Steve,

This sounds similar to a problem I had, but it did not involve IMS. My problem was with iMail. I had an unpatched version of iMail that had a vulnerability that was exploited. They installed some type of program that was doing just what you are describing. I could not figure it out until I scanned the WINNT and SYSTEM folders looking for files that had recently changed. It was easy to spot the virus files based on their date. The thing ran as an NT service. This happened about a year ago.

I patched my iMail and deleted the virus files and I have not had any more problems.

John

-----Original Message-----
From: Stephen Garrett [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, January 23, 2008 7:36 PM
To: inFusion Support List
Subject: Re: [iMS] Could use some pointers/help; IMS Spam sent internally?

Hey Brett,

The webmail access was the first thing I thought of, but no one is using that feature (google mail works much better...) and in fact there are no attachments in the folders that I would expect to see in that case. I did a file scan looking for the "adding" phrase and it is not to be found. I am sure IMS is adding this somewhere internally.

I separated the network from other machines and the spam kept showing up. The last thing for me to verify is to place a packet sniffer on the interface so I can make a cut plane of where this is coming from for absolute sure. I really have no clue how this is happening right now.

In the meantime I banned the server from receiving email from itself and this helped immensely. The little spammy SOB is still floating around, but not causing me major headaches at this point, so I can now concentrate on figuring out what I have. For the life of me I cannot come up with any way for this machine to have become infected (but it happened...)

Steve

At 04:48 PM 1/23/2008, Brett Payne-Rhodes wrote:
>Hi Steve,
>
>I looked for "Adding From field to mail" in my SMTP log and didn't
>find it. I realised then that it may be because I made a change to
>my RCPT template to exclude emails with blank From addresses:
>
><cfif (len(smtpfrom) eq 0)>
>    customresponse="580 Sorry, we can no longer accept email from null addresses"
>    result=unknownuser
>    <cfexit>
></cfif>
>
>I think this actually goes against the standards which I believe
>specify that we are required to accept email from null addresses so
>you may need to make your own call on that.
>
>As for how the email is getting to the server... Is it possible that
>an attachment was opened on the server, via webmail perhaps, and
>then somehow installed the virus/trojan on the server? Otherwise I'd
>suspect another local machine.
>
>Please let us know what you find out.
>
>Cheers,
>
>Brett
>B)
>
>
>Stephen Garrett wrote:
>>All, could some kind soul give me a place to look to fix this
>>problem? I am tearing my hair out...
>>
>>Looks like in the last few days someone has found a hole in either
>>IMS, my setup or a spam program got installed on the server. I
>>suspect my setup, but am not sure where to look and could use a few
>>suggestions; I've been running IMS for years without this problem
>>happening. (Win2kSP4, IMS2.7r2)
>>
>>What appears to be happening is that IMS is receiving emails from
>>the same machine the mail server is on, authenticating and relaying
>>emails on. This is resulting in many thousands of emails that I
>>really do not want to be happening 8^{. I am seeing something like
>>the following in the SMTP log for each of these cases:
>>
>>"Adding From field to mail"
>>
>>I cannot find any reference to this string within my CFM modules so
>>this must be coming from IMS.
>>
>>Sample from my log. mail.gpsnet.com is the mail server, operating
>>behind a firewall.
>>
>>01/23/2008 12:16:33 PM [004] DEBUG: ->220 mail.gpsnet.com inFusion Mail Server SOHO v2.7.7 (r2) SN21919099-7977 ESMTP ready at Wed, 23 Jan 2008 12:16:33 -0800
>>01/23/2008 12:16:33 PM [004] mail [192.168.1.16] Connected (5 total)
>>01/23/2008 12:16:33 PM [004] DEBUG: <-EHLO mail.gpsnet.com
>>01/23/2008 12:16:36 PM [004] *** Waiting 2 seconds on HELO connection
>>01/23/2008 12:16:36 PM [004] DEBUG: ->250-Pleased to meet you, mail.gpsnet.com
>>01/23/2008 12:16:36 PM [004] DEBUG: ->250-AUTH CRAM-MD5 LOGIN
>>01/23/2008 12:16:36 PM [004] DEBUG: ->250-AUTH=LOGIN
>>01/23/2008 12:16:36 PM [004] DEBUG: ->250-XRCPTLIMIT 35
>>01/23/2008 12:16:36 PM [004] DEBUG: ->250 HELP
>>01/23/2008 12:16:37 PM [004] DEBUG: <-MAIL FROM: <[EMAIL PROTECTED]>
>>01/23/2008 12:16:37 PM [004] DEBUG: ->250 OK
>>01/23/2008 12:16:37 PM [004] DEBUG: <-RCPT TO: <[EMAIL PROTECTED]>
>>01/23/2008 12:16:38 PM [004] DEBUG: ->250 OK
>>01/23/2008 12:16:38 PM [004] DEBUG: <-DATA
>>01/23/2008 12:16:38 PM [004] DEBUG: ->354 Send data now
>>01/23/2008 12:16:38 PM [004] Adding From field to mail
>>01/23/2008 12:16:39 PM [004] WARNING: ISE Error (10061): (Sock Connect) [10061] Connection refused
>>01/23/2008 12:16:40 PM [004] DEBUG: ->250 Data received ok
>>01/23/2008 12:16:40 PM [004] RELAY (d1aa11fca26b3d468677a7e9098624c5) mail [192.168.1.16] <[EMAIL PROTECTED]> [EMAIL PROTECTED] 14920
>>01/23/2008 12:16:40 PM [004] DEBUG: <-QUIT
>>01/23/2008 12:16:40 PM [004] DEBUG: ->221 Goodbye, mail.gpsnet.com
>>01/23/2008 12:16:40 PM [004] mail [192.168.1.16] Disconnected (5 total)
>>
>>Thoughts anyone?
>>Steve
>>
>>--

==^=======================================================
This list server is Powered by iMS "The Swiss Army Knife of Mail Servers"
--------------------------------------------------------------------------------------
This list is provided as a free service. Although we will try to address issues in a timely manner, support via this list is not guaranteed. If you require expedited support then a support contract is required. Support may be purchased from http://www.coolfusion.com/commerce. Details regarding support options may be reviewed at: http://www.coolfusion.com/SupportOptions.cfm
--------------------------------------------------------------------------------------
To leave this list please complete the form at http://www.coolfusion.com/Support/
Need an iMS Developer license? Sign up for a free license here: http://www.coolfusion.com/Developers/
List archives: http://www.coolfusion.com/cfbb/
Note: You are subscribed as archive_jab_org / [EMAIL PROTECTED]
==^=======================================================
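The pattern Steve describes (the server accepting, authenticating and relaying mail from its own address, with "Adding From field to mail" logged on every such message) is easy to pick out mechanically from the IMS SMTP log. The script below is an added example, not code from the list, from Steve, or from the iMS product: it groups log lines into connections by the `[nnn]` thread id, then flags relayed sessions whose client IP is one of the server's own addresses and/or where IMS logged that it added a From header. The line layouts are modelled on Steve's excerpt; the sample log is constructed, and treating the "Adding From field" line purely as a marker (rather than assuming what triggers it) is an assumption.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Line shapes are modelled on the log excerpt in the thread (an assumption for
# any line type not shown there; unmatched lines are ignored).
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} [AP]M) \[(?P<thr>\d+)\] (?P<msg>.*)$")
CONNECT_RE = re.compile(r"^mail \[(?P<ip>[\d.]+)\] Connected")
DISCONNECT_RE = re.compile(r"^mail \[(?P<ip>[\d.]+)\] Disconnected")
MAILFROM_RE = re.compile(r"^DEBUG: <-MAIL FROM:\s*<(?P<addr>[^>]*)>", re.IGNORECASE)
RELAY_RE = re.compile(
    r"^RELAY \((?P<id>[0-9a-f]+)\) mail \[(?P<ip>[\d.]+)\] "
    r"<(?P<from>[^>]*)> (?P<to>\S+) (?P<size>\d+)$")
FROM_ADDED = "Adding From field to mail"   # the marker string quoted in the thread


@dataclass
class Session:
    thread: str
    client_ip: str
    started: str
    mail_from: str = ""
    from_added: bool = False
    relays: List[tuple] = field(default_factory=list)   # (envelope from, to, bytes)


def parse_sessions(log_text: str) -> List[Session]:
    """Group SMTP log lines into connections keyed by the [nnn] thread id.
    Thread ids are reused, so a new session starts at every 'Connected' line."""
    sessions: List[Session] = []
    open_by_thread: Dict[str, Session] = {}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        thr, msg, ts = m["thr"], m["msg"], m["ts"]
        c = CONNECT_RE.match(msg)
        if c:
            s = Session(thr, c["ip"], ts)
            sessions.append(s)
            open_by_thread[thr] = s
            continue
        s = open_by_thread.get(thr)
        if s is None:
            continue
        mf = MAILFROM_RE.match(msg)
        r = RELAY_RE.match(msg)
        if mf:
            s.mail_from = mf["addr"].strip()
        elif msg == FROM_ADDED:
            s.from_added = True
        elif r:
            s.relays.append((r["from"], r["to"], int(r["size"])))
        elif DISCONNECT_RE.match(msg):
            open_by_thread.pop(thr, None)
    return sessions


def flag_sessions(sessions: List[Session], own_ips: Set[str]) -> List[dict]:
    """Return relayed sessions that match the pattern from the thread: the client
    is the mail server itself, and/or IMS had to synthesise a From header."""
    findings = []
    for s in sessions:
        if not s.relays:
            continue
        reasons = []
        if s.client_ip in own_ips:
            reasons.append("self-relay")
        if s.from_added:
            reasons.append("from-header-added")
        if reasons:
            findings.append({
                "started": s.started, "thread": s.thread, "client_ip": s.client_ip,
                "mail_from": s.mail_from, "messages": len(s.relays),
                "bytes": sum(size for _, _, size in s.relays), "reasons": reasons})
    return findings


# Constructed sample: one session from the server's own LAN address (thread 004),
# then the same thread id reused for an ordinary external client.
SAMPLE_LOG = """\
01/23/2008 12:16:33 PM [004] mail [192.168.1.16] Connected (5 total)
01/23/2008 12:16:37 PM [004] DEBUG: <-MAIL FROM: <sender@example.com>
01/23/2008 12:16:38 PM [004] DEBUG: <-DATA
01/23/2008 12:16:38 PM [004] Adding From field to mail
01/23/2008 12:16:40 PM [004] RELAY (0123456789abcdef0123456789abcdef) mail [192.168.1.16] <sender@example.com> victim@example.net 14920
01/23/2008 12:16:40 PM [004] mail [192.168.1.16] Disconnected (5 total)
01/23/2008 12:17:01 PM [004] mail [203.0.113.7] Connected (4 total)
01/23/2008 12:17:02 PM [004] DEBUG: <-MAIL FROM: <alice@example.org>
01/23/2008 12:17:05 PM [004] RELAY (fedcba9876543210fedcba9876543210) mail [203.0.113.7] <alice@example.org> bob@example.com 2048
01/23/2008 12:17:05 PM [004] mail [203.0.113.7] Disconnected (4 total)
"""

if __name__ == "__main__":
    # The server's own addresses are an assumption; take them from the host's config.
    for f in flag_sessions(parse_sessions(SAMPLE_LOG), {"192.168.1.16", "127.0.0.1"}):
        print(f)
```

Run it against the real SMTP log (read the file into `parse_sessions`) with the server's actual interface addresses in `own_ips`; a steady stream of `self-relay` findings with the `from-header-added` marker is exactly the signature the thread describes, and the per-session byte counts give a quick measure of how much is leaving.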
