Lockbits 11 Posted August 30, 2018 Hello guys, We have a customer that has 180 licenses of ESET Secure Business. They have ERA 6.5, EMS for Domino 6.5 and EES 6.5. Some days ago the administrator noted that someone is sending a large amount of spam emails through their Domino server to different addresses ending in .it. Unfortunately the IT guy deleted the emails so we don't have the proof. What we have is the ESET Log Collector output of the Domino server, some screenshots of the spam message and also a Domino log indicating the emails being sent to multiple addresses that are unknown to the company. The customer asked us why EMS is not blocking the spam from being sent using their mail server; however, we think that the real issue is that someone is sending spam through Domino. Could it be an infected workstation that is sending that spam? Could it be a leaked mail credential that cyber criminals are using to send out spam? Thank you. Attachments: emsl_logs.zip, LOG dia 22.txt
Administrators Marcos 5,468 Posted August 30, 2018 I'm not a Lotus Domino expert, but I assume it generates some logs from which you could trace the IP addresses the spam was sent from. Then I'd gather ELC and ESVC logs from that machine for perusal.
Lockbits 11 (Author) Posted August 30, 2018 12 minutes ago, Marcos said: I'm not a Lotus Domino expert, but I assume it generates some logs from which you could trace the IP addresses the spam was sent from. Then I'd gather ESET Log Collector and ESVC logs from that machine for perusal. Thank you Marcos. So you think that a PC is infected and sending spam through the Domino server?
Lockbits 11 (Author) Posted August 31, 2018 (edited) Today more spam was sent using the Domino server.

31/08/2018 14:26:06 SMTP Server: 180.113.10.37.baremetal.zare.com (37.10.113.180) connected
31/08/2018 14:26:06 SMTP Server [1670:0035-10C0] Mail from infocloudclienti@telleria.cl rejected for policy reasons. Sender is denied in your configuration.
31/08/2018 14:26:06 SMTP Server: 192.168.233.87 connected
31/08/2018 14:26:06 SMTP Server: 180.113.10.37.baremetal.zare.com (37.10.113.180) disconnected. 0 message received
31/08/2018 14:26:09 SMTP Server: 180.113.10.37.baremetal.zare.com (37.10.113.180) connected

I think that maybe the computer whose IP is 192.168.233.87 is infected. We'll check. What do you think guys? Edited August 31, 2018 by Lockbits
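An added example, not from the thread and not ESET's or IBM's code: a small Python script that parses Domino SMTP Server log lines of the kind quoted above, counts sessions per source address, lists rejected senders separately, and flags sources in private address ranges as internal hosts to collect ELC/ESVC logs from, which is the triage step Marcos suggested. The sample input is the post's own five entries embedded as constructed text; the line patterns are an assumption based only on those entries.

```python
import re
from collections import defaultdict
from ipaddress import ip_address

# Constructed sample input: the Domino SMTP Server entries quoted in the post above.
SAMPLE_LOG = """\
31/08/2018 14:26:06 SMTP Server: 180.113.10.37.baremetal.zare.com (37.10.113.180) connected
31/08/2018 14:26:06 SMTP Server [1670:0035-10C0] Mail from infocloudclienti@telleria.cl rejected for policy reasons. Sender is denied in your configuration.
31/08/2018 14:26:06 SMTP Server: 192.168.233.87 connected
31/08/2018 14:26:06 SMTP Server: 180.113.10.37.baremetal.zare.com (37.10.113.180) disconnected. 0 message received
31/08/2018 14:26:09 SMTP Server: 180.113.10.37.baremetal.zare.com (37.10.113.180) connected
"""

# Assumed shapes: "SMTP Server: <host> (<ip>) connected" or "SMTP Server: <ip> connected"
CONN_RE = re.compile(
    r"^(?P<ts>\S+ \S+) SMTP Server: "
    r"(?:(?P<host>\S+) \((?P<ip>[\d.]+)\)|(?P<ip2>[\d.]+)) (?P<event>connected|disconnected)"
)
REJECT_RE = re.compile(r"Mail from (?P<sender>\S+) rejected")


def summarize(log_text):
    """Per source IP: connect/disconnect counts and whether it is a private (internal) address."""
    stats = defaultdict(lambda: {"connected": 0, "disconnected": 0, "internal": False})
    rejected = []
    for line in log_text.splitlines():
        m = CONN_RE.match(line)
        if m:
            ip = m.group("ip") or m.group("ip2")
            stats[ip][m.group("event")] += 1
            stats[ip]["internal"] = ip_address(ip).is_private
            continue
        r = REJECT_RE.search(line)
        if r:
            rejected.append(r.group("sender"))
    return dict(stats), rejected


def internal_senders(log_text):
    """Internal hosts that opened SMTP sessions: the machines to pull ELC/ESVC logs from."""
    stats, _ = summarize(log_text)
    return sorted(ip for ip, s in stats.items() if s["internal"] and s["connected"] > 0)


if __name__ == "__main__":
    stats, rejected = summarize(SAMPLE_LOG)
    for ip, s in stats.items():
        print(f"{ip:16} connected={s['connected']} disconnected={s['disconnected']} internal={s['internal']}")
    print("rejected senders:", rejected)
    print("internal hosts to investigate:", internal_senders(SAMPLE_LOG))
```

Run against the full Domino console log rather than the excerpt; an internal address with many short "connected" sessions and no matching user activity is the signal to correlate with the workstation's own logs.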