This forum is closed to new posts and responses. Individual names altered for privacy purposes. The information contained in this website is provided for informational purposes only and should not be construed as a forum for customer support requests. Any customer support requests should be directed to the official HCL customer support channels below:

HCL Software Customer Support Portal for U.S. Federal Government clients
HCL Software Customer Support Portal


Feb 1, 2016, 2:42 PM
8 Posts

Notes Address Book Virus?

  • Category: Mail
  • Platform: Windows
  • Release: 9.0.1
  • Role: Administrator,End User
  • Tags: virus,email,address book
  • Replies: 4

Hi All,

 

Needing to bounce something off of the community. 

I've never heard of a Notes address book virus, so I was quick to dismiss it as being the issue.  I've got one user with people calling him saying he is sending them spam.  Notably the receivers are receiving an email with the following format: (below link changed/modified for everyone's protection)

 

_____________________________

Dear <First Name Last Name>

New message, please read <http://webfactory123.webbandit.co.za/late.php?oy>

bill@myclientscompany.com

______________________________________________________________________

Facts:

  • The names in the CC field are all alphabetical as if it's pulling from an address book
  • Only about half of the names are found in that computer's Notes address book or in the recent contacts
  • All names ARE found however in the user's inbox, in rough alphabetical order when sorting the inbox by name.
  • Analyzing the email headers shows the email originated from a known spam server in Thailand, IP 125.26.159.150, ISP Tot, which is a known blacklisted source of spam
  • There are no Domino server email transactions around the time from our user to any of the emails that were received by these victims, so I don't think it's coming from the server, and even if it had, I think our MXLogic Spam gateway would have caught it, which showed nothing in quarantine.
  • There are no other Outlook/webmail address books, or any other copy of address books... only the Notes mail file and contact list, and Traveler on iPhone.
  • Malwarebytes reports clean on the Notes user's computer.
  • AVG CloudCare AV reports clean on the Notes user's computer.
  • Spam reports seem to occur at 15-ish day intervals.....  two cycles now..... one mass spam event on Jan 14 and the other on Jan 30.

 

My thinking....

  • I think something has grabbed a list of recipients from the Notes user's inbox, and has transmitted that list to the spammer via trojan or virus, and then they are spoofing the Notes user's address from the Thailand spam server
  • Perhaps there is an SMTP virus on the Notes user's computer (so far not detectable) that is sending via the Thailand server

 

Questions:

  1. Has anyone heard of something like this affecting Notes?
  2. Does anyone have any ideas on how to go about finding and preventing it?  Obviously if the list is already in and originating from Thailand, there's nothing to do.

Thanks for any ideas

Shane


Feb 2, 2016, 12:33 AM
323 Posts
If you're not doing much out there, there's always blacklisting the server.

Often people export their contacts to other vulnerable email systems. That's the most obvious source.

How's that iPhone connecting & routing emails?

Feb 2, 2016, 3:14 PM
8 Posts
Notes Address Book Virus?

Mike, that's what I thought as well!  Figured someone has contacts on Yahoo or something, but I'm assured by the customer that there are no other contact exports.  Additionally, some of the names in the spam mails are not in the address book but ARE in the inbox list of emails...  So I think the inbox must actually be the source.

The iPhone is sending email via the Domino server via Traveler....

 

I was wondering if someone had guessed the internet password for his account or had gathered the password via the non-SSL Notes-Domino connection...then the spammer might be connecting to the server via imap and spamming that way?

 

Thanks for your answer....

Shane

Feb 9, 2016, 1:04 AM
2 Posts
Similar problem - seeking solution
Hi Shane,
I am having a similar issue.  One Domino user is compromised.  No sign of activity on the server but emails being received.  Recipients are either found in the user's address book or sent to a variation of that address.

Dates - first round was Jan 18, second was Feb 7th.

Only heard about it from some of the recipients or Delivery Failure Messages.  
We haven't received any in Domino mail boxes.

No solution as yet but I will post if I find anything.

Regards,

Nicola
Feb 29, 2016, 1:11 PM
2 Posts
Added an SPF to hostname
The account was spoofed and continues to be periodically.  We added an SPF to the hostname so only the Domino Servers (by IP) are designated to send mail on behalf of the domain.

We will see if this curtails the problem.
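The two checks the thread relies on, reading the Received: chain to find where a spoofed message actually entered the mail path (the original post) and publishing an SPF record that names only the Domino servers (the last post), can be scripted. The following is an added example written for this page, not code from any of the posters or from HCL. The message, hostnames, 192.0.2.x/203.0.113.x addresses and the SPF record are all constructed (RFC 5737 test ranges); the only value taken from the thread is the relay IP 125.26.159.150. The trusted-relay list stands in for the recipient's own gateway addresses.

```python
"""Trace the originating hop of a spoofed message and check it against SPF.

Added example. Everything below is constructed: hostnames, the 192.0.2.x and
203.0.113.x addresses and the SPF record are made up; only 125.26.159.150 is
the relay quoted in the thread.
"""
import email
import email.utils
import ipaddress
import re

# Constructed message modelled on the one in the thread: From: and Return-Path:
# claim the Notes user, but the inner Received: header shows the connection
# came from an unrelated relay, not the customer's Domino server.
SAMPLE_MESSAGE = """\
Return-Path: <bill@myclientscompany.com>
Received: from mx.recipient.example ([192.0.2.10])
        by mail.recipient.example with ESMTP id 7f3a9c
        for <victim@recipient.example>; Sat, 30 Jan 2016 08:13:02 -0600
Received: from spam-relay.example (unknown [125.26.159.150])
        by mx.recipient.example with SMTP; Sat, 30 Jan 2016 08:12:58 -0600
From: bill@myclientscompany.com
To: victim@recipient.example
Subject: New message, please read

Dear Victim Name
New message, please read <link removed>
bill@myclientscompany.com
"""

# Constructed SPF record for the sender's domain: only two (made-up) Domino
# server addresses may send for it, everything else hard-fails.
SAMPLE_SPF = "v=spf1 ip4:203.0.113.25 ip4:203.0.113.26 -all"

# The recipient's own relays (assumed); hops inside these networks are skipped
# when walking inward to find where the message really came from.
RECIPIENT_RELAYS = ["192.0.2.0/24"]

BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def received_chain(raw_message):
    """IPv4 literals from the Received: headers, outermost (latest hop) first.

    Each Received: line is written by the receiving relay and names the host
    that connected to it; the first bracketed literal is that host's address.
    """
    msg = email.message_from_string(raw_message)
    ips = []
    for header in msg.get_all("Received", []):
        match = BRACKETED_IP.search(header)
        if match:
            ips.append(match.group(1))
    return ips


def originating_ip(raw_message, trusted_networks):
    """First hop from the outside in that is not one of our own relays."""
    trusted = [ipaddress.ip_network(n) for n in trusted_networks]
    for ip in received_chain(raw_message):
        addr = ipaddress.ip_address(ip)
        if not any(addr in net for net in trusted):
            return ip
    return None


def envelope_sender_domain(raw_message):
    """Domain SPF is evaluated against: the envelope sender (Return-Path),
    not the From: header that the recipient sees."""
    msg = email.message_from_string(raw_message)
    _, address = email.utils.parseaddr(msg.get("Return-Path", ""))
    return address.rpartition("@")[2].lower() or None


def spf_verdict(spf_record, ip):
    """Evaluate ip against ip4: mechanisms and the record's 'all' qualifier.

    Only ip4: and all are handled, which is what the thread's fix uses;
    include:, a: and mx: would need DNS and are ignored here.
    """
    addr = ipaddress.ip_address(ip)
    terms = spf_record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name == "ip4" and addr in ipaddress.ip_network(value, strict=False):
            return QUALIFIER_RESULT[qualifier]
        if name == "all":
            return QUALIFIER_RESULT[qualifier]
    return "neutral"  # no mechanism matched and no 'all' term present


def analyze(raw_message, trusted_networks, spf_record):
    """Combine both checks into the verdict a receiving gateway would reach."""
    origin = originating_ip(raw_message, trusted_networks)
    return {
        "envelope_domain": envelope_sender_domain(raw_message),
        "originating_ip": origin,
        "spf": spf_verdict(spf_record, origin) if origin else "none",
    }


if __name__ == "__main__":
    print(analyze(SAMPLE_MESSAGE, RECIPIENT_RELAYS, SAMPLE_SPF))
```

Two caveats for anyone applying this to the case in the thread. SPF is checked against the envelope sender, so a spammer who uses a Return-Path in a domain they control still passes SPF while showing the Notes user's address in From:; closing that gap needs DMARC, which requires the From: domain to align with the SPF (or DKIM) domain. And a `-all` record only stops the spoofed mail at recipients whose gateways actually evaluate SPF, so the complaints from other recipients may not stop completely.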
