There is a program called RegMon (from Sysinternals I think) that you can
run on the box and it will monitor what application makes registry changes.
I have used this to pinpoint other things going on before. Since it isn't
happening to me I cannot look into it here. I have a feeling you were maybe
hacked somehow and there is something amiss.

Eric S
----- Original Message ----- 
From: "Mailing Lists" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, May 20, 2004 12:23 PM
Subject: [IMail Forum] Possible Imail Hack??


> We found the weirdest thing on Imail Server today (running 8.05).
>
> We had some host admins complaining that they saw users in their domain
> which were not recognized (i.e. they did not create these users).
>
> As more reports came in, we found a pattern.... users created were always
> same .... postmaster (not alias but user), peter, mariselas and a couple
> others.
>
> Looking into the registry, these illegal users all had just a registry
> string called SMTPWIN with value of 20,20,524,350
>
> No other string values for the illegal users, which is extremely weird
> (see below).
>
> Even more curious, as we deleted these illegal users, they cropped up
> again after a short while....
>
> I called Ipswitch this morning, and they were not willing to look into it
> as there wasn't enough information! Not the best answer I received,
> especially since it concerns security. I can understand that they don't
> know what and where the issue is, but you would expect them to want to
> investigate if there is a hole somewhere... so I guess I am at the mercy
> of this list.
>
> There is a firewall in front of Imail server, allowing just port 80 for
> web interface of imail, port 25, port for imap, port 110, and port for web
> calendaring.
>
> There is AV on machine, it just does not scan user mailboxes and spool.
> Just ran a virus scan and comes out clean.
>
> Any help or directions would be appreciated.
>
> Thanks
>
> PV
>
>
>
>
>
> [HKEY_LOCAL_MACHINE\SOFTWARE\Ipswitch\IMail\Domains\domain.com\Users\postmaster]
> "SMTPWIN"="20,20,524,350"
>
>
[HKEY_LOCAL_MACHINE\SOFTWARE\Ipswitch\IMail\Domains\domain.com\Users\postmas
> [EMAIL PROTECTED]
> "SMTPWIN"="20,20,524,350"
>
>
>
>
>
> To Unsubscribe: http://www.ipswitch.com/support/mailing-lists.html
> List Archive: http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
> Knowledge Base/FAQ: http://www.ipswitch.com/support/IMail/
>
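
Added example, not part of the original thread and not Ipswitch code: a triage script that reads a regedit text export of the IMail Domains key and lists user keys whose only value is SMTPWIN, the pattern described in the quoted post. The sample export is constructed; the "ExampleValue" names and the user "alice" are placeholders, and the script assumes a legitimately created user key carries more values than SMTPWIN alone.

```python
import re

# Constructed sample in regedit export format. Only the key layout and the
# SMTPWIN value come from the post; everything else is a placeholder.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Ipswitch\IMail\Domains\domain.com\Users\postmaster]
"SMTPWIN"="20,20,524,350"

[HKEY_LOCAL_MACHINE\SOFTWARE\Ipswitch\IMail\Domains\domain.com\Users\alice]
"ExampleValueA"="placeholder"
"ExampleValueB"="placeholder"
"SMTPWIN"="20,20,524,350"

[HKEY_LOCAL_MACHINE\SOFTWARE\Ipswitch\IMail\Domains\domain.com\Users\peter]
"SMTPWIN"="20,20,524,350"

[HKEY_LOCAL_MACHINE\SOFTWARE\Ipswitch\IMail\Domains\domain.com]
"ExampleValueC"="placeholder"
'''

USER_KEY = re.compile(r'\\IMail\\Domains\\([^\\]+)\\Users\\([^\\]+)$', re.IGNORECASE)
VALUE_LINE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=')  # "name"=... or @=...

def parse_export(text):
    """Return {key_path: [value names]} from regedit export text."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            keys.setdefault(current, [])
        elif current is not None:
            m = VALUE_LINE.match(line)  # continuation lines of long values do not match
            if m:
                keys[current].append(m.group(1) or '@')
    return keys

def smtpwin_only_users(text):
    """List (domain, user) pairs whose key holds SMTPWIN and nothing else."""
    hits = []
    for path, names in parse_export(text).items():
        m = USER_KEY.search(path)
        if m and [n.upper() for n in names] == ['SMTPWIN']:
            hits.append((m.group(1), m.group(2)))
    return sorted(hits)

if __name__ == '__main__':
    for domain, user in smtpwin_only_users(SAMPLE_EXPORT):
        print(f'{user}@{domain}: SMTPWIN is the only value')
```

Exports written by regedit are usually UTF-16, so open a real export file with encoding="utf-16" before passing its text to smtpwin_only_users().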


