There are several ids for some groups using, for example: M13.id is used by the M13 group. These days, I found that someone attempted to access all people's mail by M13.id recorded in the server log. Of course, he couldn't because of ACL. But if there is something wrong in the ACL of someone's mail database, he will access the mail.
Is there a way to find who attempt to mail? (I guess that the user runs programs to do this, because he can attempt to access a lot of mails in one second.)
Let me make sure I understand what you are saying... Someone using the ID file named M13.id ran a program that tried to read many mail files within one second. All of these attempts failed (except maybe M13's mailfile) because the mailfile ACL prevented access. You want to find out who tried to do this. Assuming this is correct, here is my answer...
The only way I can think to find out the person is by checking the IP address that the attempts came from and matching this IP address to a specific location. This requires you to know two things:
1) What IP address were they using?
2) Where is the computer with this IP address?
Let's look at #1 first... If the hacker is coming in from a Web browser (using Domino as a web server) then the log file DOMLOG.NSF records the IP address of every web access, so you are all set. If the user is coming in from a Notes client over a local area network, the standard log file LOG.NSF does not record the IP address of every access. (If someone knows how to do this, please let me know.) You may need to use a separate network analyzer and tell it to keep a log of all network traffic on TCP/IP port 1352 (the Notes port).
Now let's look at #2.... If the hacker was using a computer at your company, this is fairly easy. All of your machines probably have static IP address and you should have a network map of the IP address for each office. If the hacker is outside the company, you will have a hard time finding them based on their IP address. This is not impossible though, since the Internet Assigned Number Authority knows who has which IP addresses. (www.iana.org) If the hacker is breaking the law, I believe the police can get information from IANA about where the hacker is located.
This was first published in January 2002