Respected Contributor.

Who is sending through my GWIA?


GW2014.0.2-120664 running on SLES 11.3

Noticed some suspicious activity in my GWIA logs:

23:43:47 295F MSG 4024405  Command:  eoi.mc
23:43:47 295F MSG 4024405  Response: 220 mtaipromx.mail.monaco.mc ESMTP
23:43:47 295F MSG 4024405  Command:  EHLO  XXXX.XXXX.com
23:43:47 295F MSG 4024405  Response: 250 ok
23:43:47 295F MSG 4024405  Command:  MAIL FROM:<ljakobsen@ddtid.dk>
23:43:47 295F MSG 4024405  Response: 553 #5.1.8 Domain of sender address <ljakobsen@ddtid.dk> does not exist

This repeats every sixty seconds, attempting delivery to different email servers each time. The account (<ljakobsen@ddtid.dk>) is not a legitimate user on our system. Looks to me like a bot has discovered my GWIA and is using it to relay. My GWIA requires authentication, but I cannot tell from the log which account is being used to send.

Does anyone have any advice on how I might find that information?

Accepted Solutions
Knowledge Partner

Re: Who is sending through my GWIA?


You need to set your logs to verbose, and then correlate the GWIA and the POA logs. The POA logs will tell you which user has been compromised.

CU,
--
Massimo Rosen
Micro Focus Knowledge Partner
No emails please!
http://www.cfc-it.de

Respected Contributor.

Re: Who is sending through my GWIA?


Here's what that evidence looks like. From the GWIA log:

05:09:58 98C7 DMN: MSG 4059124 Accepted connection: [XXX.XXX.XXX.XXX] (device.domain.tld)

And now from the corresponding POA log:

05:09:45 95B1 C/S Login GWIA/Imap  ::GW Id=USERNAME :: XXX.XXX.XXX.XXX [ADDRESS OF AUTHENTICATING PO]

Contacted the user to assist in changing the password. No problems since.

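As an added example (not code from this thread or from GroupWise), here is the GWIA-to-POA correlation Massimo describes, run over constructed log lines modelled on the two formats quoted above; the usernames, IP addresses, thread ids and the 30-second matching window are all assumptions.

```python
"""Correlate GWIA 'Accepted connection' records with POA 'C/S Login GWIA/...'
records to find which mailbox authenticated for each inbound SMTP session.
All sample lines below are constructed placeholders, not real log data."""
import re
from collections import Counter
from datetime import datetime, timedelta

# GWIA verbose log: time, thread id, then the remote client that connected
GWIA_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d) [0-9A-F]+ DMN: MSG \d+ "
    r"Accepted connection: \[(?P<ip>[\d.]+)\]"
)
# POA verbose log: the GWIA logging in on behalf of a mailbox user
POA_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d) [0-9A-F]+ C/S Login GWIA/\w+\s+::GW Id=(?P<user>\S+) ::"
)

def _t(hhmmss):
    return datetime.strptime(hhmmss, "%H:%M:%S")

def correlate(gwia_lines, poa_lines, window_s=30):
    """Return {user: Counter(remote_ip)} for POA GWIA logins that fall within
    window_s seconds (either direction, since the two servers' clocks and the
    log write order differ) of a GWIA accepted connection."""
    logins = [(_t(m["time"]), m["user"])
              for m in map(POA_RE.match, poa_lines) if m]
    window = timedelta(seconds=window_s)
    hits = {}
    for m in filter(None, map(GWIA_RE.match, gwia_lines)):
        when = _t(m["time"])
        for t, user in logins:
            if abs(t - when) <= window:
                hits.setdefault(user, Counter())[m["ip"]] += 1
    return hits

# Constructed samples: one remote host reconnecting once a minute (as in the
# original post), one unrelated partner MTA, and one login far from any session.
GWIA_SAMPLE = [
    "05:09:58 98C7 DMN: MSG 4059124 Accepted connection: [203.0.113.10] (host-a.example)",
    "05:10:58 98C8 DMN: MSG 4059130 Accepted connection: [203.0.113.10] (host-a.example)",
    "05:30:02 98D1 DMN: MSG 4059210 Accepted connection: [198.51.100.7] (mx.partner.example)",
]
POA_SAMPLE = [
    "04:00:00 95A0 C/S Login GWIA/Imap  ::GW Id=legit :: 10.0.0.5",
    "05:09:45 95B1 C/S Login GWIA/Imap  ::GW Id=jdoe :: 10.0.0.5",
    "05:10:46 95B2 C/S Login GWIA/Imap  ::GW Id=jdoe :: 10.0.0.5",
    "05:29:50 95C0 C/S Login GWIA/Imap  ::GW Id=asmith :: 10.0.0.5",
]

if __name__ == "__main__":
    for user, ips in correlate(GWIA_SAMPLE, POA_SAMPLE).items():
        print(user, dict(ips))  # the account to reset is the one tied to the repeating IP
```

A user whose logins line up with the same remote address minute after minute is the compromised mailbox; the IP on the POA side is the GWIA itself, so the remote address has to come from the GWIA record.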