I had an interesting situation last night, something I've not seen before: something - I'm assuming a virus/hack that the user downloaded off the 'Net - was able to use the GroupWise client to send out an alphabet phishing attack.

User called, complaining about getting tons of "undeliverable" emails back. I remoted into her PC and saw it happening: thousands of undeliverables, several Barracuda and other notifications of sending spams (dolts), and a few of people replying "WTF?" (dolts times two). As I was watching, I saw numerous items queuing in Work In Progress (with tildes as the Subject), and I also watched items growing in the Sent folder. This was apparently happening all weekend...

To stop it I shut down her PC, changed her GW password, and logged into her GW account on my PC; after a few minutes the situation stabilized and as of right now it seems to be resolved (other than random undeliverable messages, based on high-time-value retries). So, I'm confident it was something on her PC (which we've re-imaged).

I find this very interesting, because it's the first time I've seen it with GroupWise. I've seen it with Outlook, and I've seen situations where someone downloads a virus that turns their PC into an SMTP 'bot, but since we're behind a firewall and we block SMTP access to the outside world it has never been a problem. But I've never seen a GroupWise system compromised in this way.

I don't claim to understand the mechanics behind the protocols used in GroupWise clients, but I thought I'd pass along this information to see if anyone else has seen this, and/or if this is something we need to keep an eye out for.

For reference, according to my ServiceDesk tech, she was using "some form of GroupWise v7" and he upgraded her to the latest (I've got v8.0.2HP1 out there), and it continued to send email even after being upgraded.
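The symptoms the poster describes (a flood of undeliverables coming back, a burst of sent items with tilde-only subjects, a Sent folder that keeps growing) are exactly the signals a mailbox-side triage check can look for. The following is an added example, written for this edit and not code from the original post or from GroupWise: it runs over a constructed mailbox snapshot (a handful of normal Friday sends, then a weekend burst of "~" messages and the matching NDRs) and flags the account when the peak hourly send rate, the count of placeholder-subject sends, or the inbound NDR count crosses a threshold. The record layout (timestamp, subject, recipient), the thresholds, and the NDR subject patterns are assumptions of this example; a real deployment would feed it from whatever export or API the mail system provides.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample data (not real mailbox contents). The record layout
# (timestamp, subject, recipient) is an assumption of this example, not a
# GroupWise format.
def _normal_sends():
    # Five ordinary messages on a Friday morning, one per hour.
    base = datetime(2010, 1, 15, 9, 0)
    return [(base + timedelta(hours=h), "Q1 budget notes", f"colleague{h}@example.com")
            for h in range(5)]

def _burst_sends():
    # 240 tilde-subject messages starting 02:00 Saturday, one every 30 seconds.
    start = datetime(2010, 1, 16, 2, 0)
    return [(start + timedelta(seconds=30 * i), "~", f"victim{i}@example.net")
            for i in range(240)]

SENT_ITEMS = _normal_sends() + _burst_sends()

INBOX_ITEMS = (
    [(datetime(2010, 1, 15, 10, 0), "Re: Q1 budget notes", "colleague1@example.com")]
    + [(datetime(2010, 1, 16, 2, 5) + timedelta(minutes=i), "Undeliverable: ~",
        "postmaster@example.net") for i in range(40)]
)

# Assumed subject prefixes used by common bounce/NDR generators.
NDR_PATTERN = re.compile(
    r"^(undeliverable|delivery status notification|mail delivery failed|returned mail)",
    re.IGNORECASE,
)

def is_ndr(subject):
    """True if the subject looks like a bounce / non-delivery report."""
    return bool(NDR_PATTERN.match(subject.strip()))

def is_placeholder_subject(subject):
    """True for empty subjects or subjects made only of tildes, as seen in the post."""
    s = subject.strip()
    return s == "" or set(s) <= {"~"}

def peak_hourly_send_rate(sent):
    """Highest number of messages sent within any single clock hour."""
    buckets = Counter(ts.replace(minute=0, second=0, microsecond=0) for ts, _, _ in sent)
    return max(buckets.values()) if buckets else 0

def triage_mailbox(sent, inbox, rate_threshold=50, ndr_threshold=20):
    """Summarise outbound-abuse indicators for one mailbox.

    Thresholds are assumptions for this example; tune them to the user's
    normal volume. Any single indicator over its threshold flags the account.
    """
    peak = peak_hourly_send_rate(sent)
    placeholder = sum(1 for _, subject, _ in sent if is_placeholder_subject(subject))
    ndrs = sum(1 for _, subject, _ in inbox if is_ndr(subject))
    reasons = []
    if peak >= rate_threshold:
        reasons.append(f"peak send rate {peak}/hour >= {rate_threshold}")
    if placeholder >= rate_threshold:
        reasons.append(f"{placeholder} sends with empty/tilde subject")
    if ndrs >= ndr_threshold:
        reasons.append(f"{ndrs} inbound non-delivery reports")
    return {
        "peak_hourly_sends": peak,
        "placeholder_subject_sends": placeholder,
        "ndr_count": ndrs,
        "suspected_compromise": bool(reasons),
        "reasons": reasons,
    }

if __name__ == "__main__":
    report = triage_mailbox(SENT_ITEMS, INBOX_ITEMS)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run as-is it reports a peak of 120 sends per hour, 240 tilde-subject sends and 40 NDRs and flags the mailbox; the same check over only the five Friday messages and the one normal reply stays quiet. The point of keeping three independent indicators is that the NDR flood is what the user notices, but the send-rate and placeholder-subject counts are visible to an administrator before any bounces arrive.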