Hi there,

What I have done as well as "Sunkist" was to install IIS and redirect to
another port. This is what we did:

>From Sunkist:
>I checked the logs and Imail was getting hit with massive junk... ie.
>http:\\domain.com\scripts\Msd.exe?!@#?@!?# type things every second which
>rendered the server disabled... I set up IIS on the machine, redirected all
>traffic to http:\\mail.domain.com:81 and no problem so far.. After that I
>ran IIS lockdown and enabled the url filter to filter out all that junk..
>This isn't an official fix of course, but it does solve Imail not handling
>the requests.

Hope this helps until something is figured out.

Jeff
******************************************************************
TymeWyse Internet
P.O.Box 84 - 583 N. Main St., Canyonville, OR 97417
tel/fax: (541) 839-6027 - [EMAIL PROTECTED]
******************************************************************

----- Original Message -----
From: "Michael Thomas" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, February 05, 2002 8:10 PM
Subject: Re: [IMail Forum] Web Messaging going nuts

> Hi Guys,
>
> I have been having this problem as well. It is a SYN attack,
> which is a DOS (Denial Of Service) attack.
> It seems that the IMAIL 6.06 Web Messaging Server is susceptible to a SYN
> attack.
> I would be interested in hearing if IMAIL 7.0x is susceptible...
>
> For those that don't know what a SYN attack is, a remote node
> initiates a TCP/IP conversation by sending a SYN packet.
> Normally, the conversation continues with the server replying,
> then the remote node continues the conversation, etc.
> In a SYN attack, the remote node sends the SYN packet
> and then stops responding, which basically locks up
> Web Messaging.
>
> If I block the IP address at our router, the problem goes away.
>
> You can detect it a couple of ways, but the easiest is if you have multiple
> IP addresses on your mail server. At the command prompt, type:
>
> C:> netstat -a -n
>
> Likely you will see many, many lines, but should be able to see:
> TCP xxx.xxx.xxx.xxx:80 yyy.yyy.yyy.yyy:nnn SYN_RECEIVED
>
> xxx.xxx.xxx.xxx represents one of your IP Addresses and the :80 means port
> 80 (your web port).
>
> yyy.yyy.yyy.yyy:nnn represents the IP Address of the remote node and the
> :nnn is the port they used.
>
> The SYN_RECEIVED is the socket state.
>
> If you have multiple IP Addresses, you will likely see several of your IP
> addresses in the SYN_RECEIVED state.
>
> Type the "netstat -a -n" command two or three times.
> If you see the same sets of addresses in the SYN_RECEIVED state over and
> over, then you have been attacked.
>
> Mike
>
> ----- Original Message -----
> From: "Sunkist" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Tuesday, February 05, 2002 8:00 PM
> Subject: Re: [IMail Forum] Web Messaging going nuts
>
> We are having this same problem as well... The initial login page works,
> then doesn't. Then reload it works, then it doesn't.. I too suspect some
> code red type problem. We are running an Imail dedicated machine, no IIS.
>
> Win 2K, 1GB Ram, Dual Pentium CPU, Imail 7.05 HF2
>
> Sunkist
>
> ----- Original Message -----
> From: "Jeff Kratka" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Tuesday, February 05, 2002 3:49 PM
> Subject: [IMail Forum] Web Messaging going nuts
>
> > Hi,
> >
> > Over the past couple of days my web messaging service has been going up
> > and down. I have checked into the logs and don't see anything abnormal.
> > It looks like the Code Red type of problem but again I can't see anything
> > in the logs.
> >
> > Running AMD 600, Win2k AS, 256RAM, Imail v6.06
> >
> > Suggestions?
> >
> > Jeff

Please visit http://www.ipswitch.com/support/mailing-lists.html
to be removed from this list.

An Archive of this list is available at:
http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
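
The repeated "netstat -a -n" check described in the quoted message from Mike, as an added example that is not part of the original thread: it keeps only the remote addresses that sit in SYN_RECEIVED on the web port in every snapshot, so a client caught mid-handshake in one run is not flagged. The snapshot text, the addresses and the function names are constructed for illustration.

```python
# Constructed `netstat -a -n` snapshots (Windows layout) taken seconds apart.
# Addresses are documentation ranges, not values from the thread.
SNAPSHOTS = [
    """
  TCP    192.0.2.10:80     203.0.113.7:1042     SYN_RECEIVED
  TCP    192.0.2.11:80     203.0.113.7:1043     SYN_RECEIVED
  TCP    192.0.2.10:80     198.51.100.99:4000   SYN_RECEIVED
  TCP    192.0.2.10:80     198.51.100.23:3310   ESTABLISHED
""",
    """
  TCP    192.0.2.10:80     203.0.113.7:1077     SYN_RECEIVED
  TCP    192.0.2.11:80     203.0.113.7:1078     SYN_RECEIVED
  TCP    192.0.2.10:80     198.51.100.99:4000   ESTABLISHED
""",
    """
  TCP    192.0.2.10:80     203.0.113.7:1101     SYN_RECEIVED
  TCP    192.0.2.11:80     203.0.113.7:1102     SYN_RECEIVED
  TCP    192.0.2.10:110    198.51.100.50:2200   SYN_RECEIVED
""",
]


def half_open(snapshot, port=80):
    """Return {(local_ip, remote_ip)} for sockets on `port` in SYN_RECEIVED."""
    pairs = set()
    for line in snapshot.splitlines():
        fields = line.split()
        if len(fields) != 4 or fields[0] != "TCP" or fields[3] != "SYN_RECEIVED":
            continue
        # rsplit keeps bracketed IPv6 addresses intact and drops only the port
        local_ip, local_port = fields[1].rsplit(":", 1)
        remote_ip, _remote_port = fields[2].rsplit(":", 1)
        if local_port == str(port):
            pairs.add((local_ip, remote_ip))
    return pairs


def persistent_half_open(snapshots, port=80):
    """Map each remote IP half-open in every snapshot to the local IPs it hit."""
    per_snapshot = [half_open(s, port) for s in snapshots]
    stuck = set.intersection(*per_snapshot) if per_snapshot else set()
    result = {}
    for local_ip, remote_ip in sorted(stuck):
        result.setdefault(remote_ip, []).append(local_ip)
    return result


if __name__ == "__main__":
    for remote, locals_hit in persistent_half_open(SNAPSHOTS).items():
        print(f"{remote} stuck in SYN_RECEIVED on {', '.join(locals_hit)}")
```

The comparison is on the remote IP rather than the remote port, because the source port changes with each new SYN while the address repeats.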
