
Posted

Hello guys,

We have a customer that has 180 licenses of ESET Secure Business. They have ERA 6.5, EMS for Domino 6.5 and EES 6.5.

Some days ago the administrator noticed that someone was sending a large number of spam emails through their Domino server to different addresses ending in .it. Unfortunately the IT guy deleted the emails, so we don't have the proof. What we have is the ESET Log Collector output of the Domino server, some screenshots of the spam message and also a Domino log showing the emails being sent to multiple addresses that are unknown to the company.

The customer asked us why EMS is not blocking the spam from being sent using their mail server; however, we think that the real issue is that someone is sending spam through Domino.

Could it be an infected workstation that is sending that spam? Could it be a leaked mail credential that cybercriminals are using to send out spam?

Thank you.

emsl_logs.zip

LOG dia 22.txt

spam.png

spam error.png

  • Administrators
Posted

I'm not a Lotus Domino expert, but I assume it generates some logs where you could trace which IP addresses the spam was sent from. Then I'd gather ELC and ESVC logs from that machine for perusal.

Posted
12 minutes ago, Marcos said:

I'm not a Lotus Domino expert, but I assume it generates some logs where you could trace which IP addresses the spam was sent from. Then I'd gather ESET Log Collector and ESVC logs from that machine for perusal.

Thank you Marcos. So you think that a PC is infected and sending spam through the Domino server?

Posted (edited)

Today more spam was sent using the Domino server.

31/08/2018 14:26:06   SMTP Server: 180.113.10.37.baremetal.zare.com (37.10.113.180) connected

31/08/2018 14:26:06   SMTP Server [1670:0035-10C0] Mail from infocloudclienti@telleria.cl rejected for policy reasons. Sender is denied in your configuration.

31/08/2018 14:26:06   SMTP Server: 192.168.233.87 connected

31/08/2018 14:26:06   SMTP Server: 180.113.10.37.baremetal.zare.com (37.10.113.180) disconnected. 0 message received

31/08/2018 14:26:09   SMTP Server: 180.113.10.37.baremetal.zare.com (37.10.113.180) connected


I think that maybe the computer whose IP is 192.168.233.87 could be infected. We'll check. What do you think, guys?

Edited by Lockbits
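To turn the SMTP log excerpt in the post above into something checkable, here is a small triage script (an added example, not part of the thread and not ESET or IBM/HCL code). It assumes only the two line shapes visible in the post: "SMTP Server: <host> (<ip>) connected/disconnected" and "SMTP Server [<task id>] Mail from <addr> rejected for policy reasons". It counts SMTP sessions per source address, marks RFC 1918 addresses as internal (the candidate infected workstations or abused accounts the poster is asking about), and lists policy rejections separately. The sample input is the five lines quoted in the post; the regexes are an assumption based on those lines, not a documented Domino log grammar.

```python
import re
import ipaddress
from collections import defaultdict

# Sample input: the five Domino SMTP log lines quoted in the post above.
# Only these lines were used to derive the parsing rules below (assumption).
SAMPLE_LOG = """31/08/2018 14:26:06   SMTP Server: 180.113.10.37.baremetal.zare.com (37.10.113.180) connected
31/08/2018 14:26:06   SMTP Server [1670:0035-10C0] Mail from infocloudclienti@telleria.cl rejected for policy reasons. Sender is denied in your configuration.
31/08/2018 14:26:06   SMTP Server: 192.168.233.87 connected
31/08/2018 14:26:06   SMTP Server: 180.113.10.37.baremetal.zare.com (37.10.113.180) disconnected. 0 message received
31/08/2018 14:26:09   SMTP Server: 180.113.10.37.baremetal.zare.com (37.10.113.180) connected
"""

TS = r"(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\s+SMTP Server"
# "SMTP Server: <host> (<ip>) connected" or "SMTP Server: <ip> connected"
CONN_RE = re.compile(
    TS + r":\s+(?P<peer>\S+)(?:\s+\((?P<ip>[\d.]+)\))?\s+(?P<event>connected|disconnected)"
)
# "SMTP Server [<task id>] Mail from <addr> rejected for policy reasons. ..."
REJECT_RE = re.compile(TS + r"\s+\[[^\]]+\]\s+Mail from (?P<sender>\S+) rejected")


def parse_line(line):
    """Return a dict describing one log event, or None for lines we don't model."""
    m = CONN_RE.search(line)
    if m:
        # Lines without a reverse-DNS name carry the IP itself in the peer field.
        ip = m.group("ip") or m.group("peer")
        return {"ts": m.group("ts"), "kind": m.group("event"), "ip": ip, "host": m.group("peer")}
    m = REJECT_RE.search(line)
    if m:
        return {"ts": m.group("ts"), "kind": "rejected", "sender": m.group("sender")}
    return None


def summarize(log_text):
    """Aggregate sessions per source IP and collect policy rejections."""
    per_ip = defaultdict(lambda: {"host": None, "connected": 0, "disconnected": 0, "internal": False})
    rejections = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["kind"] == "rejected":
            rejections.append((ev["ts"], ev["sender"]))
            continue
        entry = per_ip[ev["ip"]]
        entry["host"] = ev["host"]
        # RFC 1918 / loopback etc. count as "inside the network"
        entry["internal"] = ipaddress.ip_address(ev["ip"]).is_private
        entry[ev["kind"]] += 1
    return dict(per_ip), rejections


def internal_senders(per_ip):
    """LAN addresses that opened SMTP sessions: the hosts to pull ELC/ESVC logs from first."""
    return sorted(ip for ip, e in per_ip.items() if e["internal"] and e["connected"] > 0)


if __name__ == "__main__":
    per_ip, rejections = summarize(SAMPLE_LOG)
    for ip, e in sorted(per_ip.items()):
        tag = "INTERNAL" if e["internal"] else "external"
        print(f"{ip:16} {tag:8} connected={e['connected']} disconnected={e['disconnected']} host={e['host']}")
    for ts, sender in rejections:
        print(f"{ts} rejected sender {sender}")
    print("check first:", internal_senders(per_ip))
```

On the quoted excerpt this separates the external host that was rejected by sender policy (which is the mail server doing its job) from the one internal address that connected, which is the only line in the excerpt that supports the "infected workstation or abused credential" theory. Run it over the full day's log rather than five lines; a workstation opening many SMTP sessions, or one external address reusing an authenticated account, stands out immediately in the per-IP counts.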