Hi Eric,

Not to attack you but.... was there such a big difference between the IMAP program in 8.0x and 8.1x that it could not have been fixed with a few hours work? After all the bug was identified and fixed in the 8.2 and 8.1 version. Besides that, my understanding of "a major release" had led me to believe that 8.x versions were patched. :-( Of course one has to draw a line somewhere, and a 7.x version is old indeed but the 8.0x versions are only 2 years old. I assume a lot of people are still running IMail 8.0x versions.

Besides what I wrote above.... A few weeks ago I got a nice email from Ipswitch informing me that according to them I no longer had a valid service agreement, and would I not like to renew it? It would have been nice of Ipswitch to inform me at that time that I was running a vulnerable version of IMail and that malware was already on the loose attacking this vulnerability.
Greetings,
Bonno Bloksma

----- Original Message -----
From: "Eric Shanbrom" <[EMAIL PROTECTED]>
To: <[email protected]>
Sent: Friday, August 12, 2005 10:59 PM
Subject: Re: [IMail Forum] IMAP service stopping...

To be a little more clear..

These were fixed when we got notified about them for the current released version and the major release prior to the current one. So anyone running 8.1x or better can be safe from these exploits by keeping their version up to date with the patches that they are entitled to (8.15 HF2 and 8.20 HF2).

Hope that helps

Eric S

----- Original Message -----
From: "dstrz " <[EMAIL PROTECTED]>
To: <[email protected]>
Sent: Friday, August 12, 2005 4:02 PM
Subject: RE: [IMail Forum] IMAP service stopping...

I'm not sure if I am interpreting your response correctly. Do you mean...

the user's responsibility to keep their existing version up-to-date by applying patches released by Ipswitch to address security vulnerabilities in their software with known exploits in the wild

Or

the user's responsibility to open their wallet to the tune of $10,000 (give or take) at the software developer's whim, or whenever they decide to change the definition of "current version."

Can you clarify?

-Dave

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Shanbrom
Sent: Friday, August 12, 2005 3:48 PM
To: [email protected]
Subject: Re: [IMail Forum] IMAP service stopping...

A better fix would be to keep IMail up to date. These were addressed in the current version

Eric S

----- Original Message -----
From: "dstrz " <[EMAIL PROTECTED]>
To: <[email protected]>
Sent: Friday, August 12, 2005 12:37 PM
Subject: Re: [IMail Forum] IMAP service stopping...

FYI - I am running a fully-patched Win2000 server (SP4 & all critical updates) and I got hit this morning with this exploit. Someone crashed the IMAP service and dropped a Trojan (rpcmon.exe) on my server.

My HOSTS file was FUBAR and there were 30-or-so TCP ports listening in the 1100-1130 range, presumably for IRC. Fortunately those ports are firewalled to the Internet, but I'm still cleaning up.

I modified the IMAP "Hello Message" to remove any reference to "IMail" in a security-through-obscurity act of desperation, but of course the vulnerability still exists.

Thanks, Ipswitch!

-Dave

---------------------------
Re: [IMail Forum] IMAP service stopping...
Russ Uhte
Tue, 09 Aug 2005 07:56:20 -0700

Bonno Bloksma wrote:

Hi,

So THAT is the way these trojans are getting into my mailserver... :-(((( Sophos is getting them but I was unable to find the attack vector.

That's it. According to the source code, it's only a DoS on Windows 2000 SP2 or greater. On anything prior to that, it actually spawns a reverse shell to the attacker. At that point, you're rooted. If the attacker's smart enough, you'll never be able to clean that machine without a format re-install.

Grrrrrrr. So it seems this bug is only fixed in IMail 8.2 and was never fixed in earlier versions. Might have been nice of Ipswitch to have a BIG warning on their site to tell us about this. I had heard about a buffer overflow in IMail but was unable to verify which parts were vulnerable.

I'll be on the phone with them in a few minutes to see what action I need to take.

Luckily, I was running SP2 when I got hit, so it was only a DoS for me. I don't have a bunch of people using IMAP, so I just shut the service down completely. Obviously that's not an option for a shop that relies heavily on IMAP. I'm running 8.15, with no plans to upgrade to another version of IMail. I didn't like the way the company was going, and I sure wasn't gonna spend more money for a product I didn't believe in. Let us know what they tell you.

People.... there ARE worms loose using this vulnerability to penetrate the mailserver. Sophos reports it as Troj/ServU-Gen.

My biggest concern was what if this would have been a POP3 vuln. I would have been toast. I can't take that chance on my server.
Therefore, qmail :)

Thanks,
Russ

---
[This E-mail scanned for viruses by Declude Virus]

To Unsubscribe: http://www.ipswitch.com/support/mailing-lists.html
List Archive: http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
Knowledge Base/FAQ: http://www.ipswitch.com/support/IMail/

---
[E-mail scanned at tio.nl for viruses by Declude Virus]
