their account.
- fail2ban was updated with longer ban times.
- I am actively monitoring my logs for suspicious logins.
I also reported one of the IP addresses used, although it is unknown if the ISP in the involved country is taking these reports seriously.
If any of these e-mails got through to you, then I am sorry about any inconvenience it might have caused.