What I think it might be is a combination of several things and here are some of the common things that I have with information gathered on the different lists:
Seems to have first started with IMail 8.x
Running Declude Pro, Virus (f-prot), Hijack 1.82
Sober virus seems to trigger this event along with the recip.eml file
IMail Client (Imail1.exe) will pop up on the server with random addresses in the To and CC fields of the client.
It seems that the message that is trying to be sent out is the contents of the recip.eml that Declude uses.
Will see the registry changes with the SMTPWIN entry under the Users. It seems that this entry is made if you use the IMail Client on the server. In our case the entries added are part of the email address used in the From field of the recip.eml.

The way we stopped this from happening was adding the "SKIPIFVIRUSNAMEHAS Sober" in the "recip.eml" file. I'm not sure why it happens on only certain servers, but that's what we have found. I haven't been convinced that the server was hacked. Rebuilding the servers may have corrected the problem, but still not sure the servers are being hacked.

Does anyone have the same common items having this problem?

Thanks,
Mike

________________________________
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Crejob.com
Sent: Friday, December 09, 2005 9:33 AM
To: [email protected]
Subject: Re: [Declude.Virus] Stranger...

About imail1.exe being hijacked: maybe, but if you check the mail list history, quite a few servers have had the same problem in the past 1.5 years, and the problem persists. If there is any virus or trojan, some antivirus program should be able to detect it by now. I suspect this is an issue of IMail webmail; that's why it bypasses Declude.

----- Original Message -----
From: John T (Lists) <mailto:[EMAIL PROTECTED]>
To: [email protected]
Sent: Friday, December 09, 2005 4:15 PM
Subject: RE: [Declude.Virus] Stranger...

I do not think this is either an Imail or Declude issue, rather a server security issue, or rather a compromise of server security. Sounds like you have some type of virus or Trojan on that server.
John T
eServices For You

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Crejob.com
Sent: Thursday, December 08, 2005 9:57 PM
To: [email protected]
Subject: Re: [Declude.Virus] Stranger...

Has anybody found the answer to this problem? After 1.5 years, this problem still remains, and IPSWITCH has never given me a clear answer about it.

----- Original Message -----
From: serge <mailto:[EMAIL PROTECTED]>
To: [email protected]
Sent: Tuesday, June 08, 2004 7:46 AM
Subject: Re: [Declude.Virus] Stranger...

I know imail1 is a command line mailer, but how do I find what is causing the imail1 window to be open and filled with all these addresses?
See attached gif.

----- Original Message -----
From: Darin Cox <mailto:[EMAIL PROTECTED]>
To: [email protected]
Sent: Monday, June 07, 2004 10:21 PM
Subject: Re: [Declude.Virus] Stranger...

Does this shed any light?
http://support.ipswitch.com/kb/IM-19980119-DD10.htm

Darin.

----- Original Message -----
From: Serge <mailto:[EMAIL PROTECTED]>
To: [email protected]
Sent: Monday, June 07, 2004 3:55 PM
Subject: [Declude.Virus] Stranger...

Hi all, urgent help needed.

I have an imail1 client window ("create mail message") pop up on my server with all kinds of real and strange addresses in the TO: and CC: fields. The window remains open on the server desktop. Is this a virus? How can I identify the service/virus/application causing this?

TIA

---
[This E-mail was scanned for viruses by Declude EVA www.declude.com]
---
This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus". The archives can be found at http://www.mail-archive.com.
