http://www.eeye.com/html/Research/Advisories/AD20000817.html, still works, why?

I myself know of about 15 exploits for IMail, and have insulated myself by locking down all but a few selected TCP and UDP ports.

SMTP relay is closed; SMTP is disabled at both the IMail AND the WinNT services level. Now why does it restart every time the crashimail (seen above) exploit is used on me? Why is the only way to disable SMTP in IMail to stop all the services and rename it? After I figured the deletion of SMTP would hinder my ability to actually use the server, I would need to reactivate it.

Mind you, my spool directory was now 2 GB and nearly 500k files... have you ever tried to delete that many files in Win2k? You can't; you can't delete the directory, you need to del *.* and wait 12, yes TWELVE HOURS, to clean it up. isplcln dies after 2 minutes in that directory. (dual Xeon 2 GHz, 4 GB RAM)

IMail 7.14 logs (mind you, none of those ports are live; this is today, and I have the ONLY account on the box that is active), so why the long logfiles?
02:15 03:52 SMTPD(005000F2) [61.30.68.50] EHLO up-xp
02:15 03:52 SMTPD(005000F2) [61.30.68.50] MAIL FROM:<[EMAIL PROTECTED]>
02:15 03:52 SMTPD(005000F2) [61.30.68.50] RCPT TO:<[EMAIL PROTECTED]>
02:15 03:52 SMTPD(005000F2) [61.30.68.50] ERR [MYDOMAIN].com invalid user <[EMAIL PROTECTED]
02:15 03:53 SMTPD(005100F2) [66.238.42.209] connect 61.30.74.3 port 4714
02:15 03:53 SMTPD(005100F2) [61.30.74.3] EHLO down-me
02:15 03:53 SMTPD(005100F2) [61.30.74.3] MAIL FROM:<[EMAIL PROTECTED]>
02:15 03:53 SMTPD(005100F2) [61.30.74.3] RCPT TO:<[EMAIL PROTECTED]>
02:15 03:53 SMTPD(005100F2) [61.30.74.3] ERR [MYDOMAIN].com invalid user <[EMAIL PROTECTED]
02:15 03:54 SMTPD(005200F2) [66.238.42.209] connect 61.64.100.8 port 2297
02:15 03:54 SMTPD(005200F2) [61.64.100.8] EHLO mark-hr442moy15
02:15 03:54 SMTPD(005200F2) [61.64.100.8] MAIL FROM:<[EMAIL PROTECTED]>
02:15 03:54 SMTPD(005200F2) [61.64.100.8] RCPT TO:<[EMAIL PROTECTED]>
02:15 03:54 SMTPD(005200F2) [61.64.100.8] ERR [MYDOMAIN].com invalid user <[EMAIL PROTECTED]
02:15 03:54 SMTPD(005300F2) [66.238.42.209] connect 61.30.68.50 port 3195
02:15 03:54 SMTPD(005300F2) [61.30.68.50] EHLO up-xp
02:15 03:54 SMTPD(005300F2) [61.30.68.50] MAIL FROM:<[EMAIL PROTECTED]>
02:15 03:54 SMTPD(005300F2) [61.30.68.50] RCPT TO:<[EMAIL PROTECTED]>
02:15 03:54 SMTPD(005300F2) [61.30.68.50] ERR [MYDOMAIN].com invalid user <[EMAIL PROTECTED]
02:16 02:56 SMTPD(023900F2) [61.30.74.217] EHLO up-xp
02:16 02:56 SMTPD(023900F2) [61.30.74.217] MAIL FROM:<[EMAIL PROTECTED]>
02:16 02:56 SMTPD(023900F2) [61.30.74.217] RCPT TO:<[EMAIL PROTECTED]>
02:16 02:56 SMTPD(023900F2) [61.30.74.217] MAIL FROM:<[EMAIL PROTECTED]>
02:16 02:56 SMTPD(023900F2) [61.30.74.217] RCPT TO:<[EMAIL PROTECTED]>
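As an added example (not from the post, and not Ipswitch code): a small parser for the IMail SMTPD log layout shown above that groups lines by session id and flags remote addresses that repeatedly hit "invalid user" rejections, which is the pattern the logs above show. It assumes the first field is an MM:DD date, and that on a "connect" line the bracketed address is the server's own while the remote peer is the address named after "connect"; the sample lines are constructed with documentation addresses.

```python
import re
from collections import defaultdict

# IMail 7.x SMTPD log layout as it appears in the post (first field assumed to be an MM:DD date):
# "<MM:DD> <HH:MM> SMTPD(<session>) [<ip>] <message>"
LINE_RE = re.compile(r"^\d\d:\d\d \d\d:\d\d SMTPD\((?P<sid>[0-9A-F]+)\) \[(?P<ip>[\d.]+)\] (?P<msg>.*)$")
CONNECT_RE = re.compile(r"^connect (?P<peer>[\d.]+) port \d+$")
# Constructed sample in the same layout (documentation IPs and example.com addresses, not the post's).
SAMPLE_LOG = """\
02:15 03:53 SMTPD(005100F2) [192.0.2.10] connect 198.51.100.7 port 4714
02:15 03:53 SMTPD(005100F2) [198.51.100.7] EHLO down-me
02:15 03:53 SMTPD(005100F2) [198.51.100.7] MAIL FROM:<bulk@example.net>
02:15 03:53 SMTPD(005100F2) [198.51.100.7] RCPT TO:<nobody@example.com>
02:15 03:53 SMTPD(005100F2) [198.51.100.7] ERR example.com invalid user <nobody@example.com>
02:15 03:54 SMTPD(005200F2) [192.0.2.10] connect 198.51.100.7 port 2297
02:15 03:54 SMTPD(005200F2) [198.51.100.7] RCPT TO:<guest@example.com>
02:15 03:54 SMTPD(005200F2) [198.51.100.7] ERR example.com invalid user <guest@example.com>
02:16 02:56 SMTPD(023900F2) [192.0.2.10] connect 203.0.113.5 port 1025
02:16 02:56 SMTPD(023900F2) [203.0.113.5] RCPT TO:<admin@example.com>
"""

def parse_sessions(text):
    """Group lines by SMTPD session id -> {"peer": ip, "rcpt": n, "invalid": n}."""
    sessions = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # tolerate wrapped or foreign lines
        s = sessions.setdefault(m["sid"], {"peer": None, "rcpt": 0, "invalid": 0})
        c = CONNECT_RE.match(m["msg"])
        if c:
            s["peer"] = c["peer"]  # on a connect line the bracketed IP is the server's own address
        else:
            s["peer"] = s["peer"] or m["ip"]  # later lines carry the remote peer in brackets
            if m["msg"].startswith("RCPT TO:"):
                s["rcpt"] += 1
            elif "invalid user" in m["msg"]:
                s["invalid"] += 1
    return sessions

def probing_sources(sessions, min_invalid=2):
    """Per-peer totals; return only peers with at least min_invalid invalid-user rejections."""
    totals = defaultdict(lambda: {"sessions": 0, "rcpt": 0, "invalid": 0})
    for s in sessions.values():
        t = totals[s["peer"]]
        t["sessions"] += 1
        t["rcpt"] += s["rcpt"]
        t["invalid"] += s["invalid"]
    return {ip: t for ip, t in totals.items() if t["invalid"] >= min_invalid}
```

Run `probing_sources(parse_sessions(open("smtpd.log").read()))` over a real IMail SMTPD log to get the candidate addresses for a firewall or relay block list; raising `min_invalid` reduces noise from ordinary typo bounces.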
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Jason Newland
Sent: Sunday, February 16, 2003 9:44 PM
To: [EMAIL PROTECTED]
Subject: RE: [IMail Forum] imail, meltdown capital of the web

Timothy,

With the level of detailed information/log information that you have provided us in your "big troubles", it is no doubt that Ipswitch is unable to help you. You might get a little more help here if you a.) Wouldn't slam the product developer. b.) Would provide details of your woes so that we may be of assistance. Please include web log / smtp log snippets of said "attack",

Regards,
Jason

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Timothy Hunold-Cre8ive guy
Sent: Sunday, February 16, 2003 11:31 PM
To: [EMAIL PROTECTED]
Subject: [IMail Forum] imail, meltdown capital of the web

I am having trouble with a spammer, my webmail keeps crashing, big trouble for me. I deactivate smtp, even rename the files and all he does is kill imail webmessaging every time. Now as crappy as imail support is, is anyone else experiencing similar troubles? Any resolutions?
