Marc,

I have the same common items as yours so it's good to see it worked for you
too.

I would be interested if any Declude users that haven't had the imail1.exe
pop-ups on the server and DO send the recip.eml messages for the Sober
virus have the SMTPWIN entry in your registry with part of the From address.
In Marc's example you would see users (if you use postmaster as the from
address in the recip.eml) in the registry:

p
po
post
postmaster
postmaster@

This entry in my registry has stopped since I skip this virus notification.

Thanks,
Mike
Windows 2000 Server
Imail 8.15 HF2
Declude Virus Pro 1.82
F-Prot


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of marc
Sent: Saturday, December 10, 2005 7:29 AM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] Stranger... about imail1.exe be hijacked.


Mike, thx for fixing this problem with your suggestion of adding the
"SKIPIFVIRUSNAMEHAS Sober" in the "recip.eml" file, this really helps!

We had the same problem exactly 1 year before, posting this problem here and
discussing it on imailforum with no solution. Now after the new Sober flood two
weeks ago, again all symptoms were like your description, and new users were
created like po, post, postma, postmaster, ...

So I am sure this is a Declude issue.

Windows 2000 Server
Imail 8.15 HF2
Declude Virus Standard 1.82
F-Prot

Marc


At 18:49 09.12.2005, you wrote:
>What I think it might be is a combination of several things and here are
>some of the common things that I have with information gathered on the
>different lists:
>
>Seems to have first started with IMail 8.x
>Running Declude Pro, Virus (f-prot), Hijack 1.82
>Sober virus seems to trigger this event along with the recip.eml file
>
>IMail Client (Imail1.exe) will pop up on the server with random address in
>the To and CC field of the client. It seems that the message that is trying
>to be sent out is the contents of the recip.eml that Declude uses.
>
>Will see the registry changes with the SMTPWIN entry under the Users. It
>seems that this entry is made if you use the IMail Client on the server. In
>our case the entries added are part of the email address used in the From
>field of the recip.eml.
>
>The way we stopped this from happening was adding the "SKIPIFVIRUSNAMEHAS
>Sober" in the "recip.eml" file.
>
>I'm not sure why it happens on only certain servers, but that's what we have
>found. I haven't been convinced that the server was hacked. Rebuilding the
>servers may have corrected the problem, but still not sure the servers are
>being hacked.
>
>Does anyone have the same common items having this problem?
>
>Thanks,
>Mike
>
>
>
>________________________________
>
>From: [EMAIL PROTECTED]
>[mailto:[EMAIL PROTECTED] On Behalf Of Crejob.com
>Sent: Friday, December 09, 2005 9:33 AM
>To: Declude.Virus@declude.com
>Subject: Re: [Declude.Virus] Stranger... about imail1.exe be hijacked.
>
>
>Maybe, but if you check the mailing list history, quite a few servers have had the
>same problem in the past 1.5 years, and the problem persists. If there is
>any virus or trojan, some antivirus program should be able to detect it now.
>
>I suspect this is an issue of imail webmail, that's why it bypasses
>Declude.
> 
>
>       ----- Original Message ----- 
>       From: John T (Lists) <mailto:[EMAIL PROTECTED]>  
>       To: Declude.Virus@declude.com 
>       Sent: Friday, December 09, 2005 4:15 PM
>       Subject: RE: [Declude.Virus] Stranger...
>
>
>       I do not think this is either an Imail or Declude issue, rather a
>server security issue, or rather a compromise of server security.
>
>       
>
>       Sounds like you have some type of virus or Trojan on that server.
>
>       
>
>       John T
>
>       eServices For You
>
>       
>
>       -----Original Message-----
>       From: [EMAIL PROTECTED]
>[mailto:[EMAIL PROTECTED] On Behalf Of Crejob.com
>       Sent: Thursday, December 08, 2005 9:57 PM
>       To: Declude.Virus@declude.com
>       Subject: Re: [Declude.Virus] Stranger...
>
>       
>
>       Has anybody found the answer to this problem?
>
>       After 1.5 years, this problem still remains.
>
>       And IPSWITCH never gave me a clear answer about it.


---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".    The archives can be found
at http://www.mail-archive.com.