Autoresponse Plus Security Issue

Over the past week, we've been made aware of a potential security issue affecting users of Autoresponse Plus. So far, the instances we've seen have all involved ARP3, and they are a serious concern.

In a nutshell, attackers are breaking into Autoresponse Plus accounts (not the server, but the actual email client itself).

NOTE: This vulnerability is not exclusive to, or in any way related to, the hosting provider or server choice. This is a problem with Autoresponse Plus (ARP/ARP3). It has been found on a variety of web hosts running all different applications and across a number of different industries and markets.

As a result, here is some of what is happening:

1. Sending out blatant spam. Here's an example of a message:

   Hello Friend,
   Note: This offer will be gone without any notice.
   Your KINDLE competition will surrender like little crybabies!
   Get this with 72% DISCOUNT! HURRY!

2. Changing account information inside of your Autoresponse Plus installation. In other words, they are actually CHANGING the email address set up in your ARP account. This means password resets, notifications, etc. will all be going to the email address they change it to. (So far, these all appear to be addresses at Hotmail, Gmail, and Yahoo domains.)

3. Downloading your email list. We have verified that, inside several accounts, the "hacker" has downloaded the contact list. For obvious reasons, this is a big issue...

How Is Autoresponse Plus Getting Hacked?

We are not 100% certain of all the ways in which this is happening, because the log files on the servers we've looked at had already expired, but it appears to be due to a "SQL injection". To keep things simple, there is a problem with ARP which exposes elements of the database to attackers.

The Autoresponse Plus (ARP3) admin password is not encrypted, and a hacker can essentially overwrite the admin user email address and use it to retrieve the password, as well as retrieve an export of all email addresses in the system.

How to Fix the Problem

The only surefire way to solve the problem is to REMOVE Autoresponse Plus (ARP3) from your server. There are several ways in which the security can be compromised.

Next Steps

There's a good chance your IP reputation has been affected by the hack, so you'll want to do a few things right away to restore your reputation and improve it overall.

1. Remove ARP3 (none of our clients or partners have "fixed" it. They've simply opted for another solution such as Interspire).

2. Check your IP address at Senderscore.org.

3. Verify that your server has all of the necessary authentication on it (DKIM, DomainKeys, SPF, etc.).

4. Verify that your feedback loops are all set up and working.

5. Watch your complaints VERY closely for the next 7-10 days to make sure the problem is resolved (if you've not set up a new email client).

6. Practice impeccable list hygiene (in other words, get the bad subscribers out of your list ASAP). You will want to review all of the bounce data outside of Autoresponse Plus, as Autoresponse Plus (ARP) is rather inaccurate in its bounce reporting statistics because it, and its bounce rules in particular, has not been updated in some time.

7. Until your reputation has rebounded to upper 80s/lower 90s, you'll want to clean your list after each broadcast or promotion. After that, you'll want to practice routine list hygiene on a weekly basis and stay on top of complaints, removing those subscribers from your list ASAP.

8. Watch for irregularity in your mail log (such as mail bound to people not on your list).

For more information on this security issue as we come across more examples, for alternative email clients, and general email deliverability information, visit www.EmailDelivered.com.
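One way to carry out the mail log check from step 8, as an added example (not code from Autoresponse Plus or from the original article): it compares recipients in the mail log against your exported subscriber list and counts every delivery attempt to an address that is not on it. It assumes Postfix-style `to=<...>` log lines; the function names, sample addresses and log lines are constructed for illustration.

```python
import re
from collections import Counter

# Assumption: Postfix-style delivery lines ("QUEUEID: to=<addr>, ...").
# Adjust the pattern if your mail server logs in a different format.
DELIVERY = re.compile(r"postfix/\w+\[\d+\]: [0-9A-F]+: to=<(?P<rcpt>[^>]+)>")

def load_subscribers(lines):
    """Normalise an exported list (one address per line) to a lowercase set."""
    cleaned = (line.strip().lower() for line in lines)
    return {addr for addr in cleaned if addr and not addr.startswith("#")}

def off_list_recipients(log_lines, subscribers, allow_domains=()):
    """Count delivery attempts to addresses that are not subscribers.

    allow_domains holds domains you legitimately mail outside the list
    (for example your own domain for admin notifications).
    """
    hits = Counter()
    for line in log_lines:
        m = DELIVERY.search(line)
        if not m:
            continue  # not a delivery line (qmgr, cleanup, smtpd, ...)
        rcpt = m.group("rcpt").lower()
        if rcpt in subscribers or rcpt.rpartition("@")[2] in allow_domains:
            continue
        hits[rcpt] += 1
    return hits

# Constructed sample data (documentation domains and addresses only).
SAMPLE_LIST = ["# exported subscribers", "alice@example.com", "Bob@Example.net", ""]
_P = "Mar  3 10:15:0{n} mail postfix/smtp[2101]: {q}: to=<{r}>, relay=mx[192.0.2.10]:25, status={s}"
SAMPLE_LOG = [
    "Mar  3 10:15:00 mail postfix/qmgr[900]: 4F1A2B3C4D: from=<news@example.org>, size=2048, nrcpt=1",
    _P.format(n=1, q="4F1A2B3C4D", r="alice@example.com", s="sent"),
    _P.format(n=2, q="4F1A2B3C4E", r="bob@example.net", s="sent"),
    _P.format(n=3, q="4F1A2B3C4F", r="stranger1@example.edu", s="deferred"),
    _P.format(n=4, q="4F1A2B3C4F", r="stranger1@example.edu", s="sent"),
    _P.format(n=5, q="4F1A2B3C50", r="Stranger2@example.edu", s="bounced"),
    _P.format(n=6, q="4F1A2B3C51", r="admin@example.org", s="sent"),
]

if __name__ == "__main__":
    subs = load_subscribers(SAMPLE_LIST)
    for rcpt, n in off_list_recipients(SAMPLE_LOG, subs, ("example.org",)).most_common():
        print(f"{n:3d}  {rcpt}")
```

Deferred and bounced attempts are counted as well as successful ones, since any attempt to mail someone outside the list is the irregularity you are looking for.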