Thank you very much for this advice and my apologies for using the wrong message subject.
I am investigating your suggestions and we are installing a new antivirus program this afternoon. I must say I was good with this sort of thing in my day but do not have the latest playbook to deal with these issues. Nevertheless I am doing my best to figure out what's going on. I suspect the problems are quite solvable to someone who is up on current email issues. I have hosted the latest log file off our Web site--hoping you or someone can have a look and offer a bit more advice. In the meantime I am following your suggestions and will continue to explore myself.

Log file: www.drivearoundtheworld.com/imail/log0206.txt

Here is my take:

1. I suspect the built-in account that Imail uses to handle list subscribes has been compromised. How this is possible I do not know.
   [EMAIL PROTECTED]
   I am seeing many messages sent to this 'user' and many attempts by this 'user' to send mail.
2. Also, we have three email lists and I see many attempts by list owners to send mail. Perhaps these accounts have been compromised. If so, how can their passwords be changed? I could disable the lists until the problem is sorted but I cannot disable the built-in Imail account.
3. Since we are running 8.15 perhaps we are running into the CBL list vs. Imail issue that I have been reading about. Apparently CBL blacklists Imail servers due to the way virtual domains issue their HELO answer.

Many many thanks,

Nick Baggarly
Drive Around the World
www.drivearoundtheworld.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Sanford Whiteman
Sent: Tuesday, February 06, 2007 2:11 AM
To: Nick Baggarly
Subject: Re: [IMail Forum] Imail vulnerability, or do we have a Virus

> Hi. I would kindly appreciate some help diagnosing a problem that's been
> going on for some time now. We have version 8.15 of Imail Server and
> having problems delivering some mail messages.
> We are seeing many
> messages in the log like these:

First off, I have to say this: if you want the fastest help, don't hijack threads with other topics!

But, anyway... there isn't much "diagnosis" that you need to do -- the logs have done the diagnosis for you.

Your IP 209.237.50.61 is on a number of significant blacklists:

http://www.dnsstuff.com/tools/ip4r.ch?ip=209.237.50.61

All of the blacklists mention that spam has been sent from that server recently and repeatedly.

Who's doing it? Scan your logs for users sending aberrant numbers of messages. Check off-hours logins that may point to hijacked accounts / find non-matching authenticated user + subsequent MAIL FROM / any MAIL FROMs from non-local domains.

--Sandy

------------------------------------
Sanford Whiteman, Chief Technologist
Broadleaf Systems, a division of
Cypress Integrated Systems, Inc.
e-mail: [EMAIL PROTECTED]

SpamAssassin plugs into Declude!
http://www.imprimia.com/products/software/freeutils/SPAMC32/download/release/

Defuse Dictionary Attacks: Turn Exchange or IMail mailboxes into IMail Aliases!
http://www.imprimia.com/products/software/freeutils/exchange2aliases/download/release/
http://www.imprimia.com/products/software/freeutils/ldap2aliases/download/release/

To Unsubscribe: http://www.ipswitch.com/support/mailing-lists.html
List Archive: http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
Knowledge Base/FAQ: http://www.ipswitch.com/support/IMail/
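The log checks listed in the reply above (aberrant send counts, off-hours logins, authenticated user not matching MAIL FROM, non-local MAIL FROM), as an added example that is not part of the original thread. The log layout, domain names, working hours and volume threshold are constructed assumptions, not IMail's real log format; unauthenticated sessions are skipped because inbound mail legitimately carries non-local senders.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

LOCAL_DOMAINS = {"example.org"}  # assumption: domains hosted on this server
WORK_HOURS = range(7, 20)        # assumption: logins 07:00-19:59 are normal
VOLUME_LIMIT = 3                 # assumption: tiny threshold for the sample

# Constructed sample in a simplified layout (NOT IMail's actual log format):
# "<date> <time> <session-id> AUTH <user>" or "... MAIL FROM:<sender>"
SAMPLE_LOG = """\
2007-02-06 03:12:40 s2 AUTH listowner@example.org
2007-02-06 03:12:41 s2 MAIL FROM:<promo@bulk.test>
2007-02-06 03:12:45 s2 MAIL FROM:<promo@bulk.test>
2007-02-06 03:12:49 s2 MAIL FROM:<deals@bulk.test>
2007-02-06 03:12:53 s2 MAIL FROM:<deals@bulk.test>
2007-02-06 09:15:02 s1 AUTH alice@example.org
2007-02-06 09:15:03 s1 MAIL FROM:<alice@example.org>
2007-02-06 10:01:00 s3 MAIL FROM:<someone@remote.test>
"""
LINE = re.compile(r"(\S+ \S+) (\S+) (?:AUTH (\S+)|MAIL FROM:<([^>]*)>)")

def analyze(log_text):
    """Return {finding_name: set_of_offenders} for the four checks."""
    auth_by_session, sent = {}, Counter()
    findings = defaultdict(set)
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        stamp, session, auth_user, mail_from = m.groups()
        if auth_user:  # remember who authenticated in this session
            auth_by_session[session] = auth_user.lower()
            hour = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S").hour
            if hour not in WORK_HOURS:
                findings["off_hours_login"].add(auth_user.lower())
            continue
        sender, user = mail_from.lower(), auth_by_session.get(session)
        if user is None:  # unauthenticated: ordinary inbound delivery
            continue
        sent[user] += 1
        if sender != user:  # authenticated as X, sending as Y
            findings["auth_mismatch"].add((user, sender))
        if sender.rpartition("@")[2] not in LOCAL_DOMAINS:
            findings["nonlocal_mail_from"].add(sender)
    findings["high_volume"] = {u for u, n in sent.items() if n > VOLUME_LIMIT}
    return {name: hits for name, hits in findings.items() if hits}

if __name__ == "__main__":
    for name, hits in analyze(SAMPLE_LOG).items():
        print(name, sorted(hits))
```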
