[Declude.Virus] ANN: 5xxSink 0.5.01 update, IIS SMTP text-file recipient validator now supports 'nobody' wildcard domains
-- 5XXSINK Release 0.5.01 12/12/2005

* Release notes for this version:
  [ + Added feature ] [ * Improved/changed feature ] [ - Bug fix ] [ ^ Cosmetic/naming change ]

[+] Added new feature, RHS PRESCANNING, to help with processing of large recipient lists under certain circumstances.

The prescan.txt file, if it exists, is scanned before the rcptlist.txt. If a match is found, processing continues in rcptlist.txt. If no match, 550 is returned immediately. If no prescan.txt is found, the feature is not enabled.

The intent of prescan.txt is that it can be a global repository for allowed RHS (right-hand-side, i.e. domain) strings. You list all of your domains in prescan.txt as follows:

    @example.com
    @example.net
    etc.

When messages are processed, they are FIRST matched against this list. This allows you to cut down the initial scan for recipients at _unknown_ domains substantially; for example, if you have 100 hosted domains with 100 users each, and you are the erroneous victim of a directory harvesting attack against a domain you DO NOT host, rejections with prescan.txt in place will take 1% of the time they would if the entire rcptlist.txt were scanned!

However, be somewhat careful: scanning prescan.txt does add its own overhead. If you are not concerned about such pure-DoS attacks, you will end up lengthening the lookup time for each recipient, though likely the effect would be negligible.

NOTE #1: if prescan.txt is enabled, users _must_ have their domain listed in prescan.txt AND their username in rcptlist.txt (or, if they are in a wildcard domain, they must have that domain listed in prescan.txt _and_ in rcptlist.txt).

NOTE #2: RHS prescanning is not the same as domain wildcards. Do not be confused. See below.

[*] Official support for DOMAIN WILDCARDS. This support in fact existed previously, but I was determined to discourage people from using it, since I'm such an opponent of 'nobody' setups. Well, a few people wrote to me and changed my mind.

Anyway, when you enter wildcards, you do not use the asterisk (*) character. You simply enter domain names like so:

    @example.com
    [EMAIL PROTECTED]
    @example.net
    [EMAIL PROTECTED]

You may as well put your domain wildcards at the top of your list, so they get processed first. You're going to need all the help you can get processing the backscatter. . . .

--Sandy
Sanford Whiteman, Chief Technologist
Broadleaf Systems, a division of Cypress Integrated Systems, Inc.
e-mail: [EMAIL PROTECTED]

---
[This E-mail was scanned for viruses by Declude EVA www.declude.com]
---
This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus. The archives can be found at http://www.mail-archive.com.
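The lookup order the announcement describes (prescan.txt checked first for the RHS, then a single pass over rcptlist.txt that accepts either an exact mailbox or an '@domain' wildcard entry), modelled as an added example. This is not 5xxSink's own code; the two sample files, the case-insensitive linear scan, the "entries examined" counter that stands in for lookup time, and the function names are all assumptions made here. The sample rcptlist.txt deliberately lists a wildcard domain (@example.org) that is missing from prescan.txt, so the run shows NOTE #1 in action.

```python
"""Recipient validation modelled on 5xxSink's prescan.txt / rcptlist.txt lookup.

Added example, not 5xxSink's own code. Assumptions made here: one entry per
line, '#' starts a comment, lookups are case-insensitive linear scans (so the
number of entries examined stands in for lookup time).
"""
from typing import List, Optional, Set, Tuple

# Constructed sample prescan.txt: every hosted domain's RHS, nothing else.
PRESCAN_TXT = """
# allowed RHS (right-hand-side, i.e. domain) strings, checked first
@example.com
@example.net
"""

# Constructed sample rcptlist.txt: domain wildcards at the top (no asterisk),
# then individual mailboxes. @example.org is deliberately absent from
# prescan.txt to show the effect of NOTE #1 in the release notes.
RCPTLIST_TXT = """
@example.net
@example.org
alice@example.com
bob@example.com
"""


def parse_list(text: str) -> List[str]:
    """Read a text-file list into lower-cased entries, skipping blanks and comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip().lower()
        if line and not line.startswith("#"):
            entries.append(line)
    return entries


def rhs_of(address: str) -> Optional[str]:
    """Return the '@domain' part of an address, or None if local part or domain is missing."""
    local, at, domain = address.rpartition("@")
    if not at or not local or not domain:
        return None
    return "@" + domain


def scan(entries: List[str], wanted: Set[str]) -> Tuple[Optional[str], int]:
    """Linear scan of a list; returns (first matching entry or None, entries examined)."""
    for examined, entry in enumerate(entries, start=1):
        if entry in wanted:
            return entry, examined
    return None, len(entries)


def validate_recipient(recipient: str, rcptlist: List[str],
                       prescan: Optional[List[str]] = None) -> Tuple[int, str, int]:
    """Return (SMTP code, reason, total entries examined).

    prescan=None models a missing prescan.txt, i.e. the feature disabled.
    """
    addr = recipient.strip().lower()
    rhs = rhs_of(addr)
    if rhs is None:
        return 550, "malformed address", 0
    examined = 0
    if prescan is not None:
        hit, n = scan(prescan, {rhs})
        examined += n
        if hit is None:
            # RHS not hosted here: reject without touching rcptlist.txt at all
            return 550, "domain not in prescan.txt", examined
    # One pass over rcptlist.txt accepts either the exact mailbox or the
    # '@domain' wildcard ('nobody') entry, whichever comes first in the file.
    hit, n = scan(rcptlist, {addr, rhs})
    examined += n
    if hit is None:
        return 550, "no such recipient", examined
    if hit.startswith("@"):
        return 250, "domain wildcard", examined
    return 250, "mailbox listed", examined


if __name__ == "__main__":
    prescan, rcptlist = parse_list(PRESCAN_TXT), parse_list(RCPTLIST_TXT)
    for rcpt in ("Alice@Example.com", "anyone@example.net", "carol@example.com",
                 "someone@example.org", "harvest@unhosted.example"):
        print(rcpt, validate_recipient(rcpt, rcptlist, prescan),
              "without prescan:", validate_recipient(rcpt, rcptlist))
```

Running it shows the trade-off from the notes: a recipient at an unhosted domain is rejected after examining only the two prescan entries, while every accepted recipient pays for the prescan lookup on top of the rcptlist scan. It also shows the NOTE #1 trap: someone@example.org is accepted by the wildcard when prescan is disabled, but rejected with prescan enabled because @example.org was never added to prescan.txt.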
RE: [Declude.Virus] Stranger... about imail1.exe be hijacked.
The problem still exists with IMail 8.15HF2 and the combination listed in this thread.

  Windows 2000 Server
  IMail 8.15 HF2
  Declude Virus Pro or Standard 1.82
  F-Prot
  recip.eml (that sends out the Sober notifications)

The workaround has been to add SKIPIFVIRUSNAMEHAS Sober in the recip.eml file.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Monday, December 12, 2005 11:40 AM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] Stranger... about imail1.exe be hijacked.

Brian,

I believe that IMail 8.15 and higher are protected from the exploit that you were hit with, and those versions are about a year and a half old now. IMail is certainly targeted on occasion by exploits and spammers looking to hijack servers, so it is best to keep your server appropriately patched, and firewall it so that only the bare minimum traffic is allowed in and out of it. FYI, if I recall correctly, the common hack affected those with IMAP enabled. If you just simply remove the hacked accounts and don't patch or disable the targeted services, you will likely get hacked again.

Matt

Crejob.com wrote:

Actually imail1.exe created several blank accounts in my system, like t, te, tech, etc. These accounts show up in the registry and the webmail admin page, but in IMail admin and the real users folder there are no such accounts. In the registry, these forged accounts all have this record:

  SMTPWIN 20,20,524,350

It looks very much like the server is compromised, but as you can see from the IMail forum message below, someone used Regmon and captured that it is Imail1.exe that sets this value.

By the way, if anybody is still under the IMail warranty or service agreement, please contact IPSWITCH to solve it as soon as possible. Last year, 6 months prior to my warranty expiry, I raised this issue to Ipswitch tech-support; they took quite a few weeks to reply to my 2 emails, but the problem was not solved at all. At that time I did not bother them too much, as the problem was not severe. These days, when the same problem popped up again, I sent them an email with the same ticket No., telling them it's exactly the same issue, but they refuse to give me any answer, because my warranty is expired now. As we can see from the IMail forum list and from the Declude list, at least 6-7 servers are affected, and in the IPSWITCH tech-support database there is no record related to SMTPWIN, so I guess they still have no idea what really happened to IMail.

==
http://www.mail-archive.com/imail_forum@list.ipswitch.com/msg85387.html

Ok, I think I found the process that creates the value, it looks like imail1.exe is the one creating the registry entry (see below output from RegMon).

5083182 271.60988441 IMail1.exe:1392 CreateKey HKLM\SOFTWARE\Ipswitch\IMail\Domains\domain.com\Users\postmaster SUCCESS Access: 0x200
5083183 271.61018287 IMail1.exe:1392 SetValue HKLM\SOFTWARE\Ipswitch\IMail\Domains\domain.com\Users\postmaster\SMTPWIN SUCCESS 20,20,524,350

PV
===

----- Original Message -----
From: Mike Wiegers [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Sunday, December 11, 2005 2:49 AM
Subject: RE: [Declude.Virus] Stranger... about imail1.exe be hijacked.

Brian,

Did you have the SMTPWIN entry in your registry file with part of the From address that's used in your recip.eml file?

Mike

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Crejob.com
Sent: Saturday, December 10, 2005 10:17 AM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] Stranger... about imail1.exe be hijacked.

Hi, Mike

You are really helpful! I inserted the SKIPIFVIRUSNAMEHAS Sober 10 hours before, and the problem seems to have disappeared! I'll keep monitoring it and let you know the result. Once again, thank you!

Regards
Brian

----- Original Message -----
From: Mike Wiegers [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Saturday, December 10, 2005 1:49 AM
Subject: RE: [Declude.Virus] Stranger... about imail1.exe be hijacked.

What I think it might be is a combination of several things, and here are some of the common things that I have, with information gathered on the different lists:

  Seems to have first started with IMail 8.x
  Running Declude Pro, Virus (f-prot), Hijack 1.82
  Sober virus seems to trigger this event along with the recip.eml file
  IMail Client (Imail1.exe) will pop up on the server with random addresses in the To and CC fields of the client.
  It seems that the message that is trying to be sent out is the contents of the recip.eml that Declude uses.
  Will see the registry changes with the SMTPWIN entry under the Users. It seems that this entry is made if you use the IMail Client on the server.
  In our case the entries added are part of the email address used in the From field of the recip.eml.

The way we stopped this
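Triage of Regmon output like the two lines quoted above, as an added example that is not from the thread, from Ipswitch or from Declude. It parses the column layout seen in the post (sequence, time, process:pid, operation, path, result, extra), records which process issued a successful CreateKey under IMail's Domains\...\Users\ registry path and whether an SMTPWIN value was then set, and flags user keys that the registry has but the mailbox list does not (the situation Brian describes with the blank t, te and tech accounts). Everything beyond the two quoted IMail1.exe lines, including the extra sample lines, the known-mailbox set and the function names, is constructed here.

```python
"""Triage of Regmon output for IMail user keys created outside the admin tools.

Added example, not from the thread or from Ipswitch/Declude. It assumes the
whitespace-separated Regmon column layout quoted in the forum post:
  seq  time  process:pid  operation  path  result  [extra]
"""
import re
from typing import Dict, List, Set, Tuple

# Constructed sample: the two postmaster lines are the ones quoted in the
# thread; the remaining lines are made up here to exercise the filter.
REGMON_LINES = """
5083182 271.60988441 IMail1.exe:1392 CreateKey HKLM\\SOFTWARE\\Ipswitch\\IMail\\Domains\\domain.com\\Users\\postmaster SUCCESS Access: 0x200
5083183 271.61018287 IMail1.exe:1392 SetValue HKLM\\SOFTWARE\\Ipswitch\\IMail\\Domains\\domain.com\\Users\\postmaster\\SMTPWIN SUCCESS 20,20,524,350
5083190 271.70012345 IMail1.exe:1392 CreateKey HKLM\\SOFTWARE\\Ipswitch\\IMail\\Domains\\domain.com\\Users\\tech SUCCESS Access: 0x200
5083191 271.70044321 IMail1.exe:1392 SetValue HKLM\\SOFTWARE\\Ipswitch\\IMail\\Domains\\domain.com\\Users\\tech\\SMTPWIN SUCCESS 20,20,524,350
5083200 272.00000000 SMTP32.exe:2040 OpenKey HKLM\\SOFTWARE\\Ipswitch\\IMail\\Domains\\domain.com\\Users\\alice SUCCESS Access: 0x1
5083210 272.30000000 Regedit.exe:3100 CreateKey HKLM\\SOFTWARE\\Ipswitch\\IMail\\Domains\\domain.com\\Users\\bob SUCCESS Access: 0xF003F
5083220 272.50000000 svchost.exe:800 QueryValue HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run SUCCESS
"""

# Constructed: (domain, user) pairs an admin would export from the real
# mailbox list, to compare against what the registry contains.
KNOWN_USERS: Set[Tuple[str, str]] = {("domain.com", "postmaster"), ("domain.com", "alice")}

# Matches only operations on HKLM\SOFTWARE\Ipswitch\IMail\Domains\<domain>\Users\<user>[\<value>]
USERKEY_RE = re.compile(
    r"^(?P<seq>\d+)\s+(?P<time>[\d.]+)\s+(?P<proc>[^:\s]+):(?P<pid>\d+)\s+(?P<op>\w+)\s+"
    r"HKLM\\SOFTWARE\\Ipswitch\\IMail\\Domains\\(?P<domain>[^\\\s]+)\\Users\\(?P<user>[^\\\s]+)"
    r"(?:\\(?P<value>[^\\\s]+))?\s+(?P<result>\S+)(?:\s+(?P<extra>.*))?$",
    re.IGNORECASE,
)


def parse_regmon(text: str) -> List[dict]:
    """Return one dict per line that touches an IMail Users key; other lines are ignored."""
    rows = []
    for raw in text.splitlines():
        m = USERKEY_RE.match(raw.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def triage(text: str, known_users: Set[Tuple[str, str]]) -> List[dict]:
    """Flag user keys created in the registry that the mailbox list does not know about."""
    created: Dict[Tuple[str, str], str] = {}   # (domain, user) -> process that created the key
    smtpwin_set: Set[Tuple[str, str]] = set()  # keys under which SMTPWIN was written
    for row in parse_regmon(text):
        if row["result"].upper() != "SUCCESS":
            continue
        key = (row["domain"].lower(), row["user"].lower())
        op = row["op"].lower()
        if op == "createkey" and row["value"] is None:
            created[key] = row["proc"]
        elif op == "setvalue" and (row["value"] or "").upper() == "SMTPWIN":
            smtpwin_set.add(key)
    findings = []
    for key in sorted(created):
        if key not in known_users:
            findings.append({"domain": key[0], "user": key[1],
                             "created_by": created[key], "smtpwin_set": key in smtpwin_set})
    return findings


if __name__ == "__main__":
    for finding in triage(REGMON_LINES, KNOWN_USERS):
        print(finding)
```

The output names the process behind each orphan key, which is the question the thread is circling: if every flagged key was created by IMail1.exe shortly before an SMTPWIN write, that points at the mail client being driven by notification mail on the server rather than at a remote compromise, and the answer changes what to fix (the notification files) versus what to rebuild.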
Re: [Declude.Virus] Stranger... about imail1.exe be hijacked.
Hi, Matt

Thanks for help, FYI

1: My version is 8.15 with the latest patch.
2: I've never enabled the IMAP service.
3: There was a firewall in place before this issue.
4: After adding SKIPIFVIRUSNAMEHAS Sober, and removing all SMTPWIN from the registry, the problem has not happened until now. But the firewall reports that IMAIL1.exe is changed. I checked the date of IMAIL1.exe: it's still modified 30 Dec 2004, the size is 200KB (204,800 bytes). Is it normal?

Regards
Brian

----- Original Message -----
From: Matt [EMAIL PROTECTED]
To: Declude.Virus@declude.com
Sent: Tuesday, December 13, 2005 1:39 AM
Subject: Re: [Declude.Virus] Stranger... about imail1.exe be hijacked.

[...]
Re: [Declude.Virus] Stranger... about imail1.exe be hijacked.
I am not aware of any exploits for 8.15 HF2, and your executable is the same as mine. I'll have to take back my suggestion that you were hacked. I can't explain the issues with orphaned accounts on your system, and considering what you indicated, I'm not convinced it is related to IMail1.exe and the pop-up windows.

Declude does use IMail1.exe to send out virus notifications if you have them configured. You can verify this by copying down the addresses that you see in the window and then checking your logs for other such messages from or to the same addresses. I suspect that you might find that these are all notifications from viruses.

If these are all virus bounces, I would suggest maybe reviewing and reconfiguring your use of notifications. The only notification that I use is the BANNotify.eml file, which is used when a banned extension or file name is found and the message turns up clean after being virus scanned. You may want to consider removing the recip.eml if you have that in your Declude directory. That file is used to notify the recipients of a blocked virus, but it is pretty much useless and confusing for your users/customers. If you have a sender.eml or otherpostmaster.eml in your Declude directory, I would definitely remove both of them. Over 99% of viruses are forging viruses, and by bouncing messages to forged senders or postmasters you would be creating backscatter, which is a very problematic relative of spam. It is almost completely safe to just block the detected viruses and not let anyone know about them. Even if entering the recommended SKIPIFVIRUSNAMEHAS Sober entry helped your current situation, it will definitely happen again and again unless you stay on top of this on a daily basis. It's just not worth it.

At the same time, you might want to check what the current recommended command line should be for your virus scanner(s), since there have been some changes in the last year that could result in missed viruses if you haven't updated your command line and/or definition downloads.

Matt

Crejob.com wrote:

[...]