Ipswitch has been working on the issue since you brought it up. Have a look at Eric's email address :)

Bryan

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Mailing Lists
Sent: Thursday, May 20, 2004 3:15 PM
To: [EMAIL PROTECTED]
Subject: Re: [IMail Forum] Possible Imail Hack??

Hi Eric,

Yeah, I already checked that; only one imail1.exe is on the server, where it should be (root of the IMail install). File size is 196,608 bytes, created September 7, 2003 and modified December 17, 2003.

Maybe some sort of hack that creates user accounts so spammers can relay; we're going through all our SMTP logs to see if any of these accounts have sent mail.

BTW, Ipswitch is now working on the issue.

PV

----- Original Message -----
From: "Eric Shanbrom (Ipswitch)" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, May 20, 2004 6:28 PM
Subject: Re: [IMail Forum] Possible Imail Hack??

> What is the size and modified date of the imail1.exe on that machine? Also
> make sure there is only one there.
>
> Eric S
>
> ----- Original Message -----
> From: "Mailing Lists" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Thursday, May 20, 2004 2:02 PM
> Subject: Re: [IMail Forum] Possible Imail Hack??
>
> > Ok,
> >
> > I think I found the process that creates the value. It looks like
> > imail1.exe is the one creating the registry entry (see below output from
> > RegMon).
> >
> > 5083182 271.60988441 IMail1.exe:1392 CreateKey HKLM\SOFTWARE\Ipswitch\IMail\Domains\domain.com\Users\postmaster SUCCESS Access: 0x2000000
> > 5083183 271.61018287 IMail1.exe:1392 SetValue HKLM\SOFTWARE\Ipswitch\IMail\Domains\domain.com\Users\postmaster\SMTPWIN SUCCESS "20,20,524,350"
> >
> > PV
> >
> > ----- Original Message -----
> > From: "Eric Shanbrom [Ipswitch]" <[EMAIL PROTECTED]>
> > To: <[EMAIL PROTECTED]>
> > Sent: Thursday, May 20, 2004 1:12 PM
> > Subject: Re: [IMail Forum] Possible Imail Hack??
> >
> > > There is a program called RegMon (from Sysinternals, I think) that you
> > > can run on the box and it will monitor what application makes registry
> > > changes. I have used this to pinpoint other things going on before.
> > > Since it isn't happening to me I cannot look into it here. I have a
> > > feeling you were maybe hacked somehow and there is something amiss.
> > >
> > > Eric S
> > >
> > > ----- Original Message -----
> > > From: "Mailing Lists" <[EMAIL PROTECTED]>
> > > To: <[EMAIL PROTECTED]>
> > > Sent: Thursday, May 20, 2004 12:23 PM
> > > Subject: [IMail Forum] Possible Imail Hack??
> > >
> > > > We found the weirdest thing on our IMail Server today (running 8.05).
> > > >
> > > > We had some host admins complaining that they saw users in their
> > > > domain which were not recognized (i.e. they did not create these
> > > > users).
> > > >
> > > > As more reports came in, we found a pattern.... the users created were
> > > > always the same .... postmaster (not alias but user), peter, mariselas
> > > > and a couple of others.
> > > >
> > > > Looking into the registry, these illegal users all had just a registry
> > > > string called SMTPWIN with a value of 20,20,524,350.
> > > >
> > > > No other string values for the illegal users, which is extremely weird
> > > > (see below).
> > > >
> > > > Even more curious, as we deleted these illegal users, they cropped up
> > > > again after a short while....
> > > >
> > > > I called Ipswitch this morning, and they were not willing to look into
> > > > it as there wasn't enough information! Not the best answer I received,
> > > > especially since it concerns security. I can understand that they
> > > > don't know what and where the issue is, but you would expect them to
> > > > want to investigate if there is a hole somewhere... so I guess I am at
> > > > the mercy of this list.
> > > >
> > > > There is a firewall in front of the IMail server, allowing just port
> > > > 80 for the web interface of IMail, port 25, the port for IMAP, port
> > > > 110, and the port for web calendaring.
> > > >
> > > > There is AV on the machine; it just does not scan user mailboxes and
> > > > spool. Just ran a virus scan and it comes out clean.
> > > >
> > > > Any help or directions would be appreciated.
> > > >
> > > > Thanks
> > > >
> > > > PV
> > > >
> > > > [HKEY_LOCAL_MACHINE\SOFTWARE\Ipswitch\IMail\Domains\domain.com\Users\postmaster]
> > > > "SMTPWIN"="20,20,524,350"
> > > >
> > > > [HKEY_LOCAL_MACHINE\SOFTWARE\Ipswitch\IMail\Domains\domain.com\Users\postmas[EMAIL PROTECTED]
> > > > "SMTPWIN"="20,20,524,350"
> > > >
> > > > To Unsubscribe: http://www.ipswitch.com/support/mailing-lists.html
> > > > List Archive: http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
> > > > Knowledge Base/FAQ: http://www.ipswitch.com/support/IMail/
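The thread's triage pattern (IMail user keys that carry nothing but an SMTPWIN value) can be checked across a whole registry export rather than by eye. The following is an added example, not code from the thread or from Ipswitch: it parses a .reg export of the Ipswitch\IMail\Domains tree and lists the user keys matching that pattern. The sample export is constructed from the paths quoted in the thread; the "Flags" value on the ordinary-looking user is a placeholder name, since the thread does not say which values legitimate IMail users carry.

```python
import re
from collections import defaultdict

# Per-domain IMail user keys, as the registry paths in the thread show them.
USER_KEY_RE = re.compile(
    r"^HKEY_LOCAL_MACHINE\\SOFTWARE\\Ipswitch\\IMail\\Domains\\([^\\]+)\\Users\\([^\\]+)$",
    re.IGNORECASE)
SUSPECT_VALUE = "SMTPWIN"  # the only value the rogue accounts carried

def parse_reg_export(text):
    """Parse a .reg export into {key_path: {value_name: data}}."""
    keys, current = defaultdict(dict), None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current]           # record the key even if it has no values
        elif current is not None:
            m = re.match(r'^"([^"]+)"=(.*)$', line)
            if m:
                keys[current][m.group(1)] = m.group(2).strip('"')
    return dict(keys)

def find_suspect_users(keys):
    """Return sorted [(domain, user)] for user keys whose only value is SMTPWIN,
    the pattern the original poster described for the unexpected accounts."""
    hits = []
    for path, values in keys.items():
        m = USER_KEY_RE.match(path)
        if m and set(values) == {SUSPECT_VALUE}:
            hits.append((m.group(1), m.group(2)))
    return sorted(hits)

# Constructed sample export: two rogue keys like those in the thread plus one
# ordinary-looking user ("Flags" is a constructed placeholder value name).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Ipswitch\IMail\Domains\domain.com\Users\postmaster]
"SMTPWIN"="20,20,524,350"

[HKEY_LOCAL_MACHINE\SOFTWARE\Ipswitch\IMail\Domains\domain.com\Users\peter]
"SMTPWIN"="20,20,524,350"

[HKEY_LOCAL_MACHINE\SOFTWARE\Ipswitch\IMail\Domains\domain.com\Users\alice]
"SMTPWIN"="20,20,524,350"
"Flags"=dword:00000001
"""
```

Run it against an export taken with regedit of the Ipswitch\IMail\Domains key; accounts it reports should be compared against the host admins' own user lists before anything is deleted, since the thread also notes the keys reappear if only the symptom is removed.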
