----- Original Message -----
From: "Timothy Hunold-Cre8ive guy" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, February 17, 2003 12:09 AM - SATCOM
Subject: RE: [IMail Forum] imail, meltdown


http://www.eeye.com/html/Research/Advisories/AD20000817.html, still
works, why?

Was fixed.. and I thought that was for version 6.x anyway... if you are sure
you're having the same problem then reapply the patches.

I myself know of about 15 exploits for imail, and have insulated myself by
locking down all but a few selected TCP, UDP ports.

good.... lockdown at the border router.. ipsec.. etc..

SMTP relay is closed, SMTP is disabled at both the imail AND winnt services
level. Now why does it restart every time the crashimail (seen above) exploit
is used on me? Why is it the only way to disable SMTP in imail is by
stopping all the services and renaming it? After I figured the deletion of
SMTP would hinder my ability to actually use the server I would need to
reactivate it.

I'm guessing that windows is restarting the system automatically when all
the resources are exhausted.. rather than just bsod and shutdown..

Mind you my spool directory was now 2 GB and nearly 500k files... have you
ever tried to delete that many files in Win2k? You can't, you can't delete
the directory, you need to del *.* and wait 12, yes TWELVE HOURS to clean it
up. isplcln dies after 2 minutes in that directory. (dual Xeon 2GHz, 4GB
RAM)

You could always use the RD command at a DOS prompt, i.e.: RD C:\IMAIL\SPOOL /S
but that will wipe out your other directories/files below SPOOL too.  Could
back up the other folders and reinsert them after you recreate the SPOOL
directory/folder though.

imail 7.14 logs: (mind you none of those ports are live) this is today, I
have the ONLY account on the box that is active, so why the long logfiles?
02:15 03:52 SMTPD(005000F2) [61.30.68.50] EHLO up-xp
02:15 03:52 SMTPD(005000F2) [61.30.68.50] MAIL FROM:<[EMAIL PROTECTED]>
02:15 03:52 SMTPD(005000F2) [61.30.68.50] RCPT TO:<[EMAIL PROTECTED]>
02:15 03:52 SMTPD(005000F2) [61.30.68.50] ERR [MYDOMAIN].com invalid user
<[EMAIL PROTECTED]
02:15 03:53 SMTPD(005100F2) [66.238.42.209] connect 61.30.74.3 port 4714
02:15 03:53 SMTPD(005100F2) [61.30.74.3] EHLO down-me
02:15 03:53 SMTPD(005100F2) [61.30.74.3] MAIL FROM:<[EMAIL PROTECTED]>
02:15 03:53 SMTPD(005100F2) [61.30.74.3] RCPT TO:<[EMAIL PROTECTED]>
02:15 03:53 SMTPD(005100F2) [61.30.74.3] ERR [MYDOMAIN].com invalid user
<[EMAIL PROTECTED]
02:15 03:54 SMTPD(005200F2) [66.238.42.209] connect 61.64.100.8 port 2297
02:15 03:54 SMTPD(005200F2) [61.64.100.8] EHLO mark-hr442moy15
02:15 03:54 SMTPD(005200F2) [61.64.100.8] MAIL
FROM:<[EMAIL PROTECTED]>
02:15 03:54 SMTPD(005200F2) [61.64.100.8] RCPT TO:<[EMAIL PROTECTED]>
02:15 03:54 SMTPD(005200F2) [61.64.100.8] ERR [MYDOMAIN].com invalid user
<[EMAIL PROTECTED]
02:15 03:54 SMTPD(005300F2) [66.238.42.209] connect 61.30.68.50 port 3195
02:15 03:54 SMTPD(005300F2) [61.30.68.50] EHLO up-xp
02:15 03:54 SMTPD(005300F2) [61.30.68.50] MAIL FROM:<[EMAIL PROTECTED]>
02:15 03:54 SMTPD(005300F2) [61.30.68.50] RCPT TO:<[EMAIL PROTECTED]>
02:15 03:54 SMTPD(005300F2) [61.30.68.50] ERR [MYDOMAIN].com invalid user
<[EMAIL PROTECTED]
02:16 02:56 SMTPD(023900F2) [61.30.74.217] EHLO up-xp
02:16 02:56 SMTPD(023900F2) [61.30.74.217] MAIL
FROM:<[EMAIL PROTECTED]>
02:16 02:56 SMTPD(023900F2) [61.30.74.217] RCPT TO:<[EMAIL PROTECTED]>


This looks like you are a relay.. visit:
http://support.ipswitch.com/kb/IM-20021108-DM01.htm I don't believe the
hackers have figured out how to post data to web messaging, yet, but
anything is possible.

I haven't confirmed via telnet to your server.. but the class C you use
has you listed in SPEWS anyway.  Also you should accept <> null senders..

~Rick
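The SMTPD excerpt quoted above is the kind of log a defender wants to triage quickly: which remote addresses keep opening sessions, whether their recipients are being bounced as invalid users (a sign of recipient probing, which also explains the long logfiles with a single live account), and whether any recipient outside the hosted domains got past RCPT TO without an error, which is the relay concern raised in the reply. The Python script below is an added example and is not code from this thread or from Ipswitch. It assumes the line layout is `MM:DD HH:MM SMTPD(session-id) [ip] event`, that on a `connect` line the bracketed IP is the server and the address after `connect` is the remote peer, and that a recipient with no following `ERR ... invalid user` line was accepted; the sample log, IPs and addresses are constructed, and `example.com` stands in for the hosted domain.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample in the IMail SMTPD log layout quoted in the thread; assumed
# layout is "MM:DD HH:MM SMTPD(session-id) [ip] event".  IPs and addresses are
# made up; 192.0.2.10 plays the server, so it is the bracketed IP on connect lines.
SAMPLE_LOG = """\
02:15 03:52 SMTPD(000100F2) [192.0.2.10] connect 198.51.100.7 port 4101
02:15 03:52 SMTPD(000100F2) [198.51.100.7] EHLO up-xp
02:15 03:52 SMTPD(000100F2) [198.51.100.7] MAIL FROM:<sender@example.net>
02:15 03:52 SMTPD(000100F2) [198.51.100.7] RCPT TO:<bob@example.com>
02:15 03:52 SMTPD(000100F2) [198.51.100.7] ERR example.com invalid user <bob@example.com>
02:15 03:53 SMTPD(000200F2) [192.0.2.10] connect 198.51.100.7 port 4102
02:15 03:53 SMTPD(000200F2) [198.51.100.7] EHLO up-xp
02:15 03:53 SMTPD(000200F2) [198.51.100.7] MAIL FROM:<sender@example.net>
02:15 03:53 SMTPD(000200F2) [198.51.100.7] RCPT TO:<carol@example.com>
02:15 03:53 SMTPD(000200F2) [198.51.100.7] ERR example.com invalid user <carol@example.com>
02:15 03:54 SMTPD(000300F2) [192.0.2.10] connect 203.0.113.9 port 2297
02:15 03:54 SMTPD(000300F2) [203.0.113.9] EHLO down-me
02:15 03:54 SMTPD(000300F2) [203.0.113.9] MAIL FROM:<spam@example.net>
02:15 03:54 SMTPD(000300F2) [203.0.113.9] RCPT TO:<victim@elsewhere.example>
02:15 03:55 SMTPD(000400F2) [192.0.2.10] connect 203.0.113.9 port 2298
02:15 03:55 SMTPD(000400F2) [203.0.113.9] EHLO down-me
02:15 03:55 SMTPD(000400F2) [203.0.113.9] MAIL FROM:<>
02:15 03:55 SMTPD(000400F2) [203.0.113.9] RCPT TO:<dave@example.com>
02:15 03:55 SMTPD(000400F2) [203.0.113.9] ERR example.com invalid user <dave@example.com>
"""

LINE_RE = re.compile(r"^(?P<date>\S+) (?P<time>\S+) SMTPD\((?P<sid>[0-9A-Fa-f]+)\) "
                     r"\[(?P<ip>[\d.]+)\] (?P<event>.*)$")
ADDR_RE = re.compile(r"<([^>]*)>")  # also matches the null sender <>

def _addr(event: str) -> str:
    m = ADDR_RE.search(event)
    return m.group(1) if m else ""

@dataclass
class Session:
    sid: str
    remote: str = ""
    sender: Optional[str] = None  # "" is the null sender <>
    recipients: Dict[str, str] = field(default_factory=dict)  # addr -> accepted|rejected

def parse_sessions(text: str) -> Dict[str, Session]:
    """Group SMTPD lines by session id and pull out the SMTP envelope."""
    sessions: Dict[str, Session] = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # wrapped continuation or unrelated line
        s = sessions.setdefault(m["sid"], Session(m["sid"]))
        event = m["event"]
        if event.startswith("connect "):
            s.remote = event.split()[1]  # bracketed IP is the server on this line
            continue
        if not s.remote:  # session began before the excerpt: peer is in brackets
            s.remote = m["ip"]
        if event.startswith("MAIL FROM:"):
            s.sender = _addr(event)
        elif event.startswith("RCPT TO:"):
            s.recipients[_addr(event)] = "accepted"  # no OK is logged; ERR may follow
        elif event.startswith("ERR ") and "invalid user" in event:
            addr = _addr(event)
            if addr not in s.recipients and s.recipients:  # address wrapped to next line
                addr = next(reversed(s.recipients))
            if addr in s.recipients:
                s.recipients[addr] = "rejected"
    return sessions

def summarize(sessions: Dict[str, Session], local_domains: Set[str]) -> Dict[str, dict]:
    """Per remote IP: sessions, recipients tried, rejected, and non-local ones accepted."""
    per_ip: Dict[str, dict] = defaultdict(lambda: {"sessions": 0, "rcpt": 0, "rejected": 0, "relay": 0})
    for s in sessions.values():
        row = per_ip[s.remote]
        row["sessions"] += 1
        for addr, status in s.recipients.items():
            row["rcpt"] += 1
            if status == "rejected":
                row["rejected"] += 1
            elif addr.rpartition("@")[2].lower() not in local_domains:
                row["relay"] += 1  # we accepted mail for a domain we do not host
    return dict(per_ip)

def findings(per_ip: Dict[str, dict], probe_threshold: int = 2) -> List[Tuple[str, str, int]]:
    """Flag recipient probing (repeated invalid users) and possible open relay."""
    out = []
    for ip, row in sorted(per_ip.items()):
        if row["rejected"] >= probe_threshold:
            out.append((ip, "recipient probing", row["rejected"]))
        if row["relay"]:
            out.append((ip, "possible open relay", row["relay"]))
    return out

if __name__ == "__main__":
    per_ip = summarize(parse_sessions(SAMPLE_LOG), {"example.com"})
    for ip, what, n in findings(per_ip):
        print(f"FLAG {ip}: {what} ({n})")
```

Run it against a real SMTPD log by replacing `SAMPLE_LOG` with the file contents and `{"example.com"}` with the domains the server hosts; `probe_threshold` is deliberately low for the constructed sample and should be raised for production volumes. Note that the null sender `<>` parses to an empty string rather than a missing `MAIL FROM`, so sessions using it (bounces, which the reply says should be accepted) are still accounted for rather than dropped.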
