RE: [IMail Forum] SMTP Exploit Scanning Going on NOW

[Beach Computers]

Is there a way to do a global ban from [EMAIL PROTECTED]? The only way I know is to create a rule for each domain which can be a nightmare.       Dave =================================== Beach Computers Affordable Hosting Solutions http://www.beachcomp.com =================================== Cheap Domain Warehouse Get Your Own Dot! http://www.cheapdomainwarehouse.com   ------------------------------------ Disclaimer and confidentiality note: The contents of this communication are intended/meant only for addressee(s) and may contain information that is privileged or otherwise confidential. If you are not the intended recipient you are hereby notified that any disclosure, copying, distribution or taking any action in reliance on the contents of this information is strictly prohibited and may be unlawful. The contents of this e-mail shall not be forwarded to any third party. If you have received this electronic mail transmission in error, please delete it from your system without copying or forwarding it, and notify the sender of the error by reply email, so that the sender's address records can be corrected. Views and opinions are solely those of the sender unless clearly indicated as being that of Beach Computers or any of it's affiliated companies. Beach Computers cannot assure that the integrity of this communication has been maintained or that it is free of errors, virus, interception or interference.   From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike N Sent: Sunday, October 29, 2006 9:15 AM To: Imail_Forum@list.ipswitch.com Subject: Re: [IMail Forum] SMTP Exploit Scanning Going on NOW The fact that it crashes means that it could be exploited if someone gets a copy of 8.12 and determines offsets for your OS and Imail.  In the meantime, also try banning e-mail from the user [EMAIL PROTECTED] [ this might cause it to drop the connection before looking at the exploit.  Of course they can also have the FROM user to be anything in the future] .   ----- Original Message ----- From: Eddie Pang To: Imail_Forum@list.ipswitch.com Sent: Sunday, October 29, 2006 8:11 AM Subject: RE: [IMail Forum] SMTP Exploit Scanning Going on NOW Hi All,   Sorry I am running V8.12 and not 8.15 as previously reported.    I have compiled the exploit, and ran it against my server.  With version 8.12, I am not getting any of the injections as described (share, new user, port 4444 bind) .  However, after running the exploit all smtp will not respond to any connection request. You will have to manually stop/start SMTP to regain full function once again.   Here is the catch22.  You will need to enable Monitor Services if you wish to have SMTP auto restart should it hang.  This service in the past has created a bunch of networking issues for a few users..   Also, I am not seeing the same info as http://www.mail-archive.com/imail_forum%40list.ipswitch.com/msg108489.html .   My log looks like 10:29 02:43 SMTPD(a1dc000b002a1d33) [xxx.xxx.xxx.xxx] EHLO 10:29 02:43 SMTPD(a1dc000b002a1d33) [xxx.xxx.xxx.xxx] MAIL FROM <[EMAIL PROTECTED]> 10:29 02:43 SMTPD(a1dc000b002a1d33) [xxx.xxx.xxx.xxx] RCPT TO: <@qo: 10:29 02:44 SMTPD(0000000000000000) server starting on port 25 of student.chaminade.edu <<< AUTO RESTART OF SMTP via Monitor after SMTP fails to respond..   Display of Options from executable. ================================================= IMail 2006 and 8.x SMTP 'RCPT TO:' Stack Overflow Exploit Coded by Greg Linares < glinares.code  [at] GMAIL [dot] com > Usage: imailexploit [hostname] [port] <Payload> <JMP> Default port is 25   ============================== Payload Options: 1 = Default ============================== 1 = Share C:\ as 'Export' Share 2 = Add User 'Error' with Password 'Error' 3 = Win32 Bind CMD to Port 4444 4 = Change Administrator Password to '[EMAIL PROTECTED]' ============================== JMP Options: 1 = Default ============================== 1 = IMAIL 8.x SMTPDLL.DLL    [pop ebp, ret] 0x10036f71 2 = Win2003 SP1 English NTDLL.DLL [pop ebp, ret] 0x7c87d8af 3 = Win2003 SP0 English USER32.DLL [pop ebp, ret] 0x77d02289 4 = WinXP SP2 English NTDLL.DLL [pop ebp, ret] 0x7c967e23 5 = WinXP SP1 - SP0 English USER32.DLL [pop ebp, ret] 0x71ab389c 6 = Win2000 Universal English USER32.DLL [pop ebp, ret] 0x75021397 7 = Win2000 Universal French USER32.DLL [pop ebp, ret] 0x74fa1397 8 = Windows XP SP1 - SP2 German USER32.DLL [pop ebp, ret] 0x77d18c14     Hope this provides some info, atleast to users of Version 8.12.   Eddie :)