Re: [Declude.Virus] Stranger... about imail1.exe be hijacked.

2005-12-14 Thread Matt

Brian,

Software firewalls can have some big issues and often alert you on 
things that are inaccurate or normal circumstances that don't pose any 
threat.  If you want to protect this server better, I would strongly 
suggest using hardware for your firewall.  Any router out there that can 
block access by port should be enough to give you outstanding 
protection.  With an IMail server, you don't need to open up but a 
handful of ports.  For my entire network which does both hosting and 
E-mail, I only have about 10 ports open to the entire world.  This 
greatly limits the chances of being hacked, and if you keep patched, you 
are almost perfectly safe.


I do have an SMTPWIN string in my registry for my root account, but not 
others.  I'm not sure what created those other strings for you.  ICMP 
packets are things like pings, and I have no clue what that alert you 
are seeing is about.  I'm thinking that it might be inaccurate.  I don't 
know though, but the best solution if you are concerned about security 
is to install a hardware based firewall which could be a device that 
calls itself a firewall or just a router that can block ports as 
described above.


Good luck,

Matt




Re: [Declude.Virus] Stranger... about imail1.exe be hijacked.

2005-12-13 Thread Crejob.com

Hi, Matt

Thanks for your help. I had renamed the sender.eml before; now,
following your suggestion, I've just renamed the recip.eml.

FYI, after I last removed the SMTPWIN string in the
registry, my firewall prompted me that Imail1.exe had changed and
was also trying to respond to an Indonesian IP with the ICMP protocol.
I manually blocked it; then the same IP tried another program,
cross.exe, using the same ICMP protocol, and I blocked it again.

Regards
Brian


Re: [Declude.Virus] Stranger... about imail1.exe be hijacked.

2005-12-12 Thread Matt
I am not aware of any exploits for 8.15 HF2 and your executable is the 
same as mine.  I'll have to take back my suggestion that you were 
hacked.  I can't explain the issues with orphaned accounts on your 
system, and considering what you indicated, I'm not convinced it is 
related to IMail1.exe and the pop-up windows.


Declude does use IMail1.exe to send out virus notifications if you have 
them configured.  You can verify this by copying down the addresses that 
you see in the window and then checking your logs for other such 
messages from or to the same addresses.  I suspect that you might find 
that these are all notifications from viruses.


If these are all virus bounces, I would suggest maybe reviewing and 
reconfiguring your use of notifications.  The only notification that I 
use is the BANNotify.eml file which is used when a banned extension or 
file name is found and the message turns up clean after being virus 
scanned. You may want to consider removing the recip.eml if you have 
that in your Declude directory.  That file is used to notify the 
recipients of a blocked virus, but it is pretty much useless and 
confusing for your users/customers.  If you have a sender.eml or 
otherpostmaster.eml in your Declude directory, I would definitely remove 
both of them.  Over 99% of viruses are forging viruses and by bouncing 
messages to forged senders or postmasters, you would be creating 
"backscatter" which is a very problematic relative of spam.  It is 
almost completely safe to just block the detected viruses and not let 
anyone know about them.  Even if entering the recommended 
SKIPIFVIRUSNAMEHAS Sober entry helped your current situation, it will 
definitely happen again and again unless you stay on top of this on a 
daily basis.  It's just not worth it.


At the same time, you might want to check what the current recommended 
command line should be for your virus scanner(s) since there have been 
some changes in the last year that could result in missed viruses if you 
haven't updated your command line and/or definition downloads.


Matt





Re: [Declude.Virus] Stranger... about imail1.exe be hijacked.

2005-12-12 Thread Crejob.com

Hi, Matt

Thanks for the help. FYI:
1: My version is 8.15 with the latest patch.
2: I've never enabled the IMAP service.
3: There was a firewall in place before this issue.
4: After adding SKIPIFVIRUSNAMEHAS Sober and
removing all SMTPWIN entries from the registry, the problem has not
happened again so far.
But the firewall reports that IMAIL1.exe has changed. I checked
the date of IMAIL1.exe; it's still modified 30 Dec 2004,
and the size is 200KB (204,800 bytes). Is that normal?

Regards
Brian


RE: [Declude.Virus] Stranger... about imail1.exe be hijacked.

2005-12-12 Thread Mike Wiegers
The problem still exists with IMail 8.15HF2 and the combination listed in
this thread.

Windows 2000 Server
IMail 8.15 HF2
Declude Virus Pro or Standard 1.82
F-Prot
recip.eml (that sends out the sober notifications)

The workaround has been to add "SKIPIFVIRUSNAMEHAS Sober" in the "recip.eml"
file.

 


Re: [Declude.Virus] Stranger... about imail1.exe be hijacked.

2005-12-12 Thread Matt

Brian,

I believe that IMail 8.15 and higher are protected from the exploit that 
you were hit with, and those versions are about a year and a half old 
now.  IMail is certainly targeted on occasion by exploits and spammers 
looking to hijack servers so it is best to keep your server 
appropriately patched, and firewall it so that only the bare minimum 
traffic is allowed in and out of it.


FYI, if I recall correctly, the common hack affected those with IMAP 
enabled.  If you just simply remove the hacked accounts and don't patch 
or disable the targeted services, you will likely get hacked again.


Matt




Re: [Declude.Virus] Stranger... about imail1.exe be hijacked.

2005-12-11 Thread Crejob.com

Actually, imail1.exe created several blank accounts in my system,
like t, te, tech, etc. These accounts show up in the registry and
the webmail admin page, but in IMail admin and the real users folder
there are no such accounts.

In the registry, these forged accounts all have this record:
SMTPWIN 20,20,524,350

It looks very much like the server is compromised, but as you can
see from the IMail forum message below, someone used Regmon and
captured that it is Imail1.exe that sets this value.

By the way, if anybody is still under the IMail warranty or service
agreement, please contact IPSWITCH to solve it as soon as
possible. Last year, 6 months prior to my warranty expiry, I
raised this issue with Ipswitch tech support; they took quite a
few weeks to reply with 2 emails, but the problem was not solved
at all. At that time I did not bother them too much as the
problem was not severe. These days, when the same problem
popped up again, I sent them an email with the same ticket No.,
telling them it's exactly the same issue, but they refuse to give
me any answer because my warranty has expired now.

As we can see from the IMail forum list and the Declude list, at least
6-7 servers are affected, and in the IPSWITCH tech-support database
there is no record related to SMTPWIN, so I guess they still
have no idea what is really happening to IMail.

==
http://www.mail-archive.com/imail_forum@list.ipswitch.com/msg85387.html
Ok,
I think I found the process that creates the value, it looks like imail1.exe
is the one creating the registry entry (see below output from RegMon).
5083182 271.60988441 IMail1.exe:1392 CreateKey HKLM\SOFTWARE\Ipswitch\IMail\Domains\domain.com\Users\postmaster SUCCESS Access: 0x200
5083183 271.61018287 IMail1.exe:1392 SetValue HKLM\SOFTWARE\Ipswitch\IMail\Domains\domain.com\Users\postmaster\SMTPWIN SUCCESS "20,20,524,350"
PV
===

- Original Message - From: "Mike Wiegers" <[EMAIL PROTECTED]>
To: 
Sent: Sunday, December 11, 2005 2:49 AM
Subject: RE: [Declude.Virus] Stranger... about imail1.exe be hijacked.



Brian,

Did you have the SMTPWIN entry in your registry file with part of the From
address that's used in your "recip.eml" file?

Mike

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Crejob.com
Sent: Saturday, December 10, 2005 10:17 AM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] Stranger... about imail1.exe be hijacked.

Hi, Mike

You are really helpful!
I've inserted the SKIPIFVIRUSNAMEHAS Sober 10 hours
ago, and the problem seems to have disappeared!
I'll keep monitoring it and let you know the result. Once again,
thank you!

Regards
Brian

- Original Message - From: "Mike Wiegers" <[EMAIL PROTECTED]>
To: 
Sent: Saturday, December 10, 2005 1:49 AM
Subject: RE: [Declude.Virus] Stranger... about imail1.exe be hijacked.



What I think it might be is a combination of several things and here are
some of the common things that I have with information gathered on the
different lists:

Seems to have first started with IMail 8.x
Running Declude Pro, Virus (f-prot), Hijack 1.82
Sober virus seems to trigger this event along with the recip.eml file

IMail Client (Imail1.exe) will pop up on the server with random addresses in
the To and CC fields of the client. It seems that the message that is
trying to be sent out is the contents of the recip.eml that Declude uses.

Will see the registry changes with the SMTPWIN entry under the Users. It
seems that this entry is made if you use the IMail Client on the server.
In our case the entries added are part of the email address used in the From
field of the recip.eml.

The way we stopped this from happening was adding the "SKIPIFVIRUSNAMEHAS
Sober" in the "recip.eml" file.

I'm not sure why it happens on only certain servers, but that's what we
have found. I haven't been convinced that the server was hacked. Rebuilding
the servers may have corrected the problem, but still not sure the servers are
being hacked.

Does anyone have the same common items having this problem?

Thanks,
Mike





From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Crejob.com
Sent: Friday, December 09, 2005 9:33 AM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] Stranger... about imail1.exe be hijacked.


Maybe, but you check the maillist history, quite a few servers have the
same problem in the past 1.5 years. and the problem persists, if there is
any virus or trojan,  some antivirus program should can detect it now.

I suspect this is a issue of imail webmail,  that's why it bypass the
declude.


- Original Message - 
From: John T (Lists) <mailto:[EMAIL PROTECTED]>

To: Declude.Virus@declude.com
Sent: Friday, December 09, 2005 4:15 PM
Subject: RE: [Declude.Virus] Stranger...


I do not think this is either 

Re: [Declude.Virus] Stranger... about imail1.exe be hijacked.

2005-12-11 Thread Crejob.com

Yes, I saw some SMTPWIN entries in the registry.
And here is an article talking about it.
http://www.mail-archive.com/imail_forum@list.ipswitch.com/msg102077.html


RE: [Declude.Virus] Stranger... about imail1.exe be hijacked.

2005-12-10 Thread Gary Steiner
Is this a Declude issue or an IMail issue?  I'm using Declude 3.0.5.22 with the 
latest version of SmarterMail, and I haven't seen this behavior at all.  Have 
any other SmarterMail users out there seen this behavior?  

Gary


  Original Message 
> From: marc <[EMAIL PROTECTED]>
> Sent: Saturday, December 10, 2005 8:33 AM
> To: Declude.Virus@declude.com
> Subject: RE: [Declude.Virus] Stranger... about imail1.exe be hijacked.
> 
> Mike, thanks for fixing this problem with your suggestion of adding the 
> "SKIPIFVIRUSNAMEHAS Sober" in the "recip.eml" file, this really helps!
> 
> We had the same problem exactly 1 year before, posting this problem here and 
> discussing it on the imail forum with no solution. Now after the new Sober flood two 
> weeks ago, again all symptoms like your description; also new users were 
> created like po, post, postma, postmaster, ... 
> 
> so I am sure this is a Declude issue.
> 
> Windows 2000 Server
> Imail 8.15 HF2
> Declude Virus Standard 1.82
> F-Prot
> 
> Marc
> 
> 

RE: [Declude.Virus] Stranger... about imail1.exe be hijacked.

2005-12-10 Thread Mike Wiegers
Brian,

Did you have the SMTPWIN entry in your registry file with part of the From
address that's used in your "recip.eml" file?

Mike 


RE: [Declude.Virus] Stranger... about imail1.exe be hijacked.

2005-12-10 Thread Mike Wiegers
Marc,

I have the same common items as yours so it's good to see it worked for you
too.

I would be interested to know if any Declude users that haven't had the imail1.exe
pop-ups on the server, and DO send the recip.eml messages for the Sober
virus, have the SMTPWIN entry in their registry with part of the From address.
In Marc's example you would see users (if you use postmaster as the from
address in the recip.eml) in the registry:

p
po
post
postmaster
poastmaster@

This entry in my registry has stopped appearing since I skip this virus notification.

Thanks,
Mike
Windows 2000 Server
Imail 8.15 HF2
Declude Virus Pro 1.82
F-Prot


---
[This E-mail was scanned for viruses by Declude EVA www.declude.com]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.


Re: [Declude.Virus] Stranger... about imail1.exe be hijacked.

2005-12-10 Thread Crejob.com

Hi, Mike

You are really helpful!
I inserted the SKIPIFVIRUSNAMEHAS Sober 10 hours
ago, and the problem seems to have disappeared!
I'll keep monitoring it and let you know the result. Once again,
thank you!

Regards
Brian



RE: [Declude.Virus] Stranger... about imail1.exe be hijacked.

2005-12-10 Thread marc

Mike, thanks for fixing this problem with your suggestion of adding the 
"SKIPIFVIRUSNAMEHAS Sober" in the "recip.eml" file, this really helps!

We had the same problem exactly 1 year before, posting this problem here and 
discussing it on the imail forum with no solution. Now after the new Sober flood two weeks 
ago, again all symptoms like your description; also new users were created like 
po, post, postma, postmaster, ... 

so I am sure this is a Declude issue.

Windows 2000 Server
Imail 8.15 HF2
Declude Virus Standard 1.82
F-Prot

Marc



RE: [Declude.Virus] Stranger... about imail1.exe be hijacked.

2005-12-09 Thread Mike Wiegers
What I think it might be is a combination of several things, and here are
some of the common things that I have, with information gathered on the
different lists:

Seems to have first started with IMail 8.x
Running Declude Pro, Virus (f-prot), Hijack 1.82
Sober virus seems to trigger this event along with the recip.eml file

IMail Client (Imail1.exe) will pop up on the server with random addresses in
the To and CC fields of the client. It seems that the message that is trying
to be sent out is the contents of the recip.eml that Declude uses.

Will see the registry changes with the SMTPWIN entry under the Users. It
seems that this entry is made if you use the IMail Client on the server. In
our case the entries added are part of the email address used in the From
field of the recip.eml.

The way we stopped this from happening was adding the "SKIPIFVIRUSNAMEHAS
Sober" in the "recip.eml" file.

I'm not sure why it happens on only certain servers, but that's what we have
found. I haven't been convinced that the server was hacked. Rebuilding the
servers may have corrected the problem, but still not sure the servers are
being hacked.

Does anyone having this problem have the same common items?

Thanks,
Mike





From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Crejob.com
Sent: Friday, December 09, 2005 9:33 AM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] Stranger... about imail1.exe be hijacked.


Maybe, but if you check the mailing list history, quite a few servers have had the
same problem in the past 1.5 years, and the problem persists; if there were 
any virus or trojan, some antivirus program should be able to detect it by now.
 
I suspect this is an issue of Imail webmail; that's why it bypasses 
Declude.
 

- Original Message - 
From: John T (Lists) <mailto:[EMAIL PROTECTED]>  
To: Declude.Virus@declude.com 
Sent: Friday, December 09, 2005 4:15 PM
Subject: RE: [Declude.Virus] Stranger...


I do not think this is either an Imail or Declude issue, rather a
server security issue, or rather a compromise of server security.

 

Sounds like you have some type of virus or Trojan on that server.

 

John T

eServices For You

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Crejob.com
Sent: Thursday, December 08, 2005 9:57 PM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] Stranger...

 

Has anybody found the answer to this problem?

After 1.5 years, this problem still remains.

And IPSWITCH never gave me a clear answer about it.

 

- Original Message - 

From: serge <mailto:[EMAIL PROTECTED]>  

To: Declude.Virus@declude.com 

Sent: Tuesday, June 08, 2004 7:46 AM

Subject: Re: [Declude.Virus] Stranger...

 

I know imail1 is a command line mailer,

but how do I find what is causing the imail1 window to be
opened and filled with all these addresses?

see attached gif

 

 

- Original Message - 

From: Darin Cox <mailto:[EMAIL PROTECTED]>  

To: Declude.Virus@declude.com 

Sent: Monday, June 07, 2004 10:21 PM

Subject: Re: [Declude.Virus] Stranger...

 

Does this shed any light?

 

http://support.ipswitch.com/kb/IM-19980119-DD10.htm


Darin.

 

 

- Original Message - 

From: Serge <mailto:[EMAIL PROTECTED]>  

To: Declude.Virus@declude.com 

Sent: Monday, June 07, 2004 3:55 PM

Subject: [Declude.Virus] Stranger...

 

hi all

urgent help needed

I have the imail1 client window ("create mail message")
pop up on my server with all kinds of real and strange addresses in the TO:
and CC: fields.

The window remains open on the server desktop.

Is this a virus? How can I identify the
service/virus/application causing this?

 

TIA


---
[This E-mail was scanned for viruses by Declude EVA www.declude.com]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.


Re: [Declude.Virus] Stranger... about imail1.exe be hijacked.

2005-12-09 Thread Crejob.com
Maybe, but if you check the mailing list history, quite a
few servers have had the same problem in the
past 1.5 years, and the problem persists. If there were
any virus or trojan, some antivirus program
should be able to detect it now.

I suspect this is an issue of IMail webmail;
that's why it bypasses Declude.


- Original Message - 
From: John T (Lists)
To: Declude.Virus@declude.com
Sent: Friday, December 09, 2005 4:15 PM
Subject: RE: [Declude.Virus] Stranger...

  
I do not think this is either an IMail or Declude issue, rather a server security issue, or rather
a compromise of server security.

Sounds like you have some type of virus or Trojan on that server.

John T
eServices For You

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Crejob.com
Sent: Thursday, December 08, 2005 9:57 PM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] Stranger...

Has anybody found the answer to this problem?

After 1.5 years, this problem still remains,
and IPSWITCH never gave me a clear answer about it.


- Original Message - 
From: serge
To: Declude.Virus@declude.com
Sent: Tuesday, June 08, 2004 7:46 AM
Subject: Re: [Declude.Virus] Stranger...


I know imail1 is a command-line mailer,
but how do I find what is causing the imail1 window to be open and filled with all these addresses?

See attached gif.

  
- Original Message - 
From: Darin Cox
To: Declude.Virus@declude.com
Sent: Monday, June 07, 2004 10:21 PM
Subject: Re: [Declude.Virus] Stranger...

Does this shed any light?

http://support.ipswitch.com/kb/IM-19980119-DD10.htm

Darin.

- Original Message - 
From: Serge
To: Declude.Virus@declude.com
Sent: Monday, June 07, 2004 3:55 PM
Subject: [Declude.Virus] Stranger...

Hi all,

Urgent help needed.

I have the imail1 client window ("create mail message") pop up on my server with all kinds of real and
strange addresses in the TO: and CC: fields.

The window remains open on the server desktop.

Is this a virus? How can I identify the service/virus/application causing this?

TIA