(Simple Mail Transfer Protocol Server)
55,089 IPs with exposed monitoring interfaces, belonging to a variety of users and clients of PowerMTA, the SMTP email server provided by SparkPost, were found in FOFA, a cyberspace search engine.
PowerMTA product background: previously owned by Port25 Solutions, Inc., which was acquired in 2015 by Message Systems. Later, SparkPost became Message Systems' new company name for its cloud business, and the Port25 products were rebranded under SparkPost as well.
While many of the exposed interfaces only show logs in read-only (monitor) mode, others give full control over the interface in admin mode.
The company was informed more than once and refused to handle the issue.
Some of the clients have, in a single log file, metadata of more than 450,000 emails, so the estimated exposure is metadata for at least hundreds of millions of listed emails; this number could be billions.
Basically, it's heaven for spammers, scammers and other actors who collect emails for a variety of uses, and that's why I waited for the company to act, with no success.
Some of the users seem to be less legitimate and might be spammers and scammers who are misusing the product.
Many of the interfaces are running on Linux VPS (Virtual Private Servers).
The exposure can allow a potential attacker to gain access to a variety of activities, including:
· Status
· Queues
· Domains
· Virtual MTAs
· Jobs
· Logs
· Edit configuration
· Show/enter license key
· Start PowerMTA
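The difference between a monitor-only interface and one that hands out admin mode comes down to who the server's HTTP access rules let in. The following script is an added example (not code from the original post, and not a SparkPost/PowerMTA tool) that audits a PowerMTA configuration fragment for management-interface access rules reachable from outside loopback or RFC 1918 / ULA space. It assumes the directive names `http-mgmt-port <port>` and `http-access <ip-or-cidr> <monitor|admin>` as I know them from the product documentation; the two configuration fragments are constructed for the example and are not taken from any real deployment.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample (not from any real host). Directive names are an
# assumption of this example, following the PowerMTA documentation as I know it:
#   http-mgmt-port <port>
#   http-access <ip-or-cidr> <monitor|admin>
WEAK_CONFIG = """\
# Weak: read-only monitor access for the whole internet, and full admin
# access from an entire public /24 (this is the pattern behind the exposures).
http-mgmt-port 8080
http-access 0/0 monitor
http-access 203.0.113.0/24 admin
http-access 127.0.0.1 admin
"""

HARDENED_CONFIG = """\
# Hardened: admin only from loopback (reach it over SSH/VPN, never directly
# from the internet), monitor only from an internal management range.
http-mgmt-port 8080
http-access 127.0.0.1 admin
http-access 10.20.0.0/24 monitor
"""

# Address space from which management access is considered acceptable.
# Anything else (including documentation ranges used in the sample) is flagged.
ALLOWED_SOURCES = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "::1/128", "fc00::/7",
)]


@dataclass
class Finding:
    network: str   # normalised source network of the offending rule
    level: str     # "monitor" or "admin"
    reason: str


def _parse_network(token: str):
    """PowerMTA accepts '0/0' as a catch-all; normalise it so ipaddress can parse it."""
    if token == "0/0":
        token = "0.0.0.0/0"
    return ipaddress.ip_network(token, strict=False)


def _is_internal(net) -> bool:
    """True when the rule's network lies entirely inside loopback or private space."""
    return any(net.version == a.version and net.subnet_of(a) for a in ALLOWED_SOURCES)


def management_port(config_text: str) -> Optional[int]:
    """Return the configured http-mgmt-port, or None if the directive is absent."""
    for raw in config_text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0].lower() == "http-mgmt-port":
            return int(parts[1])
    return None


def audit_http_access(config_text: str) -> List[Finding]:
    """One Finding per http-access rule that exposes the management UI externally."""
    findings: List[Finding] = []
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if parts[0].lower() != "http-access" or len(parts) < 3:
            continue
        net = _parse_network(parts[1])
        level = parts[2].lower()
        if net.prefixlen == 0:
            findings.append(Finding(str(net), level,
                                    f"grants {level} access to every address"))
        elif not _is_internal(net):
            findings.append(Finding(str(net), level,
                                    f"grants {level} access from outside loopback/private space"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"[{name}] management port: {management_port(cfg)}")
        for f in audit_http_access(cfg):
            print(f"  {f.level:7s} {f.network:18s} {f.reason}")
```

The audit only looks at the configuration, so a rule that reads as internal can still be exposed if the host has no packet filter in front of the management port; pair the check with a firewall rule on that port, and keep admin access on loopback only.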
Link to Fofa.so (like Shodan):
Dork
Due to the impact involved in this case and the amount of metadata with email listings involved, I decided to let the company deal with the case for much longer than is usually needed, even though I knew they had basically rejected any action in the case. I waited almost a year.
At the time I reported the issue, the number of exposed IPs was 24,835; now the number is 55,089 IPs.
Timeline:
04.05.2019
First report sent to the Port25 support email.
04.05.2019
Auto reply from the SparkPost email with the case number and the following text:
“Hello, Thank you for contacting Port25 Support. A Port25 Support Analyst will get back to you shortly during business hours (Mon-Fri 9:00am ET - 5:00pm ET). Please allow for additional response time when submitting a case over the weekend or during a holiday period. In order to better assist you, please ensure you have provided the software version and configuration file where applicable. If you have any additional information to add to this case, please reply to this email. Best regards, The Port25 Support Team”
No answer by email, and no Analyst contacted me.
13.05.2019
I called them by phone at
Since I'm not a client they didn't want to share information or data, and they didn't ask for more details. They confirmed they had received the email about the issue.
16.05.2019
Answer from the Israeli CERT: the Israeli Cyber Emergency Response Team (CERT) communicated with them as well, following my report, and basically got the answer that SparkPost won't deal with the issue.
19.09.2019
I sent another email regarding the case to support at Port25, with no reply.
20.10.2019
An email was sent to the privacy department at SparkPost; I got no reply.
Screenshots (captions only): Logs; Logs metadata; Edit configuration; Enter command interface; Domains interface; Current license key info.