1. Login

Beamtic's SMTP Server Was Hacked

How Beamtic's e-mail server was hacked, and what I did to limit future abuses.

344 views
d

By. Jacob

Edited: 2020-07-10 07:14

Beamtic's SMTP server was recently hacked into and abused to send spam. It effectively became an open relay, and I spend probably 1-2 days investigating what was happening, as well as making configuration changes to prevent future abuses.

It is unknown how many e-mail's was sent before the situation was discovered, but at the time the server was shut down, thousands of spam mails was stuck in the mail queue (without being sent).

Now, this is, unfortunately, something that is hard to avoid. When it does happen, you will therefor want to limit the extend of the abuse through rate limiting, SPF records and other options; the problem is, the server was not configured properly, and essentially allowed a user to specify any "from" e-mail they wanted.

How the attacker gained access

I did of course already anticipate that the server could be hacked, so I had already configured the server with fail2ban to prevent brute-force attempts. However, as it turned out, the attacker gained access to the root account—which was not password protected, and therefor managed to circumvent the security settings.

Since I only connect to the server with a key-file, via SFTP or SSH, and since the connection is limited to specific IP addresses, the root user had no password configured. I think this setup is actually standard on AWS EC2 instances—but clearly it is not a good idea, since an attacker might still connect on other open service.

Steps taken to secure the server

To prevent further access, I only had to add a password to the root account.

Some of the other steps I took is mainly intended to limit potential future abuse in case the server is again hacked into. Combined, these steps should severely limit the use that any attacker gets from hacking into Beamtic's SMTP.

Steps taken:

  1. The root account has been updated with a password.
  2. E-mail sending has been rate limited.
  3. Users can no longer specify a "FROM" address that does not belong to their account.
  4. fail2ban was updated with longer ban times.
  5. I am actively monitoring my logs for suspicious logins.

I also reported one of the IP addresses used, although it is unknown if the ISP in the involved country is taking these reports seriously.

If any of these e-mails got through to you, then I am sorry about any inconvenience it might have caused.

Share with your friends:

Tell us what you think:

  1. Blocking sender email addresses with Postfix
    How to block sender e-mail addresses and domains in Postfix to effectively eliminate marketing spam.
  2. How to set up SPF checking in Postfix
    Configure Postfix to check SPF records and fight e-mail spoofing.
  3. DNS SPF Records
    How to use SPF records to increase the likelihood that your e-mails will be received and not go to spam.
  4. Rate Limiting with Postfix
    Rate limiting your postfix server to limit the amount of e-mail a single user can send.
  5. Adding a PTR Record for an Elastic IP on AWS
    To add or update a PTR record for an AWS IP, you will need to contact Amazon through the: Request to remove email sending limitations form. Read more in this article.

More in: Mail Servers