The problem still exists with IMail 8.15HF2 and the combination listed in
this thread.

Windows 2000 Server
IMail 8.15 HF2
Declude Virus Pro or Standard 1.82
F-Prot
recip.eml (that sends out the sober notifications)

The workaround has been to add "SKIPIFVIRUSNAMEHAS Sober" in the "recip.eml"
file.
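
The thread's strongest evidence is the RegMon capture quoted further down, where IMail1.exe is seen doing a SetValue on the SMTPWIN value under a user key. The script below is an added example, not code from any poster or from Ipswitch or Declude: it parses RegMon-style lines and reports which process wrote SMTPWIN values for which accounts, so an admin can tell a stray IMail client window from a foreign process touching the user keys. It assumes RegMon's whitespace-separated columns (sequence, time, Process:PID, operation, path, result, detail) as in the quoted output; the sample log, the domain name and the extra accounts are constructed for this example, and the ACCDENIED result token is a constructed non-success value.

```python
import re
from typing import Dict, List, Optional

# Constructed sample, modelled on the two RegMon lines quoted in this thread.
# Columns: seq  time  Process:PID  Operation  Path  Result  [Detail]
# "domain.com", the "tech" account and the ACCDENIED line are constructed.
SAMPLE_REGMON_LOG = """\
5083181 271.60950000 svchost.exe:860 QueryValue HKLM\\SOFTWARE\\Ipswitch\\IMail\\Domains\\domain.com\\Users\\postmaster\\Password SUCCESS
5083182 271.60988441 IMail1.exe:1392 CreateKey HKLM\\SOFTWARE\\Ipswitch\\IMail\\Domains\\domain.com\\Users\\postmaster SUCCESS Access: 0x2000000
5083183 271.61018287 IMail1.exe:1392 SetValue HKLM\\SOFTWARE\\Ipswitch\\IMail\\Domains\\domain.com\\Users\\postmaster\\SMTPWIN SUCCESS "20,20,524,350"
5083184 271.61100000 IMail1.exe:1392 SetValue HKLM\\SOFTWARE\\Ipswitch\\IMail\\Domains\\domain.com\\Users\\tech\\SMTPWIN SUCCESS "20,20,524,350"
5083185 271.61200000 IMail1.exe:1392 SetValue HKLM\\SOFTWARE\\Ipswitch\\IMail\\Domains\\domain.com\\Users\\tech\\SMTPWIN ACCDENIED
"""

# One RegMon line: the process name is matched lazily up to ":<pid>".
REGMON_LINE = re.compile(
    r"^(?P<seq>\d+)\s+(?P<time>[\d.]+)\s+(?P<process>.+?):(?P<pid>\d+)\s+"
    r"(?P<op>\w+)\s+(?P<path>\S+)\s+(?P<result>\S+)(?:\s+(?P<detail>.*))?$"
)

# Only the IMail per-user SMTPWIN value is of interest; the key layout is the
# one shown in the quoted RegMon output.
SMTPWIN_PATH = re.compile(
    r"\\IMail\\Domains\\(?P<domain>[^\\]+)\\Users\\(?P<user>[^\\]+)\\SMTPWIN$",
    re.IGNORECASE,
)


def parse_regmon_line(line: str) -> Optional[Dict[str, str]]:
    """Split one RegMon line into named fields, or None if it does not parse."""
    m = REGMON_LINE.match(line.strip())
    return m.groupdict() if m else None


def find_smtpwin_writers(log_text: str) -> List[Dict[str, str]]:
    """Return every successful SetValue on a per-user SMTPWIN value."""
    hits: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        rec = parse_regmon_line(line)
        if rec is None or rec["op"] != "SetValue" or rec["result"] != "SUCCESS":
            continue
        pm = SMTPWIN_PATH.search(rec["path"])
        if not pm:
            continue
        hits.append({
            "process": rec["process"],
            "pid": rec["pid"],
            "domain": pm["domain"],
            "user": pm["user"],
            "value": (rec["detail"] or "").strip('"'),
        })
    return hits


def accounts_by_process(hits: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Group the touched accounts under 'process:pid' for a quick review list."""
    grouped: Dict[str, List[str]] = {}
    for h in hits:
        grouped.setdefault(f'{h["process"]}:{h["pid"]}', []).append(
            f'{h["user"]}@{h["domain"]}'
        )
    return grouped


if __name__ == "__main__":
    for proc, accounts in accounts_by_process(
            find_smtpwin_writers(SAMPLE_REGMON_LOG)).items():
        print(f"{proc} wrote SMTPWIN for: {', '.join(accounts)}")
```

Feed it a saved RegMon log instead of the sample and compare the reported accounts with the user list in the IMail administrator; accounts that appear here but not there are the "blank" entries described in this thread, and a writer other than IMail1.exe would point away from the recip.eml/Sober explanation.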

 

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Monday, December 12, 2005 11:40 AM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] Stranger... about imail1.exe be hijacked.

Brian,

I believe that IMail 8.15 and higher are protected from the exploit that 
you were hit with, and those versions are about a year and a half old 
now.  IMail is certainly targeted on occasion by exploits and spammers 
looking to hijack servers so it is best to keep your server 
appropriately patched, and firewall it so that only the bare minimum 
traffic is allowed in and out of it.

FYI, if I recall correctly, the common hack affected those with IMAP 
enabled.  If you just simply remove the hacked accounts and don't patch 
or disable the targeted services, you will likely get hacked again.

Matt



Crejob.com wrote:

> Actually imail1.exe created several blank accounts in my system,
> like t, te, tech, etc. These accounts show up in the registry and
> webmail admin page, but in the Imail admin and real users folder
> there are no such accounts.
>
> In the registry, these forged accounts all have this record
> SMTPWIN 20,20,524,350
>
> It looks very much like the server is compromised, but as you can
> see from the imail forum message below, someone used
> Regmon and captured that it is Imail1.exe that sets this value.
>
> By the way, if anybody is still under the Imail warranty or service
> agreement, please contact IPSWITCH to solve it as soon as
> possible. Last year, 6 months prior to my warranty expiry, I
> raised this issue to IPswitch tech-support; they took quite a
> few weeks to reply to me with 2 emails, but the problem was not solved
> at all. At that time I did not bother them too much as the
> problem was not severe. These days, when the same problem
> popped up again, I sent them an email with the same ticket No.,
> telling them it's exactly the same issue, but they refuse to give
> me any answer, because my warranty is expired now.
>
> As we can see from the Imail forum list and the declude list, at least
> 6-7 servers are affected, and in the IPSWITCH tech-support database
> there is no record related to SMTPWIN, so I guess they still
> have no idea what really happened to Imail.
>
> ==================================
> http://www.mail-archive.com/imail_forum@list.ipswitch.com/msg85387.html
> Ok,
> I think I found the process that creates the value; it looks like imail1.exe
> is the one creating the registry entry (see below output from RegMon).
> 5083182 271.60988441 IMail1.exe:1392 CreateKey
> HKLM\SOFTWARE\Ipswitch\IMail\Domains\domain.com\Users\postmaster SUCCESS
> Access: 0x2000000
> 5083183 271.61018287 IMail1.exe:1392 SetValue
> HKLM\SOFTWARE\Ipswitch\IMail\Domains\domain.com\Users\postmaster\SMTPWIN
> SUCCESS "20,20,524,350"
> PV
> =======================================================
>
> ----- Original Message ----- From: "Mike Wiegers" <[EMAIL PROTECTED]>
> To: <Declude.Virus@declude.com>
> Sent: Sunday, December 11, 2005 2:49 AM
> Subject: RE: [Declude.Virus] Stranger... about imail1.exe be hijacked.
>
>
>> Brian,
>>
>> Did you have the SMTPWIN entry in your registry file with part of the From
>> address that's used in your "recip.eml" file?
>>
>> Mike
>>
>> -----Original Message-----
>> From: [EMAIL PROTECTED]
>> [mailto:[EMAIL PROTECTED] On Behalf Of Crejob.com
>> Sent: Saturday, December 10, 2005 10:17 AM
>> To: Declude.Virus@declude.com
>> Subject: Re: [Declude.Virus] Stranger... about imail1.exe be hijacked.
>>
>> Hi, Mike
>>
>> You are really helpful!
>> I've inserted the SKIPIFVIRUSNAMEHAS Sober 10 hours
>> before, and the problem seems to have disappeared!
>> I'll keep monitoring it and let you know the result. Once again,
>> thank you!
>>
>> Regards
>> Brian
>>
>> ----- Original Message ----- From: "Mike Wiegers" <[EMAIL PROTECTED]>
>> To: <Declude.Virus@declude.com>
>> Sent: Saturday, December 10, 2005 1:49 AM
>> Subject: RE: [Declude.Virus] Stranger... about imail1.exe be hijacked.
>>
>>
>>> What I think it might be is a combination of several things and here are
>>> some of the common things that I have with information gathered on the
>>> different lists:
>>>
>>> Seems to have first started with IMail 8.x
>>> Running Declude Pro, Virus (f-prot), Hijack 1.82
>>> Sober virus seems to trigger this event along with the recip.eml file
>>>
>>> IMail Client (Imail1.exe) will pop up on the server with random addresses in
>>> the To and CC field of the client. It seems that the message that is trying
>>> to be sent out is the contents of the recip.eml that Declude uses.
>>>
>>> Will see the registry changes with the SMTPWIN entry under the Users. It
>>> seems that this entry is made if you use the IMail Client on the server. In
>>> our case the entries added are part of the email address used in the From
>>> field of the recip.eml.
>>>
>>> The way we stopped this from happening was adding the "SKIPIFVIRUSNAMEHAS
>>> Sober" in the "recip.eml" file.
>>>
>>> I'm not sure why it happens on only certain servers, but that's what we have
>>> found. I haven't been convinced that the server was hacked. Rebuilding the
>>> servers may have corrected the problem, but still not sure the servers are
>>> being hacked.
>>>
>>> Does anyone have the same common items having this problem?
>>>
>>> Thanks,
>>> Mike
>>>
>>>
>>>
>>> ________________________________
>>>
>>> From: [EMAIL PROTECTED]
>>> [mailto:[EMAIL PROTECTED] On Behalf Of Crejob.com
>>> Sent: Friday, December 09, 2005 9:33 AM
>>> To: Declude.Virus@declude.com
>>> Subject: Re: [Declude.Virus] Stranger... about imail1.exe be hijacked.
>>>
>>>
>>> Maybe, but if you check the maillist history, quite a few servers have had the
>>> same problem in the past 1.5 years, and the problem persists. If there is
>>> any virus or trojan, some antivirus program should be able to detect it now.
>>>
>>> I suspect this is an issue of imail webmail; that's why it bypasses
>>> declude.
>>>
>>>
>>> ----- Original Message ----- From: John T (Lists) <mailto:[EMAIL PROTECTED]>
>>> To: Declude.Virus@declude.com
>>> Sent: Friday, December 09, 2005 4:15 PM
>>> Subject: RE: [Declude.Virus] Stranger...
>>>
>>>
>>> I do not think this is either an Imail or Declude issue, rather a
>>> server security issue, or rather a compromise of server security.
>>>
>>>
>>>
>>> Sounds like you have some type of virus or Trojan on that server.
>>>
>>>
>>>
>>> John T
>>>
>>> eServices For You
>>>
>>>
>>>
>>> -----Original Message-----
>>> From: [EMAIL PROTECTED]
>>> [mailto:[EMAIL PROTECTED] On Behalf Of Crejob.com
>>> Sent: Thursday, December 08, 2005 9:57 PM
>>> To: Declude.Virus@declude.com
>>> Subject: Re: [Declude.Virus] Stranger...
>>>
>>>
>>>
>>> Does anybody have the answer to this problem?
>>>
>>> After 1.5 years, this problem still remains.
>>>
>>> And IPSWITCH never gave me a clear answer about it.
>>>
>>>
>>>
>>> ----- Original Message -----
>>> From: serge <mailto:[EMAIL PROTECTED]>
>>>
>>> To: Declude.Virus@declude.com
>>>
>>> Sent: Tuesday, June 08, 2004 7:46 AM
>>>
>>> Subject: Re: [Declude.Virus] Stranger...
>>>
>>>
>>>
>>> I know imail1 is a command line mailer
>>>
>>> but how do I find what is causing the imail1 window to be
>>> open and filled with all these addresses?
>>>
>>> see attached gif
>>>
>>>
>>>
>>>
>>>
>>> ----- Original Message -----
>>> From: Darin Cox <mailto:[EMAIL PROTECTED]>
>>>
>>> To: Declude.Virus@declude.com
>>>
>>> Sent: Monday, June 07, 2004 10:21 PM
>>>
>>> Subject: Re: [Declude.Virus] Stranger...
>>>
>>>
>>>
>>> Does this shed any light?
>>>
>>>
>>>
>>> http://support.ipswitch.com/kb/IM-19980119-DD10.htm
>>>
>>>
>>> Darin.
>>>
>>>
>>>
>>>
>>>
>>> ----- Original Message -----
>>> From: Serge <mailto:[EMAIL PROTECTED]>
>>>
>>> To: Declude.Virus@declude.com
>>>
>>> Sent: Monday, June 07, 2004 3:55 PM
>>>
>>> Subject: [Declude.Virus] Stranger...
>>>
>>>
>>>
>>> hi all
>>>
>>> urgent help needed
>>>
>>> I have the imail1 client window ("create mail message")
>>> popping up on my server with all kinds of real and strange addresses in the TO:
>>> and CC: fields.
>>>
>>> The window remains open on the server desktop.
>>>
>>> Is this a virus? How can I identify the
>>> service/virus/application causing this?
>>>
>>>
>>>
>>> TIA
>>>
>>>
>>> ---
>>> [This E-mail was scanned for viruses by Declude EVA www.declude.com]
>>>
>>> ---
>>> This E-mail came from the Declude.Virus mailing list.  To
>>> unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
>>> type "unsubscribe Declude.Virus".    The archives can be found
>>> at http://www.mail-archive.com.
>>>
>>
>>
>
>