[Responding to several of Timothy's posts at once]

> I am having trouble with a spammer, my webmail keeps crashing, big trouble for me.
Note that spam issues and webmail issues are separate about 99.9% of the time (the other .1% being if you have web messaging users who send spam, but that's primarily a policy issue).

> I deactivate smtp, even rename the files and all he does is kill imail webmessaging every time.
If you deactivated SMTP and web messaging stopped, then the spammer is accessing web messaging. It's virtually impossible for the SMTPD service to stop the web messaging service if the SMTPD service is stopped.

> I myself know of about 15 exploits for imail, and have insulated myself, by locking down all but a few selected tcp, udp ports.

It sounds like you are a self-proclaimed security expert. Yes, over time there may have been close to 15 exploits for IMail (versus 100s or 1,000s for IIS). However, if you have protected yourself by blocking UDP ports, you are dealing with non-IMail issues (IMail does respond on any UDP ports). If you blocked TCP ports and it fixed the problem, you are also dealing with non-IMail issues (unless you simply blocked access to services with problems, which could also be done by turning off those services).

> imail 7.14 logs: (mind you none of those ports are live) this is today, I have the ONLY account on the box that is active,
> so why the long logfiles?

Because a spammer was trying to harvest addresses from your server; typically, they try 100,000's of addresses. That's going to take a lot of log file space.

But you also claim that there are 500,000 files in the spool directory, which would indicate that something else was going on as well.

> 02:15 03:54 SMTPD(005300F2) [61.30.68.50] ERR [MYDOMAIN].com invalid user <[EMAIL PROTECTED]

What you show actually isn't a dictionary attack -- it is a relay attempt. This log entry shows that IMail was not relaying E-mail. However, given that the spammer is desperately trying to relay E-mail, I'm guessing you were letting him for quite some time. Otherwise, why would the spammer try to relay through a server that doesn't allow relaying?

> Seems like it is relaying

I hate to tell you, but you can't be a security expert if you don't know whether or not the relaying was working.

Type:

find "rdeliver" sys0215.txt /i /c
find "RCPT TO" sys0215.txt /i /c

This will tell you how many outgoing E-mails there were (first line), and the number of attempted outgoing E-mails (second line).

> seems like a portsniffer was used

No need to try talking like a security expert here. A port sniffer is used on a target machine to find out what ports are open. In this case, the spammer just wanted port 25, so he had no need for a port sniffer.

> as you can see, he changes ips every few minutes

Most likely, this is a DDoS spam attack, where the spammer has hundreds/thousands of compromised servers. He isn't changing IPs, just coming from lots of IPs.

> even if it is a dictionary attack, I think it might take about 100 years to reach my password in mixed case

"Dictionary attack", when used in the context of a mailserver, refers to a spammer that is harvesting addresses (IE using a 'dictionary' to come up with potentially valid names). He is not looking for your password.

> This is a very clean install, just iis, imail sql on the box, as it is to be kept clean being used as a development server.

That could be why web messaging is crashing -- unless you are *VERY* familiar with SQL, it will consume all the available memory on the server.

> just remind me if this is a dictionary attack why webmail would crash if i keep changing the port...?

Because that is an unrelated issue (unless the DDoS spam attack is just using up too many resources).

-Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches both viruses and vulnerabilities in E-mail, with no annual licensing fees.



To Unsubscribe: http://www.ipswitch.com/support/mailing-lists.html
List Archive: http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
Knowledge Base/FAQ: http://www.ipswitch.com/support/IMail/
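As an added example that is not part of Scott's post: a small Python script that does what the two find commands above do (count rdeliver against RCPT TO, case-insensitively, like find /i) and also counts the distinct source IPs, which is the sign Scott describes of traffic coming from many compromised hosts rather than one changing address. The sample log lines are constructed in the shape of the SMTPD line quoted in the thread; the exact wording of IMail's RCPT TO and rdeliver entries is an assumption.

```python
import re

# Constructed sample in the shape of the SMTPD log line quoted in the thread.
# 61.30.68.50 is the address from the thread; the other IPs are documentation
# ranges. The "RCPT TO" and "rdeliver" line formats are assumptions.
SAMPLE_LOG = """\
02:15 03:54 SMTPD(005300F2) [61.30.68.50] RCPT TO: <nobody@example.org>
02:15 03:54 SMTPD(005300F2) [61.30.68.50] ERR [MYDOMAIN].com invalid user <nobody@example.org>
02:15 03:55 SMTPD(005300F3) [198.51.100.7] RCPT TO: <aaa@example.org>
02:15 03:55 SMTPD(005300F3) [198.51.100.7] ERR [MYDOMAIN].com invalid user <aaa@example.org>
02:15 03:56 SMTPD(005300F4) [203.0.113.9] RCPT TO: <alice@mydomain.com>
02:15 03:56 SMTPD(005300F4) [203.0.113.9] rdeliver alice@mydomain.com
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def summarize_smtpd_log(text):
    """Count the same indicators as `find "rdeliver" /i /c` and
    `find "RCPT TO" /i /c`, plus rejected recipients and distinct IPs."""
    stats = {"rcpt_to": 0, "rdeliver": 0, "invalid_user": 0}
    ips = set()
    for line in text.splitlines():
        low = line.lower()  # case-insensitive, like find /i
        if "rcpt to" in low:
            stats["rcpt_to"] += 1      # attempted outgoing E-mails
        if "rdeliver" in low:
            stats["rdeliver"] += 1     # E-mails actually delivered
        if "invalid user" in low:
            stats["invalid_user"] += 1  # rejected relay / harvest probes
        match = IP_RE.search(line)
        if match:
            ips.add(match.group(1))
    # Attempts that never turned into a delivery were rejected.
    stats["rejected"] = stats["rcpt_to"] - stats["rdeliver"]
    stats["distinct_ips"] = len(ips)
    return stats


def relay_verdict(stats):
    """Plain-language reading of the counts, following Scott's reasoning."""
    if stats["rcpt_to"] == 0:
        return "no delivery attempts logged"
    if stats["rdeliver"] == 0:
        return "every attempt rejected: relaying is not working"
    return "%d of %d attempts delivered; %d rejected from %d IPs" % (
        stats["rdeliver"], stats["rcpt_to"], stats["rejected"], stats["distinct_ips"])


if __name__ == "__main__":
    s = summarize_smtpd_log(SAMPLE_LOG)
    print(s)
    print(relay_verdict(s))
```

Run it against a real sysMMDD.txt by reading the file into the text argument; a large rejected count spread over many IPs matches the pattern Scott describes.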