Is your LDAP running? Have you patched? That's how I was hacked... -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mailing Lists Sent: Thursday, May 20, 2004 12:23 PM To: [EMAIL PROTECTED] Subject: [IMail Forum] Possible Imail Hack??
We found the weirdest thing on Imail Server today (running 8.05). We had some host admins complaining that they saw users in their domain which were not recognized (i.e. they did not create these users). As more reports came in, we found a pattern.... users created were always same .... postmaster (not alias but user), peter, mariselas and a couple others. Looking into the registry, these illegal users all had just a registry string called SMTPWIN with value of 20,20,524,350 No other strings values for the illegal users which is extremely weird (see below). Even more curious, as we deleted these illegal users, they cropped up again after a short while.... I called IPSWICTH this morning, and were not willing to look into it as there wasnt enough information! Not the best answer I received especially since it concerns security. I can understand that they dont know what and where the issue is but you would expect them to want to investigate if there is a hole some-where... so I guess I am at mercy of this list. There is a firewall in front of Imail server, allowing just port 80 for web interface of imail, port 25, port for imap, port 110, and port for web calendaring. There is AV on machine, it just does not scan user mailboxes and spool. Just ran a virus scan and comes out clean. Any help or directions would be appreciated. Thanks PV [HKEY_LOCAL_MACHINE\SOFTWARE\Ipswitch\IMail\Domains\domain.com\Users\postmas ter] "SMTPWIN"="20,20,524,350" [HKEY_LOCAL_MACHINE\SOFTWARE\Ipswitch\IMail\Domains\domain.com\Users\postmas [EMAIL PROTECTED] "SMTPWIN"="20,20,524,350" To Unsubscribe: http://www.ipswitch.com/support/mailing-lists.html List Archive: http://www.mail-archive.com/imail_forum%40list.ipswitch.com/ Knowledge Base/FAQ: http://www.ipswitch.com/support/IMail/ --- [This E-mail scanned for viruses by Declude Virus] --- [This E-mail scanned for viruses by Declude Virus] To Unsubscribe: http://www.ipswitch.com/support/mailing-lists.html List Archive: http://www.mail-archive.com/imail_forum%40list.ipswitch.com/ Knowledge Base/FAQ: http://www.ipswitch.com/support/IMail/
