יום שישי, 13 במרץ 2020

PowerMTA (SMTP Email Server) monitoring interfaces by SparkPost got exposed in Fofa search engine


PowerMTA is SMTP Server provided by SparkPost
(Simple Mail Transfer Protocol Server)

55,089 IPs with monitoring interfaces belong to verity of users and clients of PowerMTA, the SMTP Email Server provided by SparkPost - got exposed in FOFA cyberspace search engine.




PowerMTA product background:
Previously own by Port25 Solutions,Inc.



Later, SparkPost became Message Systems new company name for its cloud business, and Port25 products got rebranded as well under SparkPost, 







While many of the exposed interfaces has logs in read only mode, others have full control on the interface in admin mode.
Company got inform more than one time and refuse to handle to issue.

Some of the clients has in one log file metadata of more than 450,000 emails, so the estimated is metadata of the exposure is at least hundreds of millions of listings emails, this numbers can be billions.

Basically, it's heaven for spammer/scammer and other actors who collect emails for verity of uses, and that’s why I waited for the company to act, with no success.

Some of the users seems to be less legitimate and might be spammers and scammer who are misusing the product.

Many of the interfaces are running on Linux VPS (Virtual Private Servers)

The exposure can allow potential attacker to gain access to verity of activities included:
·  Status
·  Queues
·  Domains
·  Virtual MTAs
·  Jobs
·  Logs
·  Edit configuration
·  Show/enter license key
·  Start PowerMTA


Link to Fofa.so (like Shodan):

Dork

Due to the impact involved in this case and the amount of metadata with emails listing being involved, I decided to let the company to deal with the case much longer then usually needed, this while I knew they basically rejected any act in the case.
I waited almost a year.

During the time when reported the issue, the sum of exposed IP's were 24,835 IP’s, now the numbers are 55,089 IPs.


Timeline:

04.05.2019
First report by support email of port25
04/05/2019 
Auto replay from SparkPost email
with the case number 
and the following text:

“Hello,

Thank you for contacting Port25 Support. A Port25 Support Analyst will get back to you shortly during business hours (Mon-Fri 9:00am ET - 5:00pm ET). Please allow for additional response time when submitting a case over the weekend or during a holiday period. In order to better assist you, please ensure you have provided the software version and configuration file where applicable. If you have any additional information to add to this case, please reply to this email. Best regards, The Port25 Support Team”

No answer by email, and no Analyst contacted me.

13.05.2019
I call them by phone at 
Since I'm not a client they didn’t wanted to share information or data, they didn’t ask for more details.
They confirm they did receive the email about the issue.

16.05.2019
Answer from the Israeli CERT:
The Israeli Cyber EmergencyResponse Team (CERT) communicated with them as well, followed my report  - and basically got answer that SparkPost won't deal in the issue.

19.09.2019
I've sent another email regards the case to support at Port25, with no replay.

20.10.2019
An email sent to the privacy department at SparkPost, I got no replay.





Logs


Logs metadata:




Edit configuration 


Enter command interface


Domains interface


Current license key info



המצור הדיגיטלי של טינדר על רצועת עזה והאזורים שמעבר לקו הירוק, ומה הקשר לצפון קוריאה?

For my English reader: I've found that Passport  feature which is part of Tinder Plus services , is not supported in Gaza and behind ...