Hey Brett,

The webmail access was the first thing I thought of, but no one is using that feature (google mail works much better...) and in fact there are no attachments in the folders that I would expect to see in that case.

I did a file scan looking for the "adding" phrase and it is not to be found. I am sure IMS is adding this somewhere internally.

I separated the network from other machines and the spam kept showing up. The last thing for me to verify is to place a packet sniffer on the interface so I can make a cut plane of where this is coming from for absolute sure.

I really have no clue how this is happening right now. In the meantime I banned the server from receiving email from itself and this helped immensely. The little spammy SOB is still floating around, but not causing me major headaches at this point, so I can now concentrate on figuring out what I have.

For the life of me I cannot come up with any way for this machine to have become infected (but it happened...)

Steve

At 04:48 PM 1/23/2008, Brett Payne-Rhodes wrote:
Hi Steve,

I looked for "Adding From field to mail" in my SMTP log and didn't find it. I realised then that it may be because I made a change to my RCPT template to exclude emails with blank From addresses:

<cfif (len(smtpfrom) eq 0)>
    <!--- reject a null reverse-path (MAIL FROM:<>) with a permanent 5xx response --->
    <cfset customresponse="580 Sorry, we can no longer accept email from null addresses">
    <cfset result="unknownuser">
    <cfexit>
</cfif>
I think this actually goes against the standards which I believe specify that we are required to accept email from null addresses so you may need to make your own call on that.

As for how the email is getting to the server... Is it possible that an attachment was opened on the server, via webmail perhaps, and then somehow installed the virus/trojan on the server? Otherwise I'd suspect another local machine.

Please let us know what you find out.

Cheers,

Brett
B)


Stephen Garrett wrote:
All, could some kind soul give me a place to look to fix this problem? I am tearing my hair out... Looks like in the last few days someone has found a hole in either IMS, my setup, or a spam program got installed on the server. I suspect my setup, but am not sure where to look and could use a few suggestions; I've been running IMS for years without this problem happening. (Win2kSP4, IMS2.7r2) What appears to be happening is that IMS is receiving emails from the same machine the mail server is on, authenticating and relaying emails on. This is resulting in many thousands of emails that I really do not want to be happening 8^{. I am seeing something like the following in the SMTP log for each of these cases:
"Adding From field to mail"
I cannot find any reference to this string within my CFM modules so this must be coming from IMS. Sample from my log. mail.gpsnet.com is the mail server, operating behind a firewall.
01/23/2008 12:16:33 PM [004] DEBUG: ->220 mail.gpsnet.com inFusion Mail Server SOHO v2.7.7 (r2) SN21919099-7977 ESMTP ready at Wed, 23 Jan 2008 12:16:33 -0800
01/23/2008 12:16:33 PM [004] mail [192.168.1.16] Connected (5 total)
01/23/2008 12:16:33 PM [004] DEBUG: <-EHLO mail.gpsnet.com
01/23/2008 12:16:36 PM [004] *** Waiting 2 seconds on HELO connection
01/23/2008 12:16:36 PM [004] DEBUG: ->250-Pleased to meet you, mail.gpsnet.com
01/23/2008 12:16:36 PM [004] DEBUG: ->250-AUTH CRAM-MD5 LOGIN
01/23/2008 12:16:36 PM [004] DEBUG: ->250-AUTH=LOGIN
01/23/2008 12:16:36 PM [004] DEBUG: ->250-XRCPTLIMIT 35
01/23/2008 12:16:36 PM [004] DEBUG: ->250 HELP
01/23/2008 12:16:37 PM [004] DEBUG: <-MAIL FROM: <[EMAIL PROTECTED]>
01/23/2008 12:16:37 PM [004] DEBUG: ->250 OK
01/23/2008 12:16:37 PM [004] DEBUG: <-RCPT TO: <[EMAIL PROTECTED]>
01/23/2008 12:16:38 PM [004] DEBUG: ->250 OK
01/23/2008 12:16:38 PM [004] DEBUG: <-DATA
01/23/2008 12:16:38 PM [004] DEBUG: ->354 Send data now
01/23/2008 12:16:38 PM [004] Adding From field to mail
01/23/2008 12:16:39 PM [004] WARNING: ISE Error (10061): (Sock Connect) [10061] Connection refused
01/23/2008 12:16:40 PM [004] DEBUG: ->250 Data received ok
01/23/2008 12:16:40 PM [004] RELAY (d1aa11fca26b3d468677a7e9098624c5) mail [192.168.1.16] <[EMAIL PROTECTED]> [EMAIL PROTECTED] 14920
01/23/2008 12:16:40 PM [004] DEBUG: <-QUIT
01/23/2008 12:16:40 PM [004] DEBUG: ->221 Goodbye, mail.gpsnet.com
01/23/2008 12:16:40 PM [004] mail [192.168.1.16] Disconnected (5 total)

Thoughts anyone?
Steve
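Added example, not code from the thread or from iMS: a Python parser for SMTP log lines in the format Steve quoted above. It splits the log into per-connection sessions and flags the pattern he describes, the server's own address connecting and relaying mail, which is what his "ban the server from receiving email from itself" workaround blocks. The sample log is constructed from the quoted format with placeholder addresses; the server address 192.168.1.16 is the one in the quoted log.

```python
import re

# Constructed sample in the format of the iMS SMTP log quoted above: slot [004] is the
# self-connection Steve describes, slot [005] a normal inbound session from another host.
SAMPLE_LOG = """\
01/23/2008 12:16:33 PM [004] DEBUG: ->220 mail.gpsnet.com inFusion Mail Server SOHO v2.7.7 (r2) ESMTP ready
01/23/2008 12:16:33 PM [004] mail [192.168.1.16] Connected (5 total)
01/23/2008 12:16:37 PM [004] DEBUG: <-MAIL FROM: <spammer@example.invalid>
01/23/2008 12:16:37 PM [004] DEBUG: <-RCPT TO: <victim@example.invalid>
01/23/2008 12:16:38 PM [004] Adding From field to mail
01/23/2008 12:16:40 PM [004] RELAY (d1aa11fca26b3d468677a7e9098624c5) mail [192.168.1.16] <spammer@example.invalid> victim@example.invalid 14920
01/23/2008 12:16:40 PM [004] mail [192.168.1.16] Disconnected (5 total)
01/23/2008 12:17:01 PM [005] mx [203.0.113.7] Connected (5 total)
01/23/2008 12:17:03 PM [005] DEBUG: <-MAIL FROM: <user@example.invalid>
01/23/2008 12:17:05 PM [005] mx [203.0.113.7] Disconnected (5 total)
"""
LINE_RE = re.compile(r"^(\d{2}/\d{2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) \[(\d+)\] (.*)$")
CONNECT_RE = re.compile(r"^\S+ \[(\d{1,3}(?:\.\d{1,3}){3})\] Connected")
MAILFROM_RE = re.compile(r"^DEBUG: <-MAIL FROM:\s*<([^>]*)>", re.IGNORECASE)

def parse_sessions(log_text):
    """Group lines into per-connection records. The [nnn] slot number is reused by
    later connections, so a new record starts at each 'Connected' line."""
    open_sessions, finished = {}, []
    for m in filter(None, map(LINE_RE.match, log_text.splitlines())):
        ts, slot, rest = m.groups()
        c = CONNECT_RE.match(rest)
        if c:
            open_sessions[slot] = {"session": slot, "peer": c.group(1), "start": ts,
                                   "mail_from": None, "relayed": 0, "from_added": False}
            continue
        sess = open_sessions.get(slot)
        if sess is None:          # e.g. the 220 banner is logged before 'Connected'
            continue
        f = MAILFROM_RE.match(rest)
        if f:
            sess["mail_from"] = f.group(1)
        elif rest == "Adding From field to mail":
            sess["from_added"] = True
        elif rest.startswith("RELAY ("):
            sess["relayed"] += 1
        elif "Disconnected" in rest:
            finished.append(open_sessions.pop(slot))
    finished.extend(open_sessions.values())   # report connections still open at EOF
    return finished

def find_self_relays(sessions, server_ips):
    """Sessions in which one of the server's own addresses connected and relayed mail."""
    return [s for s in sessions if s["peer"] in server_ips and s["relayed"] > 0]
```

Feed the real log through `parse_sessions` and pass the server's own addresses (loopback and any NIC address) to `find_self_relays`; each hit is one connection that should never have been accepted for relay.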

--
==^=======================================================
This list server is Powered by iMS  "The Swiss Army Knife of Mail Servers"
--------------------------------------------------------------------------------------
This list is provided as a free service.  Although we will try to address issues
in a timely manner, support via this list is not guaranteed.  If you require expedited
support then a support contract is required.  Support may be purchased from
http://www.coolfusion.com/commerce.  Details regarding support options may be reviewed
at: http://www.coolfusion.com/SupportOptions.cfm
--------------------------------------------------------------------------------------
To leave this list please complete the form at 
http://www.coolfusion.com/Support/
Need an iMS Developer license?  Sign up for a free license here:
http://www.coolfusion.com/Developers/
List archives: http://www.coolfusion.com/cfbb/
Note: You are subscribed as archive_jab_org / [EMAIL PROTECTED]
==^=======================================================
