There's been a lot of controversy over how Hillary Clinton apparently used a mail server running in her Chappaqua, New York, home when she started her tenure as secretary of state. But if you want to know what she's using now, all you have to do is point your browser at it—you'll get a login page for Outlook Web access from a Microsoft Exchange 2010 server. And so will anyone who wants to brute-force guess her e-mail password or simply take the server down with a denial-of-service attack. (This is not a suggestion that you should.)
Clinton has probably changed her e-mail address since the scandal began—particularly since the hdr22 account she used has been widely published and has likely become a magnet for all sorts of unwanted messages. And the hosted Exchange server is certainly an upgrade from her original server configuration—Until October of 2010, based on historic DNS records viewed by Ars, Clinton's e-mail server was in fact at a static IP address provided by Optimum, a Cablevision subsidiary, that corresponded to the Clintons' Chappaqua address. The domain was registered on January 13, 2009, just days before Clinton's confirmation as secretary of state—but it did not gain a certificate for secure client connections until March. The current certificate for clintonemail.com was issued by GoDaddy in 2013 just as the original certificate was about to expire.
At some point shortly after the home server was dropped in 2010, the mail exchange record for clintonemail.com was moved to a hosted Exchange server. Currently, that server appears to be running out of a data center in Huntsville, Alabama. The server uses McAfee's MXLogic e-mail filtering service to screen for malware and spam (though it's not certain when the service was added).
[Update: Technical analysis of the network routing for mail.clintonemail.com places it somewhere on Internap's network, connected via one of the company's private network access points. That makes it difficult to resolve exactly where the server is. The server itself may be in a data center in Atlanta.]
There are a couple of potential hazards posed by the Clintons' hosted mail server. First, Outlook Web App is enabled, and that offers an avenue for attackers to attempt to brute-force their way into mail accounts by guessing passwords. Exchange server offers some policies to block these sorts of password attacks, but using them runs the risk of denying users access at all—all someone has to do to basically shut down a user's e-mail is enter bad passwords a few times to activate the lockout.
The other problem is that it's not certain just how well patched this Exchange 2010 server running on a Microsoft Windows Server instance really is. Based on server data, mail.clintonemail.com is running on an instance of Microsoft Windows Server 2008 with Internet Information Server 7.5, both of which have had numerous security vulnerabilities uncovered since this particular server was configured. On the bright side, since it's Windows, it wasn't vulnerable to Heartbleed or Shellshock.
reader comments
121