Who uses my GWIA to send SPAM mails ?

  • 7012657
  • 20-Jun-2013
  • 21-Jun-2013

Environment

Novell GroupWise 8
Novell GroupWise 2012

Situation

You find out that your GroupWise system is being misused by a hacker to send many SPAM mails, and you want to find out who is doing it and how it is possible.

Resolution

In most cases, what your GroupWise system does is not recognised by the system as sending SPAM mails, because the hacker typically obtained the credentials of some user of your GroupWise system. Hackers often run a batch file with a long list of "typical" account names and try to connect to your GWIA via the POP3 protocol. A "typical" account name can be anything like test, testuser, webmaster, imap or similar.
Once the hackers see that your GWIA accepted a certain login request, in the next step they keep trying to log in with this name using "typical" passwords until they get lucky and can authenticate.
Other accounts can be hacked, for instance, when your users have a virus on their computers and the hacker captured the password when they typed it.
The hackers can then legitimately send mails from your system, just like any of your users who use POP3 / IMAP4 clients. However, in most cases you will not see which hacked account name was used from your GroupWise system, because they use some bogus email address as the sender instead.
A typical sign of SPAM in GWIA logs is that one sender (using some bogus email address) sends one or more mails to many Internet recipients. Or other sites report to you that SPAM from a specific email address (or addresses) is coming from your system.
Now you want to know who sends these mails and which account is used. Here are the steps that help you identify such an attack from the information in the GWIA and POA logs (Verbose logging mode):
 
1. Check the GWIA log file and find the sender with the reported email address that sends such SPAM mails. For instance, you notice that someone sends SPAM mails using the bogus@localhost email address. Find an instance of such mass mail sending:
 
19:20:56 ED3F MSG 35270731 Processing inbound message: /<my_domain>/wpgate/gwia/receive/f03b0c15.417
19:20:56 ED3F MSG 35270731 Sender: bogus@localhost
19:20:56 ED3F MSG 35270731 Recipient: <internet_recipient_1>
19:20:56 ED3F MSG 35270731 Recipient: <internet_recipient_2>
19:20:56 ED3F MSG 35270731 Recipient: <internet_recipient_3>
 
and so on. What is important here is to write down the message ID string; in this example it is "35270731". Use any text editor and search for this message ID string before this log line within the same log file. There will be a few lines above it, so you need to find the very first one, which could look similar to this example:
 
19:20:46 F387 DMN: MSG 35270731 Accepted connection: [::ffff:<hacker_IP_address>] ()
 
In this line "DMN" stands for "daemon", which is the part of your GWIA responsible for receiving and sending mails from the Internet. This line tells you that your GWIA (daemon part) accepted a connection from the hacker's computer - the IP address corresponds to the hacker's computer used to send the SPAM mail through your GroupWise system - GWIA.
Before the hacker can send the SPAM mail to Internet recipients, he must authenticate with valid user credentials from your GroupWise system; otherwise his send request will be refused due to the "relay denied" configuration setting of the GWIA. This mail is considered a relay attempt because neither the sender nor any of the recipients are from your GroupWise system.
Search for the next line in the log showing some login activity. This could look like:
 
19:20:47 F387 Successful login with client/server access: <your_PO_IP>:1677
 
This is very important information for you. Now you know which PO to look at to find the hacked account - check which PO has this IP address and C/S port assigned in your GroupWise system using C1. Then look at the log files of this PO from the same day / time that correspond to this line from your GWIA log file. You will certainly find similar successful C/S login activity in the POA log file, but now with the internal GroupWise account information as well. This is the account you should have a close look at, and change its password immediately, which prevents the hacker from sending further SPAM mails.
 
If you want, you can investigate the rest of the GWIA log file - still using the same message ID string to match all lines that belong to the same sending thread. You will see the rest of the log lines after the successful C/S login which correspond to sending the SPAM mail:
 
19:20:47 F387 DMN: MSG 35270731 Receiving file: /<my_domain>/wpgate/gwia/receive/f03b0c15.417       (the hacker sends a message file)
19:20:48 F387 DMN: MSG 35270731 SMTP session ended: [::ffff:<hacker_IP_Address>] ()       (the hacker disconnected from your GWIA)
19:20:56 ED3F MSG 35270731 Processing inbound message: /<my_domain>/wpgate/gwia/receive/f03b0c15.417
19:20:56 ED3F MSG 35270731 Sender: bogus@localhost
19:20:56 ED3F MSG 35270731 Recipient: <internet_recipient_1>
19:20:56 ED3F MSG 35270731 Recipient: <internet_recipient_2>
19:20:56 ED3F MSG 35270731 Recipient: <internet_recipient_3>
 
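The log correlation described in the steps above, automated as an added example (not part of the original TID or of GroupWise itself): it finds every message ID sent by the reported bogus address, picks the very first "Accepted connection" line for that ID to get the connecting IP, and then uses the GWIA thread ID (F387 in the example) to find the "Successful login with client/server access" line that names the PO to check in the POA log. The sample log excerpt is constructed from the lines in this TID; the IP addresses and recipients are placeholders.

```python
import re
from collections import defaultdict

# Constructed sample GWIA log excerpt (Verbose mode) modelled on the lines
# shown in this TID; IP addresses and recipients are placeholder values.
SAMPLE_GWIA_LOG = """\
19:20:46 F387 DMN: MSG 35270731 Accepted connection: [::ffff:203.0.113.5] ()
19:20:47 F387 Successful login with client/server access: 192.0.2.10:1677
19:20:47 F387 DMN: MSG 35270731 Receiving file: /<my_domain>/wpgate/gwia/receive/f03b0c15.417
19:20:48 F387 DMN: MSG 35270731 SMTP session ended: [::ffff:203.0.113.5] ()
19:20:56 ED3F MSG 35270731 Processing inbound message: /<my_domain>/wpgate/gwia/receive/f03b0c15.417
19:20:56 ED3F MSG 35270731 Sender: bogus@localhost
19:20:56 ED3F MSG 35270731 Recipient: someone@example.net
19:20:56 ED3F MSG 35270731 Recipient: other@example.org
"""

LINE_RE = re.compile(r"^(\d\d:\d\d:\d\d) ([0-9A-F]{4}) (.*)$")   # time, thread, rest
MSG_RE = re.compile(r"MSG (\d+) (.*)$")                            # message ID, body
ACCEPT_RE = re.compile(r"Accepted connection: \[(?:::ffff:)?([^\]]+)\]")
LOGIN_RE = re.compile(r"Successful login with client/server access: (\S+)")

def trace_spam_sessions(log_text, bogus_sender):
    """For each message ID sent by bogus_sender, return the time the SMTP session
    was accepted, the connecting client IP, and the PO (IP:port) that handled the
    C/S login on the same GWIA thread, ready for lookup in the POA log."""
    spam_ids = set()
    accepted = {}                # msg_id -> (time, thread, client_ip)
    logins = defaultdict(list)   # thread -> [(time, po_addr)]
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, thread, rest = m.groups()
        if (login := LOGIN_RE.search(rest)):
            logins[thread].append((ts, login.group(1)))
        elif (msg := MSG_RE.search(rest)):
            msg_id, body = msg.groups()
            if body == f"Sender: {bogus_sender}":
                spam_ids.add(msg_id)
            acc = ACCEPT_RE.search(body)
            if acc and msg_id not in accepted:   # the very first one wins
                accepted[msg_id] = (ts, thread, acc.group(1))
    result = {}
    for msg_id in sorted(spam_ids):
        ts, thread, ip = accepted.get(msg_id, (None, None, None))
        # the C/S login that follows the accepted connection on the same thread
        po = next((p for t, p in logins.get(thread, []) if t >= ts), None)
        result[msg_id] = {"accepted_at": ts, "client_ip": ip, "po_login": po}
    return result
```

Feed it the real GWIA log and the reported address; each result gives you the PO address and timestamp to match against that PO's log, where the internal account name appears.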
From the hacker's IP address recorded in the GWIA log file you can find out where this attack comes from. There are web sites on the Internet (IP address locators) which can help you find the hacker's location. However, hackers can easily fake their IP addresses and change them frequently. Therefore, endlessly hunting for IP addresses associated with SPAM attacks in order to add them to a block list on your GWIA might not be the best way to fight back against these attacks, although it is certainly one way to do it. A more efficient way is to change the password of the hacked account in your system and use more complex passwords than a simple "123".
How can you ensure that your users do not use simple passwords like "123"? One option is to set the security on a PO to use LDAP authentication; then within eDirectory you can require more complex passwords which need to be changed often. In addition, you can set intruder detection and limit the number of unsuccessful logins after which the account is locked, so the hacker cannot endlessly try various passwords.