I recently watched The Laundromat with Antonio Banderas, Gary Oldman and Meryl Streep. It’s a great film. It’s about the Mossack Fonseca scandal: a law firm that set up offshore shell companies to facilitate the hiding and protecting of assets, much of which was illegal or unethical. In 2016 their website was hacked, their mail server compromised and 11.5 million documents were leaked.
The result was staggering. It implicated 12 current or former world leaders and 128 public officials and politicians, including the Icelandic prime minister Sigmundur Gunnlaugsson and the British prime minister David Cameron. It was an unveiling of dirty money scandals on a previously unknown scale.
But the mistake they made was obvious and avoidable: they ran their email through the same server they used to host their website.
Why is this a problem?
There is a whole raft of reasons why doing this is a bad idea, and I’ll go into each in detail. But the gist of the issue is that websites are low value / high risk environments, whilst email is a high value / low risk environment.
What do I mean by websites being low value?
It might seem strange for a website developer to label his own work as low value. But in business terms websites are low value. Even if they are the primary sales / marketing platform for a business, an outage is unlikely to be business critical. Most websites carry very little sensitive information; most are just marketing and comms platforms used to communicate with the public. Even online stores that take card payments don’t store credit card details, but rather store tokens that can be used to verify to a third-party payment gateway that the site has the right to ask the gateway to process the payment. The actual card information and money are held by the secure third-party payment gateway. The greatest risk is that an attacker will be able to access the client and order database. A GDPR issue certainly, and a minor disaster, but hardly high value information. Not a promising target for a hacker.
So why would a hacker hack a website?
The primary goal of most website hacks is to build the hacker a network of servers that they can remotely control and use as proxies in a more valuable hack. High value targets like banks and email providers have firewalls that limit the number of requests a single IP address can make in a set period of time. If the number of requests is unreasonably high they will block that address. But if a hacker has access to 10,000 proxy servers, they get 10,000 times more attempts before being shut down.
Or they could use the website server to send spam for other fraudulent schemes. Or they could put malware on the site that then installs itself on visitors’ computers.
However, the second two are likely to be detected very quickly. The internet is a network of servers with trust relationships. If a server starts shooting out spam, other servers will quickly blacklist it and its IP address is essentially blocked by the rest of the internet. This would be the kiss of death for a hosting company, so they monitor their servers closely, and if one starts sending spam they will shut the offending server down in a matter of minutes.
Likewise, malware found on the server will likely be picked up very quickly. If the site’s own malware scan finds it first, it will email all site admins. If Google finds it first, Webmaster Tools will notify the site admin by email. If the hosting company finds it first, they will shut the site down and notify their client. If a user finds it first, they will likely report it to the business, and once the business knows they will be on the phone to the web developer. It will likely be a matter of only hours between the hack and the developer being aware of the issue.
And we have lots of tools on hand to deal with it. In most cases hacks can be fixed within five minutes. We clone the server, roll the live site back to a stable backup taken before the hack, diagnose the issue on the clone, find the security flaw and patch it. Then we do a sitewide purge of security credentials and monitor the site.
Embarrassing certainly, but not business critical. The worst case scenario is that you are an online store, your clients’ names and addresses are now public and you have to apologise. But since their names and addresses are likely public information anyway, it’s not likely to do any damage to anyone.
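The firewall described above is a per-source rate limit: it counts requests from each IP address within a time window and blocks an address that exceeds the limit. The following is an added example (not code from the original article) of such a limiter, with constructed sample traffic. It goes slightly beyond the text by also counting attempts per target account, which is the usual mitigation once attempts are spread over many source addresses and no single address ever trips the per-IP limit. The class name, the limits and the sample addresses are illustrative assumptions.

```python
"""Sliding-window login limiter keyed on source IP and on target account.

Added example, not code from the original article. The limits, names and
sample traffic are constructed for illustration.
"""
from collections import defaultdict, deque

WINDOW_SECONDS = 60
MAX_PER_IP = 5        # attempts one source address may make per window
MAX_PER_ACCOUNT = 20  # attempts against one account, whatever the source


class LoginLimiter:
    """Tracks attempt timestamps per source IP and per target account."""

    def __init__(self, window=WINDOW_SECONDS, per_ip=MAX_PER_IP,
                 per_account=MAX_PER_ACCOUNT):
        self.window = window
        self.per_ip = per_ip
        self.per_account = per_account
        self._by_ip = defaultdict(deque)
        self._by_account = defaultdict(deque)

    @staticmethod
    def _prune(bucket, now, window):
        # Drop timestamps that have fallen out of the sliding window.
        while bucket and now - bucket[0] >= window:
            bucket.popleft()

    def check(self, ip, account, now):
        """Return "ok", "blocked-ip" or "blocked-account" for an attempt at time `now`."""
        ip_bucket = self._by_ip[ip]
        acct_bucket = self._by_account[account]
        self._prune(ip_bucket, now, self.window)
        self._prune(acct_bucket, now, self.window)
        if len(ip_bucket) >= self.per_ip:
            return "blocked-ip"
        if len(acct_bucket) >= self.per_account:
            return "blocked-account"
        # Only attempts that were allowed through count towards the limits.
        ip_bucket.append(now)
        acct_bucket.append(now)
        return "ok"


def simulate(attempts, limiter=None):
    """Run a list of (time, ip, account) attempts and return the decision for each."""
    limiter = limiter or LoginLimiter()
    return [limiter.check(ip, account, t) for t, ip, account in attempts]


# Constructed sample traffic: 30 attempts within one minute against one
# account, each from a different documentation-range address, so the per-IP
# limit never fires and only the per-account counter can stop them.
DISTRIBUTED = [(t, f"198.51.100.{t}", "alice") for t in range(30)]
# The same 30 attempts from a single address: the per-IP limit stops these.
SINGLE_SOURCE = [(t, "203.0.113.7", "alice") for t in range(30)]


if __name__ == "__main__":
    for name, traffic in (("single source", SINGLE_SOURCE),
                          ("distributed", DISTRIBUTED)):
        decisions = simulate(traffic)
        print(name, {d: decisions.count(d) for d in sorted(set(decisions))})
```

Running it shows the single-source traffic blocked after 5 attempts, while the distributed traffic gets 20 attempts through before the per-account counter intervenes; with the per-IP rule alone, all 30 would have been allowed.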
Why are mail servers high value?
Your mail server saves every communication your business has made. Every invoice. Every email. Confidential communications. Doctors to patients. Business deals. Strategy plans. Purchasing plans. Negotiations. Financial documents. Internal disputes. Personal emails. Your diary. Your phone book. Bank details. Passwords. The ability to reset passwords and access third-party sites, which means your online banking, your website and the shops where you hold accounts. They can close your accounts. Purge QuickBooks of years of your accounts. If you have a company smartphone plan they can now access your phone. And not only can they read your emails, they can also send them. They can email invoices from you to your clients with their own bank details on them and then set a filter to hide the replies from you. They could just watch you. And if they don’t act overtly you wouldn’t know. They could blackmail you. They could steal money from you. They could blackmail your clients. They could sell your data to your competition. There are all sorts of ways they can make a large personal cash profit from the hack. The motivation is there for them to make some real effort.
So why are websites high risk?
Websites are very complicated systems, and complicated systems are vulnerable systems. They are not individual pieces of software but amalgamations of software from many sources, and each of these sources brings risk with it. A single website will depend on many external resources: the fonts, icons, contact forms, Google Analytics, JavaScript, PHP, Mailchimp, Bootstrap. The list of dependencies goes on and on. And that’s before you even get to plugins. Plugins are independent bits of software that can be easily installed to extend a site’s functions; they are empowering but can be a world of problems.
We expect a website we build to have approximately 12,000 individual files. If there is a single line of malicious code or human error in any of those files then the site can be hacked. And that code does not stay still. All these bits of software get updated frequently, and each update carries new risks and new unknown unknowns.
Websites are high risk because their complexity presents copious opportunities for attackers.
Why are mail servers low risk?
Mail servers are much more secure platforms. The self-hosted versions are simple and barely change from year to year. The commercial business comms platforms are managed by large corporations with massive budgets and teams of specialists dedicated to maintaining security. There are far fewer opportunities for attack and much more effort put into protection.
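With around 12,000 files on a site, finding the one that was altered by hand is hopeless; the practical way to do the "diagnose the issue on the clone" step of the recovery procedure above is to hash every file in the known-good backup and in the clone of the hacked server and compare the two manifests. The following is an added example of that comparison (not the agency's own tooling). The directory layout and file contents are constructed in a temporary directory so it runs offline.

```python
"""Compare a live web root against a known-good baseline manifest.

Added example, not code from the original article. Paths and sample files
are constructed in a temporary directory purely for illustration.
"""
import hashlib
import tempfile
from pathlib import Path


def build_manifest(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            manifest[path.relative_to(root).as_posix()] = digest
    return manifest


def diff_manifests(baseline, live):
    """Return the files added, modified or removed relative to the baseline."""
    common = baseline.keys() & live.keys()
    return {
        "added": sorted(set(live) - set(baseline)),
        "removed": sorted(set(baseline) - set(live)),
        "modified": sorted(p for p in common if baseline[p] != live[p]),
    }


def demo():
    """Constructed scenario: a clean backup and a clone with one edited and one planted file."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp, "backup")
        clone = Path(tmp, "clone")
        for root in (backup, clone):
            (root / "wp-content/plugins/example").mkdir(parents=True)
            (root / "index.php").write_text("<?php echo 'hello'; ?>\n")
            (root / "wp-content/plugins/example/plugin.php").write_text(
                "<?php // plugin ?>\n")
        # Differences that exist only on the clone of the compromised server
        (clone / "wp-content/plugins/example/plugin.php").write_text(
            "<?php // plugin ?>\n<?php /* line appended after the hack */ ?>\n")
        (clone / "wp-content/uploads").mkdir()
        (clone / "wp-content/uploads/cache.php").write_text(
            "<?php // file that is not in the backup ?>\n")
        return diff_manifests(build_manifest(backup), build_manifest(clone))


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

In practice you would store the baseline manifest with the backup it describes, and treat any PHP file under an uploads directory, or any file that has changed without a corresponding update, as the first place to look.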
What happens if I use the same server for both?
Essentially you get the high likelihood of a successful hack associated with a website server combined with the high value of the damage caused by a mail server hack. A hacker can get into the site, move around the server to the mail server and then access your emails. That is what happened to Mossack Fonseca. They had installed Revolution Slider on their WordPress site, it was very out of date, the hacker got in via Revolution Slider and then moved to their mail server.
But wait it gets worse
Your mail and website setup are public information. Hackers write bots that look for businesses whose mail server is the same as their website server. Simply having the same IP address on both will put you on a hacker’s ‘potentially lucrative target’ shortlist.
The internet can see what software and what versions you are running. It is very unlikely that an attack against you will be planned and executed by a human. It is much more likely that a hacker will know of a certain vulnerability in a certain version of a certain bit of software and then create a spider that crawls the web looking for sites that run that version of that software. They might also program the spider to execute a planned attack and exploit. If your domain is on both the ‘potentially lucrative target’ and ‘has known vulnerability’ lists, it’s only a matter of time before you come under attack.
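The "same IP address on both" test is a pair of public DNS lookups: the address records of the domain itself against the address records of the hosts named in its MX records. The following is an added example (not code from the original article) of running that check on your own domain to see whether you would appear on such a shortlist. The lookups are injected as functions so it runs offline against a constructed zone; for a live run you would pass real resolvers (for example built on the dnspython package). The domain names and addresses are constructed, documentation-range values.

```python
"""Check whether a domain's web host and mail exchangers share an address.

Added example, not code from the original article. Resolver functions are
injected so the check runs offline against constructed records.
"""
import ipaddress


def audit_domain(domain, resolve_a, resolve_mx):
    """Resolve web and mail hosts with the supplied lookups and report any overlap.

    resolve_a(hostname) -> list of address strings
    resolve_mx(domain)  -> list of mail exchanger hostnames
    """
    web_ips = {ipaddress.ip_address(a) for a in resolve_a(domain)}
    mx_hosts = resolve_mx(domain)
    mx_ips = {ipaddress.ip_address(a) for h in mx_hosts for a in resolve_a(h)}
    shared = web_ips & mx_ips
    return {
        "domain": domain,
        "web_ips": sorted(map(str, web_ips)),
        "mx_hosts": sorted(mx_hosts),
        "mx_ips": sorted(map(str, mx_ips)),
        "shared": sorted(map(str, shared)),
        "cohosted": bool(shared),  # True means web and mail live on one box
    }


# Constructed zone data (documentation-range addresses, not real hosts).
FAKE_ZONE = {
    "a": {
        "selfhosted.example": ["203.0.113.10"],
        "mail.selfhosted.example": ["203.0.113.10"],  # same box as the website
        "managed.example": ["203.0.113.20"],
        "mx1.mailprovider.example": ["198.51.100.5"],
        "mx2.mailprovider.example": ["198.51.100.6"],
    },
    "mx": {
        "selfhosted.example": ["mail.selfhosted.example"],
        "managed.example": ["mx1.mailprovider.example", "mx2.mailprovider.example"],
    },
}


def fake_a(host):
    """Stand-in for an A-record lookup against the constructed zone."""
    return FAKE_ZONE["a"].get(host, [])


def fake_mx(domain):
    """Stand-in for an MX-record lookup against the constructed zone."""
    return FAKE_ZONE["mx"].get(domain, [])


if __name__ == "__main__":
    for d in ("selfhosted.example", "managed.example"):
        print(audit_domain(d, fake_a, fake_mx))
```

A domain with no MX records at all is reported as not co-hosted, which is correct for the question asked here but worth flagging separately, since such a domain receives no mail.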
Your emails keep going to your clients’ spam folder?
Spam issues are less scary than hacks but also damaging to a business. If you host your own mail server then you are responsible for your mail sender score. This is a score aggregated from hundreds of variables that indicate how spam-like you are. All emails have some spam markers and all recipient mail servers have different thresholds. There is no absolute guarantee that your mail will not go into the recipient’s spam filter. But if your mail server is seen to be trusted and healthy and your individual mail does not have spam-like features, then it will likely arrive in the recipient’s inbox as desired.
And that’s all well and good until suddenly it starts going to spam. If you end up with a negative sender score, all your emails will go into spam. There are many ways to get a negative sender score, and many of them will be of no fault of yours and can happen out of the blue. If your website server starts sending spam you will get blacklisted. And keep in mind that many servers host hundreds or even thousands of websites, and that it may not be your own site that is the issue but that of a business you have never heard of. Because their site is hacked, your emails are no longer trusted. And it isn’t always just the hosting server.
You likely have an SSL certificate. Essentially an SSL certificate is a trusted authority (the certificate issuer) saying that you are trustworthy; they in turn have another, even more trusted authority saying they are trustworthy, and so on until you get to the circle of major players in online security from whom trust flows. Every now and again these trusted authorities stop trusting each other and everything downstream stops being trusted. How much of a risk that is and how long it takes to fix really depends on how far down the chain you are. If you are using your own server or a budget hosting company, they will likely see it as not their problem and leave it to you to work out and fix. If you are using servers run by Microsoft or Google, you are likely so far up the trust chain that this is unlikely ever to be an issue, or if it is, it will likely be resolved by them in an hour or so without you ever knowing.
Or maybe you have a bad sender score because it is a new server and you don’t send enough email for other servers to have learned to trust you.
The consequences of this are also dire for a business. On the morning of writing this article I had a call from a client who runs a commercial electrical service. They were losing work because their quote proposals were going into spam, and they were then struck off the potential supplier shortlist because they had missed the deadline. When they called to follow up, their proposals were found in spam, but the damage had been done. Another company had been assigned the work. On such small things a business can fail.
In conclusion
We recommend that our clients use either Microsoft Office 365 or Google Workspace. At the time I write this they cost £3.80 and £4.60 per user per month respectively. To avoid all the pitfalls listed above that is a negligible cost. Hosting your own emails is just not worth it.