Re: [Declude.Virus] Stranger... about imail1.exe be hijacked.

[Matt]

Brian,

Software firewalls can have some big issues and often alert you on 
things that are inaccurate or normal circumstances that don't pose any 
threat.  If you want to protect this server better, I would strongly 
suggest using hardware for your firewall.  Any router out there that can 
block access by port should be enough to give you outstanding 
protection.  With an IMail server, you don't need to open up but a 
handful of ports.  For my entire network which does both hosting and 
E-mail, I only have about 10 ports open to the entire world.  This 
greatly limits the chances of being hacked, and if you keep patched, you 
are almost perfectly safe.

I do have an SMTPWIN string in my registry for my root account, but not 
others.  I'm not sure what created those other strings for you.  ICMP 
packets are things like pings, and I have no clue what that alert you 
are seeing is about.  I'm thinking that it might be inaccurate.  I don't 
know though, but the best solution if you are concerned about security 
is to install a hardware based firewall which could be a device that 
calls itself a firewall or just a router that can block ports as 
described above.

Good luck,

Matt



Crejob.com wrote:

Hi, Matt

Thanks for your help,  I've rename the sender.eml before, now
follow your suggestion, I've just renamed the receip.eml.

FYI, after last time I remove the SMTPWIN string in the
registry,  my firewall prompt me Imail1.exe is changed, and
also try to response to a Indonesian IP with Protocol ICMP,
I manually block it, then the same IP tried another program
cross.exe use the same ICMP protocol, I block it again.

Regards
Brian


----- Original Message ----- From: "Matt" <[EMAIL PROTECTED]>
To: <Declude.Virus@declude.com>
Sent: Tuesday, December 13, 2005 2:09 PM
Subject: Re: [Declude.Virus] Stranger... about imail1.exe be hijacked.


I am not aware of any exploits for 8.15 HF2 and your executable is 
the same as mine.  I'll have to take back my suggestion that you were 
hacked.  I can't explain the issues with orphaned accounts on your 
system, and considering what you indicated, I'm not convinced it is 
related to IMail1.exe and the pop-up windows.

Declude does use IMail1.exe to send out virus notifications if you 
have them configured.  You can verify this by copying down the 
addresses that you see in the window and then checking your logs for 
other such messages from or to the same addresses.  I suspect that 
you might find that these are all notifications from viruses.

If these are all virus bounces, I would suggest maybe reviewing and 
reconfiguring your use of notifications.  The only notification that 
I use is the BANNotify.eml file which is used when a banned extension 
or file name is found and the message turns up clean after being 
virus scanned. You may want to consider removing the recip.eml if you 
have that in your Declude directory.  That file is used to notify the 
recipients of a blocked virus, but it is pretty much useless and 
confusing for your users/customers.  If you have a sender.eml or 
otherpostmaster.eml in your Declude directory, I would definitely 
remove both of them.  Over 99% of viruses are forging viruses and by 
bouncing messages to forged senders or postmasters, you would be 
creating "backscatter" which is a very problematic relative of spam.  
It is almost completely safe to just block the detected viruses and 
not let anyone know about them.  Even if entering the recommended 
SKIPIFVIRUSNAMEHAS Sober entry helped your current situation, it will 
definitely happen again and again unless you stay on top of this on a 
daily basis.  It's just not worth it.

At the same time, you might want to check what the current 
recommended command line should be for your virus scanner(s) since 
there have been some changes in the last year that could result in 
missed viruses if you haven't updated your command line and/or 
definition downloads.

Matt




Crejob.com wrote:

Hi, Matt

Thanks for help, FYI
1: My version is 8.15 with the latest patch.
2: I've never enable IMAP service
3: There is a firewall in place before this issue.
4: After adding SKIPIFVIRUSNAMEHAS Sober, and
remove all SMTPWIN from registry,  the problem does not
happen until now,
But the firewall report the IMAIL1.exe is changed,  I check
the date of IMAIL1.exe, it's still a modified 30 Dec 2004,
the size is 200KB (204,800 bytes) is it normal?

Regards
Brian

----- Original Message ----- From: "Matt" <[EMAIL PROTECTED]>
To: <Declude.Virus@declude.com>
Sent: Tuesday, December 13, 2005 1:39 AM
Subject: Re: [Declude.Virus] Stranger... about imail1.exe be hijacked.


Brian,

I believe that IMail 8.15 and higher are protected from the exploit 
that you were hit with, and those versions are about a year and a 
half old now. IMail is certainly targeted on occasion by exploits 
and spammers looking to hijack servers so it is best to keep your 
server appropriately patched, and firewall it so that only the bare 
minimum traffic is allowed in and out of it.

FYI, if I recall correctly, the common hack affected those with 
IMAP enabled.  If you just simply remove the hacked accounts and 
don't patch or disable the targeted services, you will likely get 
hacked again.

Matt



Crejob.com wrote:

Actually imail1.exe created  several blank account in my system,
like t, te, tech, etc.  these accounts show up in registry and
webmail admin page, but in Imail admin and real users folder,
there is no such accounts.

In the registry, these forged accounts all have this record
SMTPWIN 20,20,524,350

looks very like the server is comprised,  but as you can
see from the imail forum message below, someone use
Regmon and captured that it is  Imail1.exe set this value.

By the way, if anybody still under the Imail warranty or service
agreement, please contact IPSWITCH to solve it as soon as
possible. Last year, 6 months prior to my warranty expiry, I
raised this issue to IPswitch tech-support,  they take quite a
few weeks to reply me 2 emails, but the problem did not solve
at all,  at that time I did not bother them too much as the
problem was not severe. These days when the same problem
pop up again, I send them an email with the same ticket No.,
tell them it's exactly the same issue,  but they refuse to give
me any answer, because my warranty is expired now.

As we can see from Imail forum list, from declude list, at least
6-7 servers affected,  and in IPSWITCH tech-support database,
there is no any record related to SMTPWIN,  so I guess they still
has no idea what really happen to Imail.

==================================
http://www.mail-archive.com/imail_forum@list.ipswitch.com/msg85387.html 

Ok,
I think I found the process that creates the value, it looks like 
imail1.exe
is the one creating the registry entry (see below output from 
RegMon).
5083182 271.60988441 IMail1.exe:1392 CreateKey
HKLM\SOFTWARE\Ipswitch\IMail\Domains\domain.com\Users\postmaster 
SUCCESS
Access: 0x2000000
5083183 271.61018287 IMail1.exe:1392 SetValue
HKLM\SOFTWARE\Ipswitch\IMail\Domains\domain.com\Users\postmaster\SMTPWIN 

SUCCESS "20,20,524,350"
PV
=======================================================

----- Original Message ----- From: "Mike Wiegers" <[EMAIL PROTECTED]>
To: <Declude.Virus@declude.com>
Sent: Sunday, December 11, 2005 2:49 AM
Subject: RE: [Declude.Virus] Stranger... about imail1.exe be 
hijacked.


Brian,

Did you have the SMTPWIN entry in your registry file with part of 
the From
address that's used in your "recip.eml" file?

Mike

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Crejob.com
Sent: Saturday, December 10, 2005 10:17 AM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] Stranger... about imail1.exe be 
hijacked.

Hi, Mike

You are really helpful!
I've incerted the SKIPIFVIRUSNAMEHAS Sober 10 hours
before, and the problem seems disapear!
I'll keep monitor it and let you know the result. Once again,
thank you !

Regards
Brian

----- Original Message ----- From: "Mike Wiegers" <[EMAIL PROTECTED]>
To: <Declude.Virus@declude.com>
Sent: Saturday, December 10, 2005 1:49 AM
Subject: RE: [Declude.Virus] Stranger... about imail1.exe be 
hijacked.


What I think it might be is a combination of several things and 
here are
some of the common things that I have with information gathered 
on the
different lists:

Seems to of first started with IMail 8.x
Running Declude Pro, Virus (f-prot), Hijack 1.82
Sober virus seems to trigger this event along with the recip.eml 
file

IMail Client (Imail1.exe) will popup on the server with random 
address in
the To and CC field of the client. It seems that the message 
that is
trying
to be sent out is the contents of the recip.eml that Declude uses.

Will see the registry changes with the SMTPWIN entry under the 
Users. It
seems that this entry is made if you use the IMail Client on the 
server.
In
our case the entries added are part of the email address used in 
the From
field of the recip.eml.

The way we stopped this from happening was adding the 
"SKIPIFVIRUSNAMEHAS
Sober" in the "recip.eml" file.

I'm not sure why it happens on only certain servers, but that's 
what we
have
found. I haven't been convinced that the server was hacked. 
Rebuilding the
servers may of corrected the problem, but still not sure the 
servers are
being hacked.

Does anyone have the same common items having this problem?

Thanks,
Mike



________________________________

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Crejob.com
Sent: Friday, December 09, 2005 9:33 AM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] Stranger... about imail1.exe be 
hijacked.


Maybe, but you check the maillist history, quite a few servers 
have the
same problem in the past 1.5 years. and the problem persists, if 
there is
any virus or trojan,  some antivirus program should can detect 
it now.

I suspect this is a issue of imail webmail,  that's why it 
bypass the
declude.


----- Original Message ----- From: John T (Lists) 
<mailto:[EMAIL PROTECTED]>
To: Declude.Virus@declude.com
Sent: Friday, December 09, 2005 4:15 PM
Subject: RE: [Declude.Virus] Stranger...


I do not think this is either an Imail or Declude issue, rather a
server security issue, or rather a comprise of server security.



Sounds like you have some type of virus or Trojan on that server.



John T

eServices For You



-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Crejob.com
Sent: Thursday, December 08, 2005 9:57 PM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] Stranger...



Does any body find the answer of this problem?

After 1.5 years, this problem still remain.

and IPSWITCH never give me a clear answer about it.



----- Original Message -----
From: serge <mailto:[EMAIL PROTECTED]>

To: Declude.Virus@declude.com

Sent: Tuesday, June 08, 2004 7:46 AM

Subject: Re: [Declude.Virus] Stranger...



i know imail1 is a command line mailer

but how do i find what i causing the imail 1 window to be
open and filed with all these adresses ?

see attached gif





----- Original Message -----
From: Darin Cox <mailto:[EMAIL PROTECTED]>

To: Declude.Virus@declude.com

Sent: Monday, June 07, 2004 10:21 PM

Subject: Re: [Declude.Virus] Stranger...



Does this shed any light?



http://support.ipswitch.com/kb/IM-19980119-DD10.htm


Darin.





----- Original Message -----
From: Serge <mailto:[EMAIL PROTECTED]>

To: Declude.Virus@declude.com

Sent: Monday, June 07, 2004 3:55 PM

Subject: [Declude.Virus] Stranger...



hi all

urgent help needed

I have imail1 client window ("create mail message")
pop up on my server with all kind of real and strange addresses 
in the TO:
and CC: Fields.

The windows remains open on the server desktop.

Is this a virus ? how can i identify the
service/virus/application causing this ?



TIA


---
[This E-mail was scanned for viruses by Declude EVA 
www.declude.com]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".    The archives can be found
at http://www.mail-archive.com.



---
[This E-mail was scanned for viruses by Declude EVA www.declude.com]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".    The archives can be found
at http://www.mail-archive.com.

---
[This E-mail was scanned for viruses by Declude EVA www.declude.com]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".    The archives can be found
at http://www.mail-archive.com.



---
[This E-mail was scanned for viruses by Declude EVA www.declude.com]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".    The archives can be found
at http://www.mail-archive.com.


---
[This E-mail was scanned for viruses by Declude EVA www.declude.com]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".    The archives can be found
at http://www.mail-archive.com.



---
[This E-mail was scanned for viruses by Declude EVA www.declude.com]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".    The archives can be found
at http://www.mail-archive.com.


---
[This E-mail was scanned for viruses by Declude EVA www.declude.com]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".    The archives can be found
at http://www.mail-archive.com.



---
[This E-mail was scanned for viruses by Declude EVA www.declude.com]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".    The archives can be found
at http://www.mail-archive.com.


---
[This E-mail was scanned for viruses by Declude EVA www.declude.com]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".    The archives can be found
at http://www.mail-archive.com.