[Declude.Virus] about Imail1.exe security issue

2004-11-24 Thread Crejob.com
My Imail server keeps popping up a Create Mail Message; it seems that Imail1.exe is being exploited by someone trying to send out spam. I try to limit the imail1.exe user permission, but this results in the webmail not being able to send out email. Any advice on how to solve this problem? Regards Brian --- [This

Re: [Declude.Virus] about Imail1.exe security issue

2004-11-24 Thread Doug Traylor
Any advice on how to solve this problem? This has been discussed on the Imail forum in the recent past. See a direct search of the archives with many posts about this at: http://www.mail-archive.com/cgi-bin/htsearch?config=imail_forum_list_ipswitch_comrestrict=exclude=words=imail1.exe+hacked

Re: [Declude.Virus] about Imail1.exe security issue

2004-11-24 Thread Serge
We had the same issue a few months ago. I suspected a problem from Declude because the addresses that appear in the open imail1 window looked like ones that would be generated by Declude notifications (or maybe imail gses ?). Anyway, rebooting the server resolved the issue back then. Unfortunately, since

RE: [Declude.Virus] about Imail1.exe security issue

2004-11-24 Thread Mike Wiegers
This is odd, odd because my server has this problem also and I called Ipswitch about it and they said that my server was the only one having the problems. It had it several months ago (and called) and then started again (and called). Those are the only calls to tech support in the past several

Re: [Declude.Virus] about Imail1.exe security issue

2004-11-24 Thread Mailing Lists
We had the same issue, then it mysteriously got fixed. Imail was aware of it as we had opened a ticket. Every time this would happen, the affected domain registry entry would have some weird users and entries (don't recall exactly but if you search the archives you will find the post). PV - Original

Re: [Declude.Virus] about Imail1.exe security issue

2004-11-24 Thread marc
Same here after the update to 8.14 and hf1. marc At 15:57 24.11.2004, you wrote: We had the same issue, then it mysteriously got fixed. Imail was aware of it as we had opened a ticket. Every time this would happen, the affected domain registry entry would have some weird users and entries (don't recall

Re: [Declude.Virus] about Imail1.exe security issue

2004-11-24 Thread Brian Lin
I'm now quite sure that it is caused by a client's PC virus. I used the specific email string to search the sys*.txt log and found it comes from 1 IP. I blocked this IP in my firewall, then this problem disappeared, but the problem is that from the IP I cannot identify the client's PC name, because virus using

Re: [Declude.Virus] about Imail1.exe security issue

2004-11-24 Thread Brian Lin
I am still on 8.13 and got the problem, so it should not be a new problem of 8.14. I think it's a problem of a new virus. - Original Message - From: marc [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Wednesday, November 24, 2004 11:22 PM Subject: Re: [Declude.Virus] about Imail1.exe security issue

Re: [Declude.Virus] about Imail1.exe security issue

2004-11-24 Thread marc
I think that's not by a client's PC virus. I got just right the IP using the imail1.exe to existing and non-existing users (217.255.255.100). Searching the log*.txt, it's using different PC names. Sorry about this post, because this is not a Declude issue. marc At 16:45 24.11.2004, you wrote:

Re: [Declude.Virus] about Imail1.exe security issue

2004-11-24 Thread Brian Lin
Sorry, I don't get your meaning. Why do you think it's not by a client PC virus? A virus always changes the PC name if using its own SMTP engine; also, the IP may be a broadband shared in a network, and several PCs in the network may all be infected. In my case, I just found that IP is infected by

[Declude.Virus] Not detecting viruses

2004-11-24 Thread Katie LaSalle-Lowery
Downloaded F-Prot 3.16 yesterday and changed our configuration accordingly (I think). I've got something messed up. Not detecting viruses. The log shows virus free on every message. I'm getting emails from customers reporting threats getting through. I have struggled with f-stop but it is not

RE: [Declude.Virus] Not detecting viruses

2004-11-24 Thread Rodney Bertsch
I don't know why there wasn't a post about this here, but there's been a discussion in Declude.Junkmail about this issue as well. The problem I had was with my command line settings for F-Prot. The Declude manual used to give the command calling for f-prot.exe in the command line. However in

Re: [Declude.Virus] Not detecting viruses

2004-11-24 Thread R. Scott Perry
Downloaded F-Prot 3.16 yesterday and changed our configuration accordingly (I think). I've got something messed up. Not detecting viruses. Did you switch from F-Prot.exe to fpcmd.exe? If so, you'll need to remove the /NOBOOT switch from the SCANFILE line in your virus.cfg file. The log

RE: [Declude.Virus] Not detecting viruses

2004-11-24 Thread Mike Wiegers
Did you switch from F-Prot.exe to fpcmd.exe? If so, you'll need to remove the /NOBOOT switch from the SCANFILE line in your virus.cfg file. Scott, Did the removal of the /NOBOOT switch just start with the 3.16 version? I still have this in my fpcmd.exe line. It also shows that switch on the

RE: [Declude.Virus] Not detecting viruses

2004-11-24 Thread Katie LaSalle-Lowery
This is what I had: SCANFILEC:\Progra~1\fsi\f-prot\fpcmd.exe /nomem /noself /arc /report=report.txt So, of course I realized I was a complete idiot and had it still set for AVG. So, I changed it according to my manual (yes, the MANUAL). Now I have: SCANFILE

RE: [Declude.Virus] Not detecting viruses

2004-11-24 Thread Katie LaSalle-Lowery
Okay, made the change and it was good for a minute or two then back to: 11/24/2004 10:41:45 Qc7d80b560070ec4e WARNING: F-Stop is running, please disable it (you may need to reinstall F-Prot and disable the Realtime Protector to disable it), or it will interfere with Declude. I have reinstalled

RE: [Declude.Virus] Not detecting viruses

2004-11-24 Thread Jim Nitterauer
Hello. I made the required changes but now suddenly get the following in the VIRUS log: 11/24/2004 11:46:20 Qc8de001001d4d5de MIME file: [text/html][7Bit; Length=844 Checksum=76503] 11/24/2004 11:46:20 Qc8de001001d4d5de 1 [1 of 2 not deleted] files were deleted. You should not use an on-access

Re: [Declude.Virus] about Imail1.exe security issue

2004-11-24 Thread marc
You are right about the virus always changing the PC name, but it's very strange that it is sending to different domains on our Imail!? Like dictionary attacks through webmail... At 17:25 24.11.2004, you wrote: Sorry, I don't get your meaning. Why do you think it's not by a client PC virus? A virus always

Re: [Declude.Virus] Not detecting viruses

2004-11-24 Thread Darin Cox
Are you using the F-prot real-time protector? If so, you should disable it. Darin. - Original Message - From: Jim Nitterauer [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Wednesday, November 24, 2004 12:49 PM Subject: RE: [Declude.Virus] Not detecting viruses Hello. I made the

[Declude.Virus] Issues with F-prot 3.16 or not?

2004-11-24 Thread Douglas Cohn
OOOPs Just got this. FRISK Software has released version 3.16a of F Prot Antivirus for Windows. More information on this release can be found on our website: http://www.f-prot.com/news/gen_news/041124_release_win316a.html We recommend that users of F-Prot Antivirus for Windows update their

RE: [Declude.Virus] Not detecting viruses

2004-11-24 Thread R. Scott Perry
Did the removal of the /NOBOOT switch just start with the 3.16 version? I still have this in my fpcmd.exe line. It also shows that switch on the Declude Online Manual. It's the /NOFLOPPY switch that must be used with F-Prot.exe and must not be used with fpcmd.exe. /NOBOOT can (and should) be

RE: [Declude.Virus] Not detecting viruses

2004-11-24 Thread Katie LaSalle-Lowery
Easier said than done... I'm having the same problem. I can get it to work properly temporarily. I've disabled, I've reinstalled w/o real-time protection. Still struggling. ~Katie -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox Sent:

RE: [Declude.Virus] Not detecting viruses

2004-11-24 Thread R. Scott Perry
I made the required changes but now suddenly get the following in the VIRUS log: 11/24/2004 11:46:20 Qc8de001001d4d5de 1 [1 of 2 not deleted] files were deleted. You should not use an on-access virus scanner that scans the IMail directory or sub-directories. This means that either [1] You're

RE: [Declude.Virus] Not detecting viruses

2004-11-24 Thread Jim Nitterauer
Darin, The real time protector is not installed. Thanks Jim Nitterauer President Creative Data Concepts Limited, Inc. 3 W. Garden Street Suite 326 Pensacola, FL 32502 http://www.creativedata.net 850-434-7645 800-607-6168 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL

RE: [Declude.Virus] Not detecting viruses

2004-11-24 Thread Jim Nitterauer
Here are the relevant lines for the config file: SCANFILE C:\Progra~1\FSI\F-Prot\fpcmd.exe /TYPE /SILENT /NOMEM /ARCHIVE=3 /NOBOOT /NOFLOPPY /DUMB /REPORT=report.txt VIRUSCODE 3 VIRUSCODE 6 REPORT Infection: Please advise. Thanks Jim Nitterauer President Creative Data Concepts Limited,

RE: [Declude.Virus] Not detecting viruses

2004-11-24 Thread R. Scott Perry
Here are the relevant lines for the config file: SCANFILE C:\Progra~1\FSI\F-Prot\fpcmd.exe /TYPE /SILENT /NOMEM /ARCHIVE=3 /NOBOOT /NOFLOPPY /DUMB /REPORT=report.txt VIRUSCODE 3 VIRUSCODE 6 REPORT Infection: Those log file entries appear correct; have you triple-checked that you are not

RE: [Declude.Virus] Not detecting viruses

2004-11-24 Thread Jim Nitterauer
Here is the output of the diag: Declude 1.81 (C) Copyright 2000-2004 Computerized Horizons. Diagnostics ON (Declude v1.81). Declude JunkMail: Config file found (C:\IMail\Declude\global.CFG). Declude Virus: Config file found (C:\IMail\Declude\Virus.CFG). Declude Hijack:Not installed

RE: [Declude.Virus] Not detecting viruses

2004-11-24 Thread R. Scott Perry
Here is the output of the diag: That shows that there is no on-access scanner interfering. Is the SCANFILE line all on one line (starting with SCANFILE and ending in report.txt)? Are there any errors/warnings in the log file? -Scott ---

F-prot 3.16 real time protector (was: RE: [Declude.Virus] Not detecting viruses)

2004-11-24 Thread Katie LaSalle-Lowery
One of my co-workers just got into the office, logged onto the mail server via Remote Desktop (as I am logged on) and the Real Time Protector popped up. I have reinstalled it a number of times de-selecting the Real Time Protector but we continue to struggle with the real time protector running

Re: F-prot 3.16 real time protector (was: RE: [Declude.Virus] Not detecting viruses)

2004-11-24 Thread R. Scott Perry
Any ideas on how I might change my configuration so this doesn't happen? Have you tried uninstalling and reinstalling? If I recall correctly, old versions of F-Prot that were installed with the RealTime Protector had to be uninstalled and then re-installed with the RealTime Protector disabled

RE: F-prot 3.16 real time protector (was: RE: [Declude.Virus] Not detecting viruses)

2004-11-24 Thread Jim Nitterauer
I changed my scan line to: SCANFILE C:\Progra~1\FSI\F-Prot\fpcmd.exe /TYPE /SILENT /ARCHIVE=3 /DUMB /REPORT=report.txt The errors in the log file are gone and the scanner is trapping more viruses. Not sure why removing /NOMEM /NOBOOT /NOFLOPPY makes any difference. I cannot see where these are

RE: F-prot 3.16 real time protector (was: RE: [Declude.Virus] Not detecting viruses)

2004-11-24 Thread Jim Nitterauer
I also noticed that the fpcmd.exe does not write directories to the disk any longer. Jim Nitterauer President Creative Data Concepts Limited, Inc. 3 W. Garden Street Suite 326 Pensacola, FL 32502 http://www.creativedata.net 850-434-7645 800-607-6168 -Original Message- From: [EMAIL

RE: F-prot 3.16 real time protector (was: RE: [Declude.Virus] Not detecting viruses)

2004-11-24 Thread Katie LaSalle-Lowery
I copied your scan line. Looks much better. I'm still worried that the real time protector is going to come back on me, though... ~Katie -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jim Nitterauer Sent: Wednesday, November 24, 2004 12:39 PM To:

Re: F-prot 3.16 real time protector (was: RE: [Declude.Virus] Not detecting viruses)

2004-11-24 Thread Bill Landry
- Original Message - From: Jim Nitterauer [EMAIL PROTECTED] I will try that. Yes, I checked to make sure. I also looked at the supported options for fpcmd.exe. The following are not supported: /nomem /noboot /nofloppy. Are these something that you have included within Declude?

RE: F-prot 3.16 real time protector (was: RE: [Declude.Virus] Not detecting viruses)

2004-11-24 Thread Jim Nitterauer
Thanks for the clarification. Jim Nitterauer President Creative Data Concepts Limited, Inc. 3 W. Garden Street Suite 326 Pensacola, FL 32502 http://www.creativedata.net 850-434-7645 800-607-6168 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bill

Re: [Declude.Virus] Not detecting viruses

2004-11-24 Thread Darin Cox
Hmmm...the log entry you indicated is suggesting that you either have the real-time protector enabled, or perhaps you have a script running that cleans up the spool directory. Darin. - Original Message - From: Jim Nitterauer [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Wednesday,

RE: [Declude.Virus] Issues with F-prot 3.16 or not?

2004-11-24 Thread Rodney Bertsch
I've tried the link several times and don't seem to be getting anywhere. The news release about 3.16a comes up, directs you to the Updates page, but when I log in the updates page only offers 3.16 dated November 17th. Anyone have a direct link to the update? Thanks, Rodney Bertsch IS

RE: [Declude.Virus] Issues with F-prot 3.16 or not?

2004-11-24 Thread Dan Horne
I'm getting that same issue. The updater doesn't find anything either. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rodney Bertsch Sent: Wednesday, November 24, 2004 4:45 PM To: [EMAIL PROTECTED] Subject: RE: [Declude.Virus] Issues with F-prot 3.16

RE: [Declude.Virus] Issues with F-prot 3.16 or not?

2004-11-24 Thread Jim Nitterauer
I emailed them and the response was that their servers were overloaded. Jim Nitterauer President Creative Data Concepts Limited, Inc. 3 W. Garden Street Suite 326 Pensacola, FL 32502 http://www.creativedata.net 850-434-7645 800-607-6168 -Original Message- From: [EMAIL PROTECTED]

Re: [Declude.Virus] Issues with F-prot 3.16 or not?

2004-11-24 Thread Bill Landry
The updated version is there now. I sent F-Prot support an e-mail asking why they would send out an update notification before they actually posted the updated version for download - got a canned auto-reply... Bill - Original Message - From: Rodney Bertsch [EMAIL PROTECTED] To: [EMAIL