Notes Address Book Virus?

Hi All,

Needing to bounce something off of the community.

I’ve never heard of a Notes address book virus, so I was quick to dismiss it as being the issue. I’ve got one user with people calling him saying he is sending them spam. Notably the receivers are receiving an email with the following format: (below link changed/modified for everyone’s protection)


Dear

New message, please read http://webfactory123.webbandit.co.za/late.php?oy

bill@myclientscompany.com


Facts:

  • The names in the CC field are all alphabetical as if it’s pulling from an address book
  • Only about half of the names are found in that computer’s Notes address book or in the recent contacts
  • All names ARE found however in the user’s inbox, in rough alphabetical order when sorting the inbox by name.
  • Analyzing the email headers shows the email originated from a known spam server in Thailand, IP 125.26.159.150, ISP Tot, which is a known blacklisted source of spam
  • There are no Domino server email transactions around the time from our user to any of the emails that were received by these victims, so I don’t think it’s coming from the server, and even if it had, I think our MXLogic Spam gateway would have caught it, which showed nothing in quarantine.
  • There are no other Outlook/webmail address books, or any other copy of address books… only the Notes mail file and contact list, and Traveler on iPhone.
  • Malwarebytes reports clean on the Notes user’s computer.
  • AVG CloudCare AV reports clean on the Notes user’s computer.
  • Spam reports seem to occur at 15-ish day intervals… two cycles now… one mass spam event on Jan 14 and the other on Jan 30.

My thinking…

  • I think something has grabbed a list of recipients from the Notes user’s inbox, and has transmitted that list to the spammer via trojan or virus, and then they are spoofing the Notes user’s address from the Thailand spam server
  • Perhaps there is an SMTP virus on the Notes user’s computer (so far not detectable) that is sending via the Thailand server

Questions:

  • Has anyone heard of something like this affecting Notes?
  • Does anyone have any ideas on how to go about finding and preventing it? Obviously if the list is already in and originating from Thailand, there’s nothing to do.

Thanks for any ideas

Shane

Subject: Notes Address Book Virus?

Mike, that’s what I thought as well! Figured someone has contacts on Yahoo or something, but I’m assured by the customer that there are no other contact exports. Additionally, some of the names in the spam mails are not in the address book but ARE in the inbox list of emails… So I think the inbox must actually be the source.

The iPhone is sending email via the Domino server via Traveler…

I was wondering if someone had guessed the internet password for his account or had gathered the password via the non-SSL Notes-Domino connection… then the spammer might be connecting to the server via IMAP and spamming that way?

Thanks for your answer…

Shane

Subject: If you’re not doing much out there, there’s always blacklisting the server.

Often people export their contacts to other vulnerable email systems. That’s the most obvious source.

How’s that iPhone connecting & routing emails?

Subject: Similar problem - seeking solution

Hi Shane,
I am having a similar issue. One Domino user is compromised. No sign of activity on the server but emails being received. Recipients are either found in the user’s address book or sent to a variation of that address.

Dates - first round was Jan 18, second was Feb 7th.

Only heard about it from some of the recipients or Delivery Failure Messages.
We haven’t received any in Domino mail boxes.

No solution as yet, but I will post if I find anything.

Regards,

Nicola

Subject: Added an SPF to hostname

The account was spoofed and continues to be periodically. We added an SPF to the hostname so only the Domino Servers (by IP) are designated to send mail on behalf of the domain.

We will see if this curtails the problem.
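The two defender-side steps in this thread, reading the Received chain to find the IP that actually handed the mail to the recipient's MX (the header analysis in Shane's first post) and publishing an SPF record so that only the Domino servers may send for the domain (the last post), can be exercised together offline with the following Python example. It is added here and is not code from the thread or from IBM; it assumes a constructed message modelled on the spam described above, a recipient border MX named mx.recipient.example, a dictionary standing in for the DNS TXT lookup, and placeholder Domino server addresses 192.0.2.10 and 192.0.2.11 (the thread does not give the real ones). Only the ip4, ip6 and all mechanisms are implemented.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample, modelled on the thread: the claimed sender is the Domino
# user from the first post, but the client that connected to the recipient's
# border MX is the Thai address that the first post's header analysis found.
SAMPLE_HEADERS = """\
Return-Path: <bill@myclientscompany.com>
Received: from mx.recipient.example (mx.recipient.example [203.0.113.5])
 by mail.recipient.example with ESMTP for <victim@recipient.example>
Received: from [125.26.159.150] (unknown [125.26.159.150])
 by mx.recipient.example with SMTP
From: bill@myclientscompany.com
To: victim@recipient.example
Subject: New message, please read

"""

# Constructed stand-in for the DNS TXT lookup. 192.0.2.10/11 are placeholders
# for the Domino servers' public addresses, which the thread does not give.
SPF_RECORDS = {
    "myclientscompany.com": "v=spf1 ip4:192.0.2.10 ip4:192.0.2.11 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def client_ip_from_received(received_headers, our_mx):
    """Return the IP that connected to our own border MX.

    Received headers above the one our MX wrote are our internal hops; anything
    below it was supplied by the sender and may be forged, so only the header
    stamped 'by <our_mx>' is trusted. Its first bracketed address is the
    connecting client in the usual 'from host (rdns [ip]) by ...' syntax.
    """
    for hdr in received_headers:
        if re.search(r"\bby\s+" + re.escape(our_mx) + r"\b", hdr):
            m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", hdr)
            if m:
                return m.group(1)
    return None


def spf_result(record, client_ip):
    """Evaluate an SPF record against a client IP (ip4/ip6/all mechanisms only)."""
    ip = ipaddress.ip_address(client_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name in ("ip4", "ip6"):
            # A v4 address is never contained in a v6 network, and vice versa.
            if ip in ipaddress.ip_network(value, strict=False):
                return QUALIFIERS[qualifier]
        elif name == "all":
            return QUALIFIERS[qualifier]
        else:
            # a, mx, include, exists and ptr need live DNS; out of scope here.
            raise ValueError(f"unsupported mechanism: {name}")
    return "neutral"  # ran off the end of the record without a match


def check_message(raw_headers, our_mx, spf_records):
    """Return (client_ip, sender_domain, spf_verdict) for one received message."""
    msg = message_from_string(raw_headers)
    # SPF is defined on the envelope sender (MAIL FROM); Return-Path is where
    # the receiving MX recorded it. The From: header is what the victims see.
    sender = parseaddr(msg.get("Return-Path") or msg.get("From") or "")[1]
    domain = sender.rpartition("@")[2].lower()
    client_ip = client_ip_from_received(msg.get_all("Received") or [], our_mx)
    record = spf_records.get(domain)
    if client_ip is None or record is None:
        return client_ip, domain, "none"
    return client_ip, domain, spf_result(record, client_ip)


if __name__ == "__main__":
    print(check_message(SAMPLE_HEADERS, "mx.recipient.example", SPF_RECORDS))
    # The same message handed over by a listed Domino server passes instead.
    legit = SAMPLE_HEADERS.replace("125.26.159.150", "192.0.2.10")
    print(check_message(legit, "mx.recipient.example", SPF_RECORDS))
```

Two things the example makes visible: the verdict depends on the envelope sender and on the Received header the recipient's own MX wrote, not on the From: header or on any Received lines the spammer supplied, and the record only has an effect at recipients whose MTAs evaluate SPF, which is why recipients who do not check it may keep reporting the spam even after the record is published. Whether the record ends in -all or ~all decides whether such mail is rejected outright or merely marked.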