Brian,
Software firewalls can have some big issues and often alert you on
things that are inaccurate or normal circumstances that don't pose any
threat. If you want to protect this server better, I would strongly
suggest using hardware for your firewall. Any router out there that can
block access by port should be enough to give you outstanding
protection. With an IMail server, you don't need to open up but a
handful of ports. For my entire network which does both hosting and
E-mail, I only have about 10 ports open to the entire world. This
greatly limits the chances of being hacked, and if you keep it patched, you
are almost perfectly safe.
I do have an SMTPWIN string in my registry for my root account, but not
others. I'm not sure what created those other strings for you. ICMP
packets are things like pings, and I have no clue what that alert you
are seeing is about. I'm thinking that it might be inaccurate. I don't
know though, but the best solution if you are concerned about security
is to install a hardware-based firewall, which could be a device that
calls itself a firewall or just a router that can block ports as
described above.
Good luck,
Matt
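Matt's point above is that a perimeter filter should expose only the handful of ports a mail host needs. A quick way to see what a host actually exposes is to parse `netstat -an` output and compare it against an allowlist. The script below is an added example and is not code from the thread; the netstat lines are constructed sample output in Windows `netstat -an` format, and the allowlist of mail/web ports is an assumption rather than something the thread specifies.

```python
"""Audit which ports a host exposes on all interfaces against an allowlist.
Added example; the netstat text and the allowlist are constructed/assumed."""
import re

# Constructed sample: what `netstat -an` might print on a Windows mail host.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:110            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:8383         0.0.0.0:0              LISTENING
  TCP    192.0.2.10:25          198.51.100.7:41022     ESTABLISHED
  UDP    0.0.0.0:161            *:*
  UDP    127.0.0.1:53           *:*
"""

# Assumed allowlist for an Internet-facing mail/web host (illustrative only).
ALLOWED = {("TCP", 25), ("TCP", 110), ("TCP", 143), ("TCP", 80), ("TCP", 443)}

# Bind addresses that mean "every interface".
WILDCARDS = {"0.0.0.0", "[::]"}

# Proto, local addr:port, foreign addr, optional state (UDP lines have none).
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")


def listening_sockets(netstat_text):
    """Return (proto, bind_addr, port) for sockets that accept traffic:
    TCP sockets in LISTENING state, or any UDP socket."""
    found = []
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, addr, port, _foreign, state = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue
        found.append((proto, addr, int(port)))
    return found


def exposed_outside_allowlist(netstat_text, allowed=ALLOWED):
    """Ports bound to every interface that the allowlist does not cover.
    Loopback-only binds are skipped: a perimeter filter never sees them."""
    return sorted(
        (proto, port)
        for proto, addr, port in listening_sockets(netstat_text)
        if addr in WILDCARDS and (proto, port) not in allowed
    )


if __name__ == "__main__":
    for proto, port in exposed_outside_allowlist(SAMPLE_NETSTAT):
        print(f"{proto}/{port} listens on all interfaces but is not on the allowlist")
```

Anything the script reports is a port that the router in front of the server should block, or that should not be listening at all; the loopback-only services are deliberately ignored because they are unreachable from outside regardless of the perimeter rules.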
Crejob.com wrote:
Hi, Matt
Thanks for your help. I renamed the sender.eml before; now,
following your suggestion, I've just renamed the recip.eml.
FYI, after I removed the SMTPWIN string from the registry last
time, my firewall prompted me that Imail1.exe had changed and was
also trying to respond to an Indonesian IP with the ICMP protocol.
I manually blocked it; then the same IP tried another program,
cross.exe, using the same ICMP protocol, and I blocked it again.
Regards
Brian
----- Original Message ----- From: "Matt" <[EMAIL PROTECTED]>
To:
Sent: Tuesday, December 13, 2005 2:09 PM
Subject: Re: [Declude.Virus] Stranger... about imail1.exe be hijacked.
I am not aware of any exploits for 8.15 HF2 and your executable is
the same as mine. I'll have to take back my suggestion that you were
hacked. I can't explain the issues with orphaned accounts on your
system, and considering what you indicated, I'm not convinced it is
related to IMail1.exe and the pop-up windows.
Declude does use IMail1.exe to send out virus notifications if you
have them configured. You can verify this by copying down the
addresses that you see in the window and then checking your logs for
other such messages from or to the same addresses. I suspect that
you might find that these are all notifications from viruses.
If these are all virus bounces, I would suggest maybe reviewing and
reconfiguring your use of notifications. The only notification that
I use is the BANNotify.eml file which is used when a banned extension
or file name is found and the message turns up clean after being
virus scanned. You may want to consider removing the recip.eml if you
have that in your Declude directory. That file is used to notify the
recipients of a blocked virus, but it is pretty much useless and
confusing for your users/customers. If you have a sender.eml or
otherpostmaster.eml in your Declude directory, I would definitely
remove both of them. Over 99% of viruses are forging viruses and by
bouncing messages to forged senders or postmasters, you would be
creating "backscatter" which is a very problematic relative of spam.
It is almost completely safe to just block the detected viruses and
not let anyone know about them. Even if entering the recommended
SKIPIFVIRUSNAMEHAS Sober entry helped your current situation, it will
definitely happen again and again unless you stay on top of this on a
daily basis. It's just not worth it.
At the same time, you might want to check what the current
recommended command line should be for your virus scanner(s) since
there have been some changes in the last year that could result in
missed viruses if you haven't updated your command line and/or
definition downloads.
Matt
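Matt's suggestion above is to take the addresses shown in the IMail1.exe window and look for other traffic to or from the same addresses in the logs: if every hit is a virus notification, the pop-ups are Declude notifications and the "recipients" are most likely forged senders receiving backscatter. The script below is an added example, not code from the thread or from Declude; the log format is constructed for illustration and is not IMail's or Declude's real log layout, and the notification heuristic (postmaster sender plus "virus" in the subject) is an assumption.

```python
"""Correlate addresses from the notification pop-up with a mail log.
Added example; the log lines and their format are constructed."""
import re

# Constructed sample log: "<date> <time> <from> -> <to> subject=<...>".
SAMPLE_LOG = """\
2005-12-13 13:58:01 alice@example.net -> sales@example.org subject=Invoice
2005-12-13 13:58:04 postmaster@example.org -> bob@example.com subject=Virus found in your message
2005-12-13 13:59:10 postmaster@example.org -> carol@example.edu subject=Virus found in your message
2005-12-13 14:01:22 postmaster@example.org -> bob@example.com subject=Virus found in your message
2005-12-13 14:03:40 dave@example.org -> carol@example.edu subject=Re: meeting
2005-12-13 14:05:09 postmaster@example.org -> erin@example.info subject=Virus found in your message
"""

LOG_RE = re.compile(r"^\S+ \S+ (\S+) -> (\S+) subject=(.*)$")


def is_notification(sender, subject):
    """Heuristic (assumption): a notification is sent by the local
    postmaster and carries 'virus' in its subject."""
    return sender.lower().startswith("postmaster@") and "virus" in subject.lower()


def correlate(log_text, addresses):
    """For each address copied from the pop-up, count the log lines that
    involve it as sender or recipient, split into notification vs. other."""
    wanted = {a.lower() for a in addresses}
    counts = {a: {"notification": 0, "other": 0} for a in wanted}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        sender, rcpt, subject = m.groups()
        kind = "notification" if is_notification(sender, subject) else "other"
        for addr in {sender.lower(), rcpt.lower()}:
            if addr in wanted:
                counts[addr][kind] += 1
    return counts


def only_notified(counts):
    """Addresses that appear solely as notification targets: they never
    exchanged real mail with the server, so they look like forged senders
    receiving backscatter."""
    return sorted(a for a, c in counts.items() if c["notification"] and not c["other"])


if __name__ == "__main__":
    seen_in_window = ["bob@example.com", "carol@example.edu", "erin@example.info"]
    stats = correlate(SAMPLE_LOG, seen_in_window)
    for addr, c in sorted(stats.items()):
        print(f"{addr}: {c['notification']} notification(s), {c['other']} other")
    print("notification-only:", only_notified(stats))
```

In the constructed sample, carol has ordinary correspondence as well as a notification, while bob and erin only ever appear as notification targets; on a real server a list dominated by the second kind is the signal Matt describes, and the fix is to stop sending those notifications rather than to chase the addresses.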
Crejob.com wrote:
Hi, Matt
Thanks for your help. FYI:
1: My version is 8.15 with the latest patch.
2: I've never enabled the IMAP service.
3: There was a firewall in place before this issue.
4: After adding SKIPIFVIRUSNAMEHAS Sober and
removing all SMTPWIN from the registry, the problem has not
happened until now.
But the firewall reports that IMAIL1.exe has changed. I checked
the date of IMAIL1.exe: it's still modified 30 Dec 2004, and
the size is 200KB (204,800 bytes). Is this normal?
Regards
Brian
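Brian's check of the date and size of IMAIL1.exe is a weak test: a replaced binary can be padded to the same length and its timestamp reset. A defender records a content hash when the file is known good and compares against that. The script below is an added example, not from the thread; it works on a constructed stand-in file in a temporary directory, because the thread gives no hash or baseline for the real IMail1.exe, and it shows that a same-size, same-date modification passes Brian's check but fails the hash comparison.

```python
"""Verify a binary against a recorded (size, mtime, sha256) baseline.
Added example; the file and its contents are constructed."""
import hashlib
import os
import tempfile

# 30 Dec 2004 00:00:00 UTC, matching the file date Brian reports.
FIXED_MTIME = 1104364800


def fingerprint(path):
    """Return (size, mtime, sha256 hex digest) for a file."""
    st = os.stat(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return st.st_size, int(st.st_mtime), h.hexdigest()


def verify(path, baseline):
    """Compare a file to a (size, mtime, sha256) baseline.
    Returns which properties still match the known-good record."""
    size, mtime, digest = fingerprint(path)
    b_size, b_mtime, b_digest = baseline
    return {
        "size": size == b_size,
        "mtime": mtime == b_mtime,
        "sha256": digest == b_digest,
    }


def demo():
    """Same length, same timestamp, different content: the date/size check
    passes while the hash fails. Uses a constructed file, not IMail1.exe."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "imail1_sample.bin")   # constructed stand-in
        original = b"MZ" + b"\x00" * 198 + b"original"
        with open(path, "wb") as f:
            f.write(original)
        os.utime(path, (FIXED_MTIME, FIXED_MTIME))
        baseline = fingerprint(path)                  # record when known good

        tampered = b"MZ" + b"\x00" * 198 + b"tampered"  # same length as original
        with open(path, "wb") as f:
            f.write(tampered)
        os.utime(path, (FIXED_MTIME, FIXED_MTIME))    # timestamp put back
        return verify(path, baseline)


if __name__ == "__main__":
    print(demo())
```

In practice the baseline is taken from a clean installation (or from the vendor's distribution file, as Matt effectively did by comparing against his own copy) and stored somewhere the server itself cannot rewrite; a firewall's "file changed" alert is then confirmed or dismissed by rerunning `verify` rather than by eyeballing Explorer's date column.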
----- Original Message ----- From: "Matt" <[EMAIL PROTECTED]>
To:
Sent: Tuesday, December 13, 2005 1:39 AM
Subject: Re: [Declude.Virus] Stranger... about imail1.exe be hijacked.
Brian,
I believe that IMail 8.15 and higher are protected from the exploit
that you were hit with, and those versions are about a year and a
half old now. IMail is certainly targeted on occasion by exploits
and spammers looking to hijack servers so it is best to keep your
server appropriately patched, and firewall it so that only the bare
minimum traffic is allowed in and out of it.
FYI,