At some point shortly after the home server was dropped in 2010, the mail exchange record for clintonemail.com was moved to a hosted Exchange server running out of a data center in Huntsville, Alabama. The server uses McAfee’s MXLogic e-mail filtering service to screen for malware and spam (though it’s not certain when the service was added).

There are a couple of potential hazards posed by the Clintons’ hosted mail server. First, Outlook Web App is enabled, and that offers an avenue for attackers to attempt to brute-force their way into mail accounts by guessing passwords. Exchange server offers some policies to block these sorts of password attacks, but using them runs the risk of denying users access at all—all someone has to do to basically shut down a user’s e-mail is enter bad passwords a few times to activate the lockout.

The other problem is that it’s not certain just how well patched this Exchange 2010 server running on a Microsoft Windows Server instance really is. Based on server data, mail.clintonemail.com is running on an instance of Microsoft Windows Server 2008 with Internet Information Server 7.5, both of which have had numerous security vulnerabilities uncovered since this particular server was configured. On the bright side, since it’s Windows, it wasn’t vulnerable to Heartbleed or Shellshock.