The
log file below shows that you are in the middle of your garden-variety
dictionary attack. You have several options to repel this...border router,
.acc file, etc., but this doesn't explain your original post about webmail
crashing your SMTP. Can you also provide logs from your web log
files...?
Jason
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Timothy Hunold-Cre8ive guy
Sent: Monday, February 17, 2003 12:09 AM
To: [EMAIL PROTECTED]
Subject: RE: [IMail Forum] imail, meltdown
Importance: High

http://www.eeye.com/html/Research/Advisories/AD20000817.html, still works, why?

I myself know of about 15 exploits for imail, and have insulated myself by locking down all but a few selected tcp, udp ports. SMTP relay is closed, SMTP is disabled at both the imail AND winnt services level. Now why does it restart every time the crashimail (seen above) exploit is used on me? Why is it the only way to disable SMTP in imail is by stopping all the services and renaming it? After I figured the deletion of SMTP would hinder my ability to actually use the server, I would need to reactivate it.

Mind you, my spool directory was now 2 GB and nearly 500k files... have you ever tried to delete that many files in Win2k? You can't, you can't delete the directory, you need to del *.* and wait 12, yes TWELVE HOURS to clean it up. isplcln dies after 2 minutes in that directory. (dual xeon 2ghz, 4gb ram)

imail 7.14 logs: (mind you none of those ports are live) this is today, I have the ONLY account on the box that is active, so why the long logfiles?

02:15 03:52 SMTPD(005000F2) [61.30.68.50] EHLO up-xp
02:15 03:52 SMTPD(005000F2) [61.30.68.50] MAIL FROM:<[EMAIL PROTECTED]>
02:15 03:52 SMTPD(005000F2) [61.30.68.50] RCPT TO:<[EMAIL PROTECTED]>
02:15 03:52 SMTPD(005000F2) [61.30.68.50] ERR [MYDOMAIN].com invalid user <[EMAIL PROTECTED]
02:15 03:53 SMTPD(005100F2) [66.238.42.209] connect 61.30.74.3 port 4714
02:15 03:53 SMTPD(005100F2) [61.30.74.3] EHLO down-me
02:15 03:53 SMTPD(005100F2) [61.30.74.3] MAIL FROM:<[EMAIL PROTECTED]>
02:15 03:53 SMTPD(005100F2) [61.30.74.3] RCPT TO:<[EMAIL PROTECTED]>
02:15 03:53 SMTPD(005100F2) [61.30.74.3] ERR [MYDOMAIN].com invalid user <[EMAIL PROTECTED]
02:15 03:54 SMTPD(005200F2) [66.238.42.209] connect 61.64.100.8 port 2297
02:15 03:54 SMTPD(005200F2) [61.64.100.8] EHLO mark-hr442moy15
02:15 03:54 SMTPD(005200F2) [61.64.100.8] MAIL FROM:<[EMAIL PROTECTED]>
02:15 03:54 SMTPD(005200F2) [61.64.100.8] RCPT TO:<[EMAIL PROTECTED]>
02:15 03:54 SMTPD(005200F2) [61.64.100.8] ERR [MYDOMAIN].com invalid user <[EMAIL PROTECTED]
02:15 03:54 SMTPD(005300F2) [66.238.42.209] connect 61.30.68.50 port 3195
02:15 03:54 SMTPD(005300F2) [61.30.68.50] EHLO up-xp
02:15 03:54 SMTPD(005300F2) [61.30.68.50] MAIL FROM:<[EMAIL PROTECTED]>
02:15 03:54 SMTPD(005300F2) [61.30.68.50] RCPT TO:<[EMAIL PROTECTED]>
02:15 03:54 SMTPD(005300F2) [61.30.68.50] ERR [MYDOMAIN].com invalid user <[EMAIL PROTECTED]
02:16 02:56 SMTPD(023900F2) [61.30.74.217] EHLO up-xp
02:16 02:56 SMTPD(023900F2) [61.30.74.217] MAIL FROM:<[EMAIL PROTECTED]>
02:16 02:56 SMTPD(023900F2) [61.30.74.217] RCPT TO:<[EMAIL PROTECTED]>
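Jason's diagnosis above rests on the shape of the SMTPD log: many short sessions from changing source hosts, each trying one or two RCPT TO addresses that come back "invalid user". As an added example, not part of either message in this thread, the script below parses IMail 7-style SMTPD lines and flags time windows in which RCPT traffic is dominated by unknown-user rejections. The log sample is constructed (made-up addresses and recipients, same line layout as the quoted log); the year is an assumption, since IMail log lines carry only month:day and hour:minute; and the thresholds (5-minute windows, at least 3 rejections, at least half of all RCPTs rejected) are illustrative tuning knobs, not IMail settings.

```python
"""Flag an SMTP address-harvesting ("dictionary") attack in IMail 7-style SMTPD logs.

Line shape, as in the thread:  MM:DD HH:MM SMTPD(session) [ip] message
The first field is read as month:day. IMail writes no year, so one is assumed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

ASSUMED_YEAR = 2003  # assumption: the thread is from February 2003

# Constructed sample log (hypothetical hosts/addresses, same layout as the quoted log).
# Four probing sessions from three hosts, then one legitimate delivery hours later.
SAMPLE_LOG = """\
02:15 03:52 SMTPD(005000F2) [61.30.68.50] EHLO up-xp
02:15 03:52 SMTPD(005000F2) [61.30.68.50] MAIL FROM:<bulk@sender.example>
02:15 03:52 SMTPD(005000F2) [61.30.68.50] RCPT TO:<alice@mydomain.example>
02:15 03:52 SMTPD(005000F2) [61.30.68.50] ERR mydomain.example invalid user <alice@mydomain.example>
02:15 03:53 SMTPD(005100F2) [66.238.42.209] connect 61.30.74.3 port 4714
02:15 03:53 SMTPD(005100F2) [61.30.74.3] EHLO down-me
02:15 03:53 SMTPD(005100F2) [61.30.74.3] MAIL FROM:<bulk@sender.example>
02:15 03:53 SMTPD(005100F2) [61.30.74.3] RCPT TO:<amanda@mydomain.example>
02:15 03:53 SMTPD(005100F2) [61.30.74.3] ERR mydomain.example invalid user <amanda@mydomain.example>
02:15 03:54 SMTPD(005200F2) [66.238.42.209] connect 61.64.100.8 port 2297
02:15 03:54 SMTPD(005200F2) [61.64.100.8] EHLO mark-hr442moy15
02:15 03:54 SMTPD(005200F2) [61.64.100.8] MAIL FROM:<bulk@sender.example>
02:15 03:54 SMTPD(005200F2) [61.64.100.8] RCPT TO:<andrew@mydomain.example>
02:15 03:54 SMTPD(005200F2) [61.64.100.8] ERR mydomain.example invalid user <andrew@mydomain.example>
02:15 03:54 SMTPD(005300F2) [66.238.42.209] connect 61.30.68.50 port 3195
02:15 03:54 SMTPD(005300F2) [61.30.68.50] EHLO up-xp
02:15 03:54 SMTPD(005300F2) [61.30.68.50] MAIL FROM:<bulk@sender.example>
02:15 03:54 SMTPD(005300F2) [61.30.68.50] RCPT TO:<tim@mydomain.example>
02:15 03:54 SMTPD(005300F2) [61.30.68.50] RCPT TO:<anna@mydomain.example>
02:15 03:54 SMTPD(005300F2) [61.30.68.50] ERR mydomain.example invalid user <anna@mydomain.example>
02:15 10:01 SMTPD(010000F2) [198.51.100.7] EHLO mail.partner.example
02:15 10:01 SMTPD(010000F2) [198.51.100.7] MAIL FROM:<bob@partner.example>
02:15 10:01 SMTPD(010000F2) [198.51.100.7] RCPT TO:<tim@mydomain.example>
"""

LINE_RE = re.compile(
    r"^(?P<mon>\d\d):(?P<day>\d\d) (?P<hour>\d\d):(?P<minute>\d\d) "
    r"SMTPD\((?P<session>[0-9A-Fa-f]+)\) \[(?P<ip>[\d.]+)\] (?P<msg>.*)$"
)
RCPT_RE = re.compile(r"^RCPT TO:<([^>]*)>", re.IGNORECASE)
# The closing '>' is optional: several lines in the quoted log lost it to redaction.
INVALID_RE = re.compile(r"^ERR \S+ invalid user <([^>]*)>?", re.IGNORECASE)


def parse_log(text, year=ASSUMED_YEAR):
    """Return (timestamp, session, ip, msg) for each well-formed SMTPD line; skip the rest."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime(year, int(m["mon"]), int(m["day"]), int(m["hour"]), int(m["minute"]))
        records.append((ts, m["session"], m["ip"], m["msg"]))
    return records


def detect_dictionary_attack(records, window_minutes=5, min_invalid=3, min_ratio=0.5):
    """One finding per tumbling window where unknown-user rejections dominate RCPT traffic.

    Source IPs are taken only from the rejection lines: on 'connect' lines the
    bracketed address is the server's own, so it must not be counted as a client.
    """
    windows = defaultdict(lambda: {"rcpt": 0, "invalid": 0, "ips": set(), "targets": set()})
    for ts, _session, ip, msg in records:
        start = ts.replace(second=0, microsecond=0) - timedelta(minutes=ts.minute % window_minutes)
        w = windows[start]
        if RCPT_RE.match(msg):
            w["rcpt"] += 1
        m = INVALID_RE.match(msg)
        if m:
            w["invalid"] += 1
            w["ips"].add(ip)
            w["targets"].add(m.group(1).split("@")[0].lower())

    findings = []
    for start in sorted(windows):
        w = windows[start]
        if w["rcpt"] == 0:
            continue
        ratio = w["invalid"] / w["rcpt"]
        if w["invalid"] >= min_invalid and ratio >= min_ratio:
            findings.append({
                "window_start": start,
                "rcpt": w["rcpt"],
                "invalid": w["invalid"],
                "invalid_ratio": round(ratio, 2),
                "source_ips": sorted(w["ips"]),
                "probed_localparts": sorted(w["targets"]),
            })
    return findings


if __name__ == "__main__":
    for f in detect_dictionary_attack(parse_log(SAMPLE_LOG)):
        print(f"{f['window_start']:%m/%d %H:%M}: {f['invalid']}/{f['rcpt']} RCPTs to unknown users "
              f"from {len(f['source_ips'])} hosts; probed: {', '.join(f['probed_localparts'])}")
```

The ratio matters more than the raw count: a busy server legitimately sees a few typos per hour, but a window where most RCPT TO commands hit non-existent, alphabetically clustered local-parts from rotating hosts is the harvesting pattern Jason points at, and the list of source IPs is what you would feed to the border-router or .acc-file block he mentions.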
