[ngw] GroupWise 2012 sp4 SOAP and the html attachment chronicles

Thys de Beer Thys at nwpg.gov.za
Wed May 17 13:59:15 UTC 2017

Hi All,
Please don't shoot me for still being on GW2012...

OK so... this was logged at NTS as well, and we came to the conclusion that the users' passwords have been compromised, that the phishing guys are using their email addresses and passwords (this I can't really deny, because when the users ran the script they provided their emails and passwords, and these were then used to send thousands of emails from our system), and that they are using WebAccess to gain this access. As I do not have PO access outside the firewall, and my GWIAs are also behind a firewall, behind SpamTitan mail relays, the only "things" accessible to users for GroupWise from outside are WebAccess and Mobility. I checked: the users in question are not all on Mobility, so that is ruled out. Then I checked my WebAccess admin console: the users sending these emails are not logged into WebAccess. These emails are coming via the PO, to the GWIA, to SpamTitan; I can even see these infected messages in Retain, where they have been archived. My internal GWIAs are locked down: PCs/devices cannot connect to them via SMTP, ONLY a very few servers and the SpamTitan relays, so users cannot access GW via the GWIA.

So what is left? Is there a script/virus/malware that connects to the PO directly as the user? But that is not possible, right? Maybe these days with SOAP? That is my ONLY and last explanation. Or has anybody else seen this? And as soon as I block the one "proof of payment.html", not long after that there will be a "Proof_of_Payment.html", then "Proof_of_Payment(1).html", and so it goes on and on. I am standing at 15 variants of this HTML file now. Yes, there is something on the network/PCs, but I just want it out of GroupWise. How in the world does it get in? Nothing is supposed to get in, right? And if I could see all these connections on WebAccess the explanation would have been easy, and I would have blocked those IPs, but nothing, not even WebAccess connections from internal IPs that can account for this. It really, really seems it is coming from the users' desktops internally. BUT HOW? And yes, Trend Micro on the desktops does not pick anything up. Sophos, for instance, would pick up some stuff, BUT nothing that I can see that can "access GW".

And the thing is, the JavaScript in these HTML files does not raise any flags.

I have blocked ALL html and htm files since yesterday, but that is not really feasible; plenty of legit emails are now blocked, and I have to check and release legit mails constantly. No life for a GW admin. Feels like I am running lookout....
Kind Regards,

Thys de Beer
NWPG Office of the Premier
GITO: Infrastructure
Deputy Dir: Server Administration
018 388 3828
Novell -- CNE
Microsoft -- MCITP- Enterprise Administrator
Microsoft -- MCSE- Private Cloud
Vmware -- VCP5
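The post describes blocking every .html/.htm attachment because each blocked lure comes back under a slightly different name ("proof of payment.html", "Proof_of_Payment.html", "Proof_of_Payment(1).html"). As an added example, not code from the original post and not a GroupWise or SpamTitan feature, the following MIME-level filter shows a narrower rule: normalise the attachment filename so copy suffixes, underscores and case collapse to one stem, and combine that with a few cheap indicators of obfuscated JavaScript inside the attachment, so that a renamed lure is still caught while plain HTML invoices pass. The lure stem, the indicator list, the two-indicator threshold and the sample messages are all assumptions constructed for this example; the indicators are generic heuristics, not a signature for any particular malware. It does not answer the SOAP question in the post.

```python
"""Constructed example: flag 'Proof of Payment' HTML attachment variants and
obfuscated-script HTML instead of blocking every .html/.htm attachment."""
import email
import hashlib
import re
from email import policy

# Lure stems to block outright. Assumed from the filenames quoted in the post;
# extend this set as new lure names appear.
BLOCKED_STEMS = {"proof of payment"}

# Cheap indicators of script obfuscation inside an HTML attachment. These are
# illustrative heuristics chosen for this example, not a malware signature.
JS_INDICATORS = [
    re.compile(r"\beval\s*\(", re.I),
    re.compile(r"\bunescape\s*\(", re.I),
    re.compile(r"String\.fromCharCode", re.I),
    re.compile(r"document\.write\s*\(", re.I),
    re.compile(r"\batob\s*\(", re.I),
    re.compile(r"[A-Za-z0-9+/=]{200,}"),  # long base64-looking blob
]
INDICATOR_THRESHOLD = 2  # assumed: two or more indicators is enough to block


def normalise_name(filename):
    """Reduce 'Proof_of_Payment(1).html' and 'Proof of Payment (2).htm' to
    the single stem 'proof of payment'."""
    stem = filename.rsplit(".", 1)[0] if "." in filename else filename
    stem = re.sub(r"\s*\(\d+\)\s*$", "", stem)      # drop "(1)", "(2)" copy suffixes
    stem = re.sub(r"[\s_\-]+", " ", stem).strip()   # unify separators
    return stem.lower()


def is_html_part(part):
    name = (part.get_filename() or "").lower()
    return part.get_content_type() == "text/html" or name.endswith((".htm", ".html"))


def inspect_message(raw):
    """Return one finding per HTML attachment with a block/allow verdict."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if not name or not is_html_part(part):
            continue  # inline body parts have no filename; only attachments are scored
        payload = part.get_payload(decode=True) or b""
        text = payload.decode("utf-8", errors="replace")
        hits = [p.pattern for p in JS_INDICATORS if p.search(text)]
        stem = normalise_name(name)
        verdict = "block" if stem in BLOCKED_STEMS or len(hits) >= INDICATOR_THRESHOLD else "allow"
        findings.append({
            "filename": name,
            "stem": stem,
            "sha256": hashlib.sha256(payload).hexdigest(),  # for per-variant tracking
            "indicators": hits,
            "verdict": verdict,
        })
    return findings


def build_sample(filename, html):
    """Constructed sample message (not a captured one) with one HTML attachment."""
    return (
        "From: user@example.invalid\r\nTo: victim@example.invalid\r\n"
        "Subject: Proof of payment\r\nMIME-Version: 1.0\r\n"
        'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
        "--b1\r\nContent-Type: text/plain\r\n\r\nPlease see attached.\r\n"
        f'--b1\r\nContent-Type: text/html; name="{filename}"\r\n'
        f'Content-Disposition: attachment; filename="{filename}"\r\n'
        "Content-Transfer-Encoding: 8bit\r\n\r\n" + html + "\r\n--b1--\r\n"
    ).encode("ascii")


# Constructed lure: a base64 blob decoded and written into the page at runtime.
LURE_HTML = ('<html><body><script>var p="' + "A" * 240 +
             '";document.write(unescape(atob(p)));</script></body></html>')
# Constructed benign attachment: plain HTML with no script.
BENIGN_HTML = "<html><body><h1>Invoice 1234</h1><p>Total: 10.00</p></body></html>"

if __name__ == "__main__":
    for fname, body in [("Proof_of_Payment(1).html", LURE_HTML),
                        ("Remittance.html", LURE_HTML),
                        ("invoice_1234.html", BENIGN_HTML)]:
        for f in inspect_message(build_sample(fname, body)):
            print(f["verdict"], f["filename"], f["stem"], len(f["indicators"]), f["sha256"][:12])
```

Because the stem check and the script heuristics are independent, a lure that is renamed to something outside the blocked set is still stopped by its content, and an HTML invoice with no script still gets through; the SHA-256 per attachment gives a stable handle for counting variants of the same campaign across the relay logs.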
