> > But over the course of 3 days this activity causes iMail to
> > freeze the Winsock as best as I can tell.
>
> This is worth looking at by itself.
>
> What are the signs of trouble - entries in IMail's logs, entries in NT event
> logs, unexpected service stops, and do any other things break at the same
> time?  What do you do to fix it - reboot, restart the web messaging service
> (from within IMail admin or through other service controls?) ...or something
> else entirely?  Are you tracking performance counters?
>

This is what I see:

20020307 234337 Info - 192.168.1.1   GET /scripts/root.exe?/c+dir HTTP/1.0.
20020307 234337 Request processed with no user agent and no referer.
20020307 234340 Info - 192.168.1.1   GET /MSADC/root.exe?/c+dir HTTP/1.0.
20020307 234340 Request processed with no user agent and no referer.
20020307 234346 Info - 192.168.1.1   GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0.
20020307 234346 Request processed with no user agent and no referer.
20020307 234349 Info - 192.168.1.1   GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0.
20020307 234349 Request processed with no user agent and no referer.
20020307 234352 Info - 192.168.1.1   GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0.

And the winsock stack seems to get hung.  I can't connect to the server from the
remote control client and mail delivery is delayed.  I just restart all iMail
services and that fixes it for about three days.

>
> > So if
> > iMail HTTP daemon would just ignore that type of request it
> > would help for sure.
>
> Anything except a vulnerable IIS server should already give a 404 status for
> both CodeRed and Nimda attempts, and then it should carry on.  That's about
> as close to ignoring it as you could get without special processing (and
> special processing is the opposite of ignoring).
>
> > I am looking into changes to firewall and using BlackIce on
> > server, but this won't be a simple change on my side.
>
> Any chance of taking IMail off port 80?  I suppose it's on 80 now for a good
> reason, but taking it off would save you the worm hassles now and in the
> future...

iMail HTTP server is actually on 8383 (port forwarding from 80 on firewall), but
that's an idea.  Slight hassle for end user but may be workable at least as a
short-term solution.

Regards,
Dan
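
Added example (not part of the original message, and not IMail's own code): a short Python script that rejoins mail-wrapped log lines in the format quoted above and counts root.exe/cmd.exe probe requests per source address, so probe volume can be compared against the times the services hang. The regular expressions and the sample data are assumptions built only from the lines shown in the message.

```python
import re
from collections import Counter

# Constructed sample in the log format quoted in the message (two entries are wrapped).
SAMPLE_LOG = """\
20020307 234337 Info - 192.168.1.1   GET /scripts/root.exe?/c+dir HTTP/1.0.
20020307 234337 Request processed with no user agent and no referer.
20020307 234346 Info - 192.168.1.1   GET /c/winnt/system32/cmd.exe?/c+dir
HTTP/1.0.
20020307 234352 Info - 192.168.1.1   GET
/scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0.
20020307 234401 Info - 192.168.1.7   GET /login.html HTTP/1.0.
"""

ENTRY_START = re.compile(r"^\d{8} \d{6} ")  # assumed: every entry starts "YYYYMMDD HHMMSS "
REQUEST = re.compile(
    r"^(?P<date>\d{8}) (?P<time>\d{6}) Info - (?P<ip>\S+)\s+"
    r"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/\d\.\d\.?$"
)
# File names requested by the probes quoted in the message.
PROBE = re.compile(r"/(root|cmd)\.exe\?", re.IGNORECASE)


def entries(text):
    """Yield logical log entries, rejoining continuation lines."""
    current = None
    for line in text.splitlines():
        if ENTRY_START.match(line):
            if current is not None:
                yield current
            current = line.rstrip()
        elif current is not None and line.strip():
            current += " " + line.strip()  # wrapped remainder of the previous entry
    if current is not None:
        yield current


def probe_counts(text):
    """Return a Counter of source IP -> number of root.exe/cmd.exe probes."""
    counts = Counter()
    for entry in entries(text):
        m = REQUEST.match(entry)
        if m and PROBE.search(m.group("uri")):
            counts[m.group("ip")] += 1
    return counts


if __name__ == "__main__":
    print(dict(probe_counts(SAMPLE_LOG)))
```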


An Archive of this list is available at:
http://www.mail-archive.com/imail_forum%40list.ipswitch.com/