EMS for Domino: someone is sending SPAM



Hello guys,

We have a customer that has 180 licenses of ESET Secure Business. They have ERA 6.5, EMS for Domino 6.5 and EES 6.5.

Some days ago the administrator noticed that someone is sending a large amount of spam emails through their Domino server to different addresses ending in .it. Unfortunately the IT guy deleted the emails, so we don't have the proof. What we have is the ESET Log Collector output of the Domino server, some screenshots of the spam message and also a Domino log showing the emails being sent to multiple addresses that are unknown to the company.

The customer asked us why EMS is not blocking the spam from being sent using their mail server; however, we think that the real issue is that someone is sending spam through Domino.

Could it be an infected workstation that is sending that spam? Could it be a leaked mail credential that cyber criminals are using to send out spam?

Thank you.

emsl_logs.zip

LOG dia 22.txt

spam.png

spam error.png


  • Administrators

I'm not a Lotus Domino expert but I assume it generates some logs where you could trace from which IP addresses the spam was sent from. Then I'd gather ELC and ESVC logs from that machine for perusal.


12 minutes ago, Marcos said:

I'm not a Lotus Domino expert but I assume it generates some logs where you could trace from which IP addresses the spam was sent from. Then I'd gather ESET Log Collector and ESVC logs from that machine for perusal.

Thank you Marcos. So you think that a PC is infected and sending spam through the Domino server?


Today more spam was sent using the Domino server.

31/08/2018 14:26:06   SMTP Server: 180.113.10.37.baremetal.zare.com (37.10.113.180) connected
31/08/2018 14:26:06   SMTP Server [1670:0035-10C0] Mail from infocloudclienti@telleria.cl rejected for policy reasons. Sender is denied in your configuration.
31/08/2018 14:26:06   SMTP Server: 192.168.233.87 connected
31/08/2018 14:26:06   SMTP Server: 180.113.10.37.baremetal.zare.com (37.10.113.180) disconnected. 0 message received
31/08/2018 14:26:09   SMTP Server: 180.113.10.37.baremetal.zare.com (37.10.113.180) connected

I think that maybe the computer whose IP is 192.168.233.87 could be infected. We'll check. What do you think, guys?

Edited by Lockbits
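A small triage helper for the Domino "SMTP Server" log lines quoted above, added here as an example (it is not code from the forum, ESET or HCL): it parses connect/disconnect lines, counts how many messages each client IP handed to the SMTP listener, separates internal (RFC 1918) clients from external ones, and lists the senders Domino already rejected by policy. The sample log is constructed from the quoted lines plus one made-up disconnect line for the internal host, so that the "how many messages did the internal machine actually submit" check has something to show.

```python
import re
from collections import defaultdict
from ipaddress import ip_address

# Constructed sample in the Domino "SMTP Server" log format quoted in the thread.
# The final line is made up to show an internal session that delivered messages.
SAMPLE_LOG = """\
31/08/2018 14:26:06   SMTP Server: 180.113.10.37.baremetal.zare.com (37.10.113.180) connected
31/08/2018 14:26:06   SMTP Server [1670:0035-10C0] Mail from infocloudclienti@telleria.cl rejected for policy reasons. Sender is denied in your configuration.
31/08/2018 14:26:06   SMTP Server: 192.168.233.87 connected
31/08/2018 14:26:06   SMTP Server: 180.113.10.37.baremetal.zare.com (37.10.113.180) disconnected. 0 message received
31/08/2018 14:26:09   SMTP Server: 180.113.10.37.baremetal.zare.com (37.10.113.180) connected
31/08/2018 14:26:40   SMTP Server: 192.168.233.87 disconnected. 12 messages received
"""

# Matches "SMTP Server: host (ip) connected" as well as "SMTP Server: ip connected",
# with the optional "disconnected. N message(s) received" tail.
SESSION_RE = re.compile(
    r"SMTP Server: (?:\S+ \((?P<ip1>[\d.]+)\)|(?P<ip2>[\d.]+)) "
    r"(?P<event>connected|disconnected)(?:\. (?P<msgs>\d+) messages? received)?"
)
REJECT_RE = re.compile(r"Mail from (?P<sender>\S+) rejected for policy reasons")


def summarize_sessions(log_text):
    """Per client IP: connection count, messages accepted, and whether the client
    is an RFC 1918 (internal) address."""
    stats = defaultdict(lambda: {"connects": 0, "messages": 0, "internal": False})
    for line in log_text.splitlines():
        m = SESSION_RE.search(line)
        if not m:
            continue
        ip = m.group("ip1") or m.group("ip2")
        entry = stats[ip]
        entry["internal"] = ip_address(ip).is_private
        if m.group("event") == "connected":
            entry["connects"] += 1
        elif m.group("msgs"):
            entry["messages"] += int(m.group("msgs"))
    return dict(stats)


def rejected_senders(log_text):
    """Sender addresses the Domino policy (e.g. the denied-senders list) already blocked."""
    return [m.group("sender") for m in map(REJECT_RE.search, log_text.splitlines()) if m]


def relay_suspects(log_text):
    """Internal hosts that actually submitted mail via SMTP: the machines to pull
    ESET Log Collector / ESVC logs from first, as Marcos suggests above."""
    return sorted(ip for ip, s in summarize_sessions(log_text).items()
                  if s["internal"] and s["messages"] > 0)
```

External clients that connect repeatedly but leave with "0 message received" are being stopped by the existing policy; an internal address with a non-zero message count is the one worth isolating and examining.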
