What do I say to customers about security?

I tried finding this in another thread but all I found is that messages are not encrypted at rest… but I imagine they are in transit bc SSL…

So, do you guys have any security features I can put on my sales page?

I’m confident I can say data is encrypted in transit. But do you guys have compliance with any security protocols or organizations?

Are there any vague but accurate ways to highlight any security layers in your secret sauce or internal procedures?

Like, do you have active spam-assassin filtering, monitored RBLs, ratelimiting etc? Any sort of features I can list?

If you could bullet point what you guys do - security wise, I would be super grateful. If there is a page that mentions this and I was too dumb to dig it up, a link is just as fine :slight_smile:

I’ve got our beta of your product up and our customers love it … mostly because Crossbox is just killer looking compared to cpanel webmail they are used to.

Looking forward to your reply. This is my first post so please go easy on me :wink:

It’s hard to talk about because MXroute was created and is primarily run by a system administrator. We’re not well known for our ability to wax poetic about these things, we’re better known for always showing up and handling things. On top of that, security is such a broad subject that could be worth hours of discussions on any one aspect. With that said, I’ll do my best to give somewhat of an overview of how we focus on security.

Most of our security is up to the customer. If they reuse passwords to insane degrees and prefer non-SSL ports, they’ll see compromised email accounts and insecure messaging in transit. If they encrypt their emails with something like GPG they can gain even more security, but again it’s a choice they make.

On the back-end, we feel that there’s no substitute for human administration. I myself am the primary admin of MXroute, it’s my baby. I’ve been around the block, I’ve been the one fixing all of the compromised websites at HostGator and auditing the systems for security at customer request. I’ve done the same at DigitalOcean. I eat, sleep, and breathe server administration and security. In a lot of ways, it’s me that I’m selling here at MXroute. I’m not bragging about my abilities, but I do know what I’m good at. Imagine that you’re hiring me to be your system administrator for your mail servers, for the prices that I’m charging. Because you literally are. Even when I sleep, all systems look for a variety of conditions and self-heal and/or wake me to address the issue immediately.

At every hour of every day I know who my top 15 senders are. If anyone jumps into a pattern that doesn’t match their typical behavior, a human (me) reviews the logs and reacts accordingly. I tweak things like brute force protection and IP blocks based on frequently updated attack lists from ISPs, as well as my own internal lists from daily audits. Just this last Saturday I proactively located an ISP sending viruses to our customers and reacted: https://twitter.com/MXroute/status/1279331129175179264

I don’t buy into clearly defined processes for security, and that’s because attackers don’t work within clearly defined processes either. To manage the security of an infrastructure like MXroute you need more than a certification and a course, you need real world experience in dealing with active attacks against a large infrastructure and the system administration skills to continually adapt your strategy to the events. Without that, you end up with holes that go unplugged and unnoticed for years (sorry to throw you under the bus, Yahoo). The downside is that it isn’t fancy, it doesn’t make a nice round seal to place on the front page, but the upside is that you’re hiring me for pennies and I’m working my tail off to protect you and let you know if anything happens that needs your attention.

So I guess if I were to say it in marketing terms, I’d say this price hires a full time system administrator to obsessively monitor your servers and react appropriately according to real-time events, with a deep history in the industry and Linux servers. For whatever price you put on your site, that’s something no one can buy for that price.

Hope that helps, sorry it wasn’t too specific. Happy to answer any more specific questions that may narrow my train of thought :slight_smile:

Edit: I could add that as an individual with access to all of these servers, I am required to follow some strict procedures by my own requirements that I place on myself. I cannot reuse passwords, every password must be unique. Every password must be rotated regularly. Keys must be treated like royalty and guarded to the highest degree. My computer systems each have separate functions, and not all of them contain passwords and keys to MXroute infrastructure (gaming laptop doesn’t, for example). I have to use 2FA anywhere I can. All computers with keys/passwords have disk encryption and are monitored 24/7 by live cameras that upload footage to cloud servers. My office security (cameras included) run on battery backup systems with LTE-backed connectivity in the case of a local outage. I’m extremely paranoid by choice, not because I think someone wants this stuff but because the one time anyone does I’ll be ready.