>Hello,
>
> I know this message is long, but I called Ipswitch Support twice on
> Wednesday about a problem I am having with my IMail Server and the phone
> support I have gotten has not addressed my issue here and I need all the
> help I can get right now. I am running 7.03 HF1 on NT4 Server with SP6a.
> I am only running IMail on this machine. No IIS or other server programs.
>
> We started seeing problems on Tuesday like everyone else, but we are
> running IMail on a server by itself... No IIS. I am seeing a lot of
> malformed header requests in the logs like the Code Red I & II virus does
> to IIS servers and -- this is the odd part -- some BRO*.tmp files in my
> spool directory that are most definitely being caused by people browsing
> WebMail. It is causing web messaging to crawl, but other than that I have
> not seen what everyone else seems to be seeing with the Nimda virus. No
> other characteristics of the Nimda virus at all. I honestly do not
> believe that we have been infected...
You don't have to be infected to be DoS'ed. The DoS is working in your
case: your service is impaired due to the overwhelming number of incoming (DoS)
requests.
>Here is a snippet from the logs...
All Nimda crap, AFAICS.
> This seems to be a problem specific to IMail's Web Messaging program
> not properly filtering out these malformed requests.
Hmm, if it's do-able, I'm not surprised Web Messaging isn't programmed from
a hyper-paranoid POV. So you must supply the paranoia.
> When Web Messaging is off, the server runs like a dream.
Yes, of course.
> It is one thing to patch an IIS server with a patch from the product
> vendor, but I honestly don't have a clue as to what else I can do to stop
> this DoS attack from happening on my IMail box without implementing a
> firewall system for that server.
That's what you have to do for all your servers. You need some highly
flexible anti-abuse machine between your public servers and the Internet, so
you have an opportunity to stop/reduce the DoS before it DoS's your client
service. IMGate does this for the SMTP service; e.g., I installed an IMGate
for a KY IMail fella where IMGate is now rejecting 300K msgs/24 hours.
You need something like that for the HTTP/HTTPS service. Cisco has a
content-filtering approach they published this week for Nimda. To show you
the magnitude of the problem, I read one msg where a Linux user had a routine
that read his http logs for readme.exe and admin.dll requests, and dynamically
created a blocking rule for his ipchains firewall. His ruleset grew
to blocking 45,000 IPs!!
> I am seeing a ton of incoming traffic in our T1 logs so I know that it
> is coming in from the outside, but what I need to know is what can I do
> to make IMail filter out these requests? Help please.
You're learning the hard way what I've been saying for a long time: do NOT
put your mailbox server directly onto the Internet.
Len
http://MenAndMice.com/DNS-training
http://BIND8NT.MEIway.com : ISC BIND 8.2.4 for NT4 & W2K
http://IMGate.MEIway.com : Build free, hi-perf, anti-abuse mail gateways
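As an added example (not part of the original thread, and not Len's or the IMGate project's code), this Python script does on the defender's side what the Linux user's routine above is described as doing: it parses web-server access-log lines for the readme.exe and admin.dll probe strings the post names (plus cmd.exe and root.exe, two other well-known Nimda probe paths), counts probes per source address, and emits a firewall deny rule only for sources that cross a threshold, which limits the ruleset growth the post describes. The log lines are constructed, the Common Log Format layout and the ipchains rule syntax are assumptions, and the script only prints rules rather than applying them.

```python
import re
from collections import Counter

# Constructed sample access-log lines in Common Log Format (not from the post).
# 203.0.113.7 and 198.51.100.23 are scanning; 192.0.2.44 is a real WebMail
# user who happens to trip one probe string once.
SAMPLE_LOG = """\
203.0.113.7 - - [19/Sep/2001:10:01:02 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 210
203.0.113.7 - - [19/Sep/2001:10:01:03 -0400] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 210
203.0.113.7 - - [19/Sep/2001:10:01:04 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 210
198.51.100.23 - - [19/Sep/2001:10:02:10 -0400] "GET /readme.exe HTTP/1.0" 404 210
198.51.100.23 - - [19/Sep/2001:10:02:11 -0400] "GET /scripts/admin.dll HTTP/1.0" 404 210
192.0.2.44 - - [19/Sep/2001:10:03:00 -0400] "GET /webmail/inbox.htm HTTP/1.1" 200 5120
192.0.2.44 - - [19/Sep/2001:10:03:05 -0400] "GET /readme.exe HTTP/1.0" 404 210
"""

# Assumed Common Log Format: ip ident user [timestamp] "METHOD path proto" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# readme.exe and admin.dll are the strings the post names; cmd.exe and root.exe
# are other well-known Nimda probe paths. Matching is case-insensitive.
NIMDA_PROBES = ("readme.exe", "admin.dll", "cmd.exe", "root.exe")


def parse_line(line):
    """Return the parsed fields of one log line, or None if it is not CLF."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_probe(path):
    """True when the requested path contains a known Nimda probe string."""
    p = path.lower()
    return any(sig in p for sig in NIMDA_PROBES)


def find_offenders(log_text, threshold=2):
    """Map source IP -> number of probe requests, for IPs at or above threshold.

    The threshold is the guard against the 45,000-rule growth the post mentions:
    a single stray hit (a legitimate user, a proxy) does not earn a rule.
    """
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_probe(rec["path"]):
            counts[rec["ip"]] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


def block_rules(offenders, chain="input"):
    """Render one ipchains-style deny rule per offending source (syntax assumed).

    Rules deny TCP to port 80 from the source; they are returned as text so an
    operator can review them before loading them into the firewall.
    """
    return [
        f"ipchains -A {chain} -p tcp -s {ip} -d 0.0.0.0/0 80 -j DENY"
        for ip in sorted(offenders)
    ]


if __name__ == "__main__":
    hits = find_offenders(SAMPLE_LOG)
    for ip, n in sorted(hits.items()):
        print(f"{ip}: {n} probe requests")
    for rule in block_rules(hits):
        print(rule)
```

Run it and 203.0.113.7 (three probes) and 198.51.100.23 (two) get rules while 192.0.2.44 does not. Without some expiry or periodic flush the generated list only grows, which is exactly how the ruleset in the post reached 45,000 entries; rate-limiting or time-boxing the rules is the usual fix.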
______________________________________________________________________
The HKSI-IMail Admin List is hosted by........ Humankind Systems, Inc.
Questions, Comments or Complain like Hell.. mailto:[EMAIL PROTECTED]
Message Archive... http://www.tallylist.com/archives/index.cfm/mlist.4
To Manage your Subscription......... http://humankindsystems.com/lists