Archived

This topic is now archived and is closed to further replies.

Lockbits

EMS for Domino: someone is sending SPAM

Hello guys,

We have a customer that has 180 licenses of ESET Secure Business. They have ERA 6.5, EMS for Domino 6.5 and EES 6.5.

Some days ago the administrator noticed that someone was sending a large amount of spam email through their Domino server to different addresses ending in .it. Unfortunately the IT guy deleted the emails, so we don't have the proof. What we have is the ESET Log Collector output from the Domino server, some screenshots of the spam message and also a Domino log indicating the emails being sent to multiple addresses that are unknown to the company.

The customer asked us why EMS is not blocking the spam from being sent using their mail server; however, we think that the real issue is that someone is sending spam through Domino.

Could it be an infected workstation that is sending that spam? Could it be a leaked mail credential that cyber criminals are using to send out spam?

Thank you.

emsl_logs.zip

LOG dia 22.txt

spam.png

spam error.png

I'm not a Lotus Domino expert, but I assume it generates some logs where you could trace which IP addresses the spam was sent from. Then I'd gather ELC and ESVC logs from that machine for perusal.

12 minutes ago, Marcos said:

I'm not a Lotus Domino expert, but I assume it generates some logs where you could trace which IP addresses the spam was sent from. Then I'd gather ESET Log Collector and ESVC logs from that machine for perusal.

Thank you Marcos. So you think that a PC is infected and sending spam through the Domino server?

Today more spam was sent using the Domino server.

31/08/2018 14:26:06   SMTP Server: 180.113.10.37.baremetal.zare.com (37.10.113.180) connected
31/08/2018 14:26:06   SMTP Server [1670:0035-10C0] Mail from infocloudclienti@telleria.cl rejected for policy reasons. Sender is denied in your configuration.
31/08/2018 14:26:06   SMTP Server: 192.168.233.87 connected
31/08/2018 14:26:06   SMTP Server: 180.113.10.37.baremetal.zare.com (37.10.113.180) disconnected. 0 message received
31/08/2018 14:26:09   SMTP Server: 180.113.10.37.baremetal.zare.com (37.10.113.180) connected

I think that maybe the computer whose IP is 192.168.233.87 could be infected. We'll check. What do you think, guys?

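The approach Marcos suggests (trace the connecting IP addresses in the Domino SMTP log, then collect logs from the internal machine) can be done mechanically over the whole log rather than by eye. The script below is an added example and is not part of the thread or any ESET or Domino tooling. It assumes the line formats seen in the excerpt above ("SMTP Server: host (ip) connected", "... disconnected. N messages received", and the "Mail from ... rejected for policy reasons" line); the last two lines of the sample log are constructed to give the internal host a completed session with a message count. Note the caveat it reflects: the policy-rejection line carries a task id, not an IP, so rejections cannot be attributed to a client from that line alone; in a full log you would correlate them with the session lines by timestamp and task id.

```python
import re
from ipaddress import ip_address

# Constructed sample: the first five lines are the excerpt posted in the thread,
# the last two are made up so that the internal host has a completed session.
SAMPLE_LOG = """\
31/08/2018 14:26:06   SMTP Server: 180.113.10.37.baremetal.zare.com (37.10.113.180) connected
31/08/2018 14:26:06   SMTP Server [1670:0035-10C0] Mail from infocloudclienti@telleria.cl rejected for policy reasons. Sender is denied in your configuration.
31/08/2018 14:26:06   SMTP Server: 192.168.233.87 connected
31/08/2018 14:26:06   SMTP Server: 180.113.10.37.baremetal.zare.com (37.10.113.180) disconnected. 0 message received
31/08/2018 14:26:09   SMTP Server: 180.113.10.37.baremetal.zare.com (37.10.113.180) connected
31/08/2018 14:26:11   SMTP Server: 192.168.233.87 disconnected. 4 messages received
31/08/2018 14:26:12   SMTP Server: 180.113.10.37.baremetal.zare.com (37.10.113.180) disconnected. 0 message received
"""

# Timestamp prefix shared by every line in the excerpt (dd/mm/yyyy hh:mm:ss).
TS_RE = re.compile(r'^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\s+(?P<rest>.*)$')
# Session lines: optional reverse-DNS host, IP, connected/disconnected, optional message count.
SESSION_RE = re.compile(
    r'^SMTP Server: (?:(?P<host>\S+) \()?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)? '
    r'(?P<event>connected|disconnected)(?:\. (?P<count>\d+) messages? received)?'
)
# Policy rejection lines carry only the server task id, not the client IP.
REJECT_RE = re.compile(r'^SMTP Server \[(?P<task>[^\]]+)\] Mail from (?P<sender>\S+) rejected')


def parse_line(line):
    """Classify one Domino SMTP log line; returns None for lines without a timestamp."""
    m = TS_RE.match(line.strip())
    if not m:
        return None
    ts, rest = m.group('ts'), m.group('rest')
    s = SESSION_RE.match(rest)
    if s:
        return {'ts': ts, 'kind': 'session', 'ip': s.group('ip'), 'host': s.group('host'),
                'event': s.group('event'), 'count': int(s.group('count') or 0)}
    r = REJECT_RE.match(rest)
    if r:
        return {'ts': ts, 'kind': 'reject', 'task': r.group('task'), 'sender': r.group('sender')}
    return {'ts': ts, 'kind': 'other', 'text': rest}


def summarize(log_text):
    """Aggregate connections and accepted message counts per client IP, plus rejections."""
    sessions, rejections = {}, []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec['kind'] == 'session':
            entry = sessions.setdefault(rec['ip'], {
                'host': rec['host'], 'connects': 0, 'messages': 0,
                'internal': ip_address(rec['ip']).is_private})
            if rec['host'] and not entry['host']:
                entry['host'] = rec['host']
            if rec['event'] == 'connected':
                entry['connects'] += 1
            else:
                entry['messages'] += rec['count']
        elif rec['kind'] == 'reject':
            rejections.append((rec['ts'], rec['task'], rec['sender']))
    return {'sessions': sessions, 'rejections': rejections}


def internal_smtp_clients(summary):
    """RFC 1918 addresses that opened SMTP sessions: candidates for an ELC/ESVC log collection."""
    return sorted(ip for ip, e in summary['sessions'].items() if e['internal'] and e['connects'] > 0)


def top_submitters(summary, n=5):
    """Client IPs ordered by how many messages the server accepted from them."""
    return sorted(summary['sessions'].items(), key=lambda kv: kv[1]['messages'], reverse=True)[:n]


if __name__ == '__main__':
    summary = summarize(SAMPLE_LOG)
    for ip, e in top_submitters(summary):
        print(f"{ip:16} internal={e['internal']!s:5} connects={e['connects']} messages={e['messages']} host={e['host']}")
    print('internal SMTP clients to investigate:', internal_smtp_clients(summary))
    print('policy rejections:', summary['rejections'])
```

Run it against the real Domino log (for example by reading the "LOG dia 22.txt" attachment into `summarize`) and the internal addresses with non-zero accepted message counts are the machines whose ELC and ESVC logs are worth gathering first; an external address that keeps reconnecting with zero accepted messages, like the baremetal.zare.com host in the excerpt, is being held off by the sender policy rather than relaying.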
