It's all sorted [:D]

Turns out that it was just the password stuff in Mercury that had become corrupted - new password setting - job done.

Can't believe I have spent 5 days driving myself (and everyone else) mad over this.

Thanks again and hopefully back to another happy and trouble free five years of Mercury & Pegasus.
Oh! and once you sort out the licensing stuff - 5 mailboxes here please

Lynn
 

I have used Mercury and Pegasus for years now and suddenly my emails are not getting through.

I can send but can no longer receive.

I am running Windows server 2000 and nothing has been altered  in months.

I cannot get in touch with the person who usually administers my network / mercury / pegasus etc.

Hope someone there can help diagnose what has gone wrong.

Lynn

PS Sorry if I may have posted in the wrong place, please re-direct me to the correct place please 

Need more information,

With the limited info provided one possibillity is your ISP is NOW blocking port 25, easiest way to find out is contact them and ask

I'm sorry Lynn, but we would need a bit more detail on how your system is setup before we could give you an idea of how to fix the problem.  Your quickest way would be to get hold of your network administrator who setup the system as they know what modules, etc that your system is using.  One thing that you could try is to restart the Mercury/32 program if you have access to the server computer that it is running on.

Thank you for trying to help with next to no information.

Unfortunately I cannot get hold of the person who set everything up.

I have tried rebooting Mercury (and also the server) many times as that what usually sorts out  any previous problems but not this time.

I have had to have my emails sent to a yahoo mail box for now but this is far from ideal. 

Can you let me know what info you need to help me try and get my mail coming back into Mercury/Pegasus? 

Thank you.

Lynn 

[quote user="LynnL"] I can send but can no longer receive.[/quote]

 Ok, lets start from the beginning:
What modules of Mercury are you running?

Hi Peter
Hope this is what you mean:
These are what are showing as active when I click on 'window' in Mercury:

Mercury Core Process
Mercury SMPT server
Mercury POP3 server
Mercury SMTP client (end to end process)
MercuryX scheduling module
Mercury IMAP4 server

I tried using the command prompt to:

I did phone my ISP (plusnet) who said they were not blocking ports and they had not done any maintainance etc around the time the problem happened).

I tried using the command prompt to:
telnet domain.com 25
telnet domain 110

Nothing seemed to be blocked and I could see the server was ready and waiting on both ports

I have Mercury running on Windows 2000 server
Pegasus is also running on the server as well as on 6 workstations all running XP

The problem started around 5pm on Tuesday the 15th of May and I have been looking at the server logs to try and fathom out what went wrong around that time.

The virus checker on the server was McAfee (more about this later) and the server logs show that McAfee (Network Associates) tried to install something new around that time
 

 I have been trying to fathom out what some of the messages on the server logs mean:
Looking at the DNS server log:

AT 16:24 it shows:
The DNS server encountered a bad packet from 192.43.172.30.  Packet processing leads beyond packet length.

On the Application log:

At 5pm exactly:
WebShield SMTP Service - AutoUpdate about to install new version  

At 5:01pm
WebShield SMTP Service - Shutdown request for Network Associates Inc. WebShield SMTP MailScan Service  

WebShield SMTP Service - Startup request for Network Associates Inc. WebShield SMTP MailScan Service  

WebShield SMTP Service - Parent Scan engine failed to initialize 

WebShield SMTP Service - Shutdown request for Network Associates Inc. WebShield SMTP MailScan Service

At 5:02pm
The description for Event ID ( 5000 ) in Source ( McLogEvent ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. The following information is part of the event: 256731, None, None, None, VirusScan Enterprise, 5.1.00, 5031.

On the 16th of May around 4pm, thinking that McAfee was responsible and was blocking something, I uninstalled it, rebooted the server, rebooted Mercury but emails still did not arrive.
Not wanting to be without any virus check I then installed Nod32

On the 17th of May I requested the host of my domain name to redirect my emails to a yahoo mailbox.
This proved impossible to handle so they have set them up as POP3 but as we have so many email address and so many mail boxes in Pegasus this is also impossible to handle.

Last night Nod32 started to show virus attempt logs and I was amazed to find that even though McAfee had been uninstalled, some part of it was still trying to do updates etc:

Time    Module    Object    Name    Threat    Action    User    Information
18/05/2007 09:09:52    AMON    file    C:\Program Files\Network Associates\TVD\WebShield SMTP\AutoUpdate\scan.dat    probably unknown SCRIPT virus    quarantined - deleted        Event occurred on a file modified by the application: C:\Program Files\Network Associates\TVD\WebShield SMTP\frontend.exe. The file was moved to quarantine. You may close this window.
(lots more of these but exactly the same just different times).

 I then looked in the TVD\WebShield folder and everything seems to be around the year 2004 except for in the 'deferred' folder where it shows the following:

files which just contain copies of email addresses, the last one being in november 2004 and then starting on the 12th of May 2007 it starts to show files which contain copies of what appear to spam emails, there are hundreds of these.
The last file showing a spam email appears at 16:41 and that email is a failed spam multi-part email, using notepad to view it the very last line is:

/dKjq9AwPdM0XdNMkLuSO9I2LQouvdM+/dO4GAQAOw==
------=_NextPart_000_000B_01C79718.4290E5B0--

After that the 'deferred' folder contains hundreds of .log and .rcp files of which I have shown the first and last ones to appear:

File date: 15th May 2007 16:45
Log file contains:
[DeferFailureLog]
LastReason=Mail Server is down or unreachable. error: 10060
LastReasonCode=1001
Sat May 12 20:36:26 2007=Mail Server is down or unreachable. error: 10060
(above is repeated until: the last few lines show:
Tue May 15 14:29:43 2007=Mail Server is down or unreachable. error: 10061
Tue May 15 16:45:56 2007=Mail Server is down or unreachable. error: 10060

 There are again hundreds of logs all on the 15th of may with the last one being:

[DeferFailureLog]
LastReason=Requested action aborted: Network socket error (10020). [SMTP Error Code 442]
LastReasonCode=442
Tue May 15 07:53:23 2007=Requested action aborted: Network socket error (10020). [SMTP Error Code 442]
(above message repeated but the last few lines are):
Tue May 15 15:53:53 2007=Mail Server is down or unreachable. error: 10060
Tue May 15 17:01:02 2007=Requested action aborted: Network socket error (10020). [SMTP Error Code 442]

I am sorry to have posted so much but I simply do not know what is applicable and what is irrelevent.
If you can make any sense out of any of this I would really appreciate it.

Lynn

You most likely need to localize the WebShield SMTP residues and manually uninstall all parts and hooks.

If you take a quick glance at the registry looking at:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries

double click each item, PackedCatalogItem, and you'll see what hooks are laid upon your tcp-services.

In a completely clean XP/2003 install you should have values similar to: %SystemRoot%\system32\mswsock.dll
and %SystemRoot%\system32\rpvpsp.dll

and nothing else. Now DO NOT REMOVE anything just yet, just let me know if something else is in there.

Thank you for being so clear about that Peter.

There are 19 different PackedCatalogItem

Clicking on each of them brings up a small box which has 'Edit Binary Item' on the top and is full of  hundreds of lines of numbers, letters and zero's but nothing like you describe and they all seem to have over 200 lines of data in each (think this is hexadecimal).

 I have tried to copy these but copy and paste will not work.

Any suggestions?
Lynn

Sorry forgot to mention: You couble click the binary to see the encoded text inside.

 Hi again Peter
I think I must be misunderstanding because I have tried double clicking everything but nothing seems to work.

Just to be sure I am doing this right:

I navigate to:
 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries

Inside are 19  folders the first folder being \000000000001
 Double clicking on the first one opens up in the right hand window:

Default    REG_SZ     (value not set) - clicking on default opens a box which is empty with a space to enter data value
PackedCatalogItem    REG_BINARY   43 3a 5c 77 69 6e 6e 7465 6d 33 32........

Double clicking on  PackedCatalogItem opens up a box with the headings:
Edit Binary Code
Value Name
PackedCatalogItem
Value Data

Inside the box are all the numbers, letters and zeros as described previously.

Double clicking just highlights some of the data inside the box.

Could this be because my OS is 2000 and not xp/2003?

Lynn 

Like this?

Yes Peter like that but all 19 of those have around 200 to 300 lines and they are all full of data, not just zeros, some contain what look to be country codes and others seem to have bits of email addresses in them.

Not a simple one this then?
Lynn
 

On a clean system there shouldn't be any values except the ones I listed. For a W2K system try this:

http://www.jsifaq.com/SF/Tips/Tip.aspx?id=5066

For more background look at: http://community.pmail.com/blogs/pis/archive/2007/04/02/malware-from-hell.aspx

and: http://esupport.trendmicro.com/support/viewxml.do?ContentID=en-122496

Oh! Poo!
I've just had a quick read on all three of the links you sent.
So you think it was malware of some kind that caused the problem?
If so, think I'd better start with that, I've still got an internet connection on the server but do not have a second PC runner Windows Server 2000 [:(].

A tip of where to start would be great and thanks again for all your help.
I know I've got a lot of work ahead of me but would never have had a chance of sorting it without your help and this board.

Lynn
 

[quote user="LynnL"] So you think it was malware of some kind that caused the problem?[/quote]

No, most likely it is the WebShield residues, but it probably behaves like malware (ie intercepts the traffic)

A tcp/ip stream to the pc follows these hooks in chronological order. So if the counter says there should be 14, but you only have 13 - the winsock layer 3 never turns the data stream over to layer 4 for processing, and nothing will work. You can make a backup of your registry path/key for the entire winsock section. Verify the backup, and then start deleting items you believe has nothing to do with your services. For all I know, you can strip down all items except the items stating wsock.dll, or some other dll that has the Microsoft brand on it (most likely you can trust these). Remember to keep the chronological order - if you delete item 13, you must move all items after 14 down one notch. Most effective way to do this is probably to make the backup, edit a copy of this in notepad or wordpad, delete the key/pairs and then import the edited registry key/pairs as a batch.

If you want to take the more careful approach, delete any key/pairs that you can't locate a dll for or that the dll info states webshield company something.

Think I am now out of my depth Peter.
I can run  deep virus scan and  the  run the rootkey thingy but  the rest  of what you put has me totally stumped.
Hate to give up but I may just have to turn this over to someone who knows what they are doing but, just in case I'm wrong I've put below what I don't understand in the hope you can give me a glimmer of what it all means.
Thanks again though.

Lynn 

[quote user="Peter Strömblad"]

[quote user="LynnL"] So you think it was malware of some kind that caused the problem?[/quote]

No, most likely it is the WebShield residues, but it probably behaves like malware (ie intercepts the traffic)

I only deleted the McAfee virus checker two days after the problem started 

A tcp/ip stream to the pc follows these hooks in chronological order.

I have no idea what a tcp/ip stream is

So if the counter

would love to know where/what the counter is
says there should be 14, but you only have 13

14 or 13 what? 

- the winsock layer 3 never turns the data stream over to layer 4 for processing, and nothing will work.

As you may have guessed.... this post has gone completely over my head 

You can make a backup of your registry path/key for the entire winsock section. Verify the backup, and then start deleting items you believe has nothing to do with your services.

Items? do you mean the ones ending with 00000001 000000002 etc? 

For all I know, you can strip down all items except the items stating wsock.dll, or some other dll that has the Microsoft brand on it (most likely you can trust these). Remember to keep the chronological order - if you delete item 13, you must move all items after 14 down one notch

Okay! I understand the re-numbering bit 

. Most effective way to do this is probably to make the backup, edit a copy of this in notepad or wordpad, delete the key/pairs and then import the edited registry key/pairs as a batch.

Key/pairs? er! duh! <scratches head>

If you want to take the more careful approach, delete any key/pairs that you can't locate a dll for or that the dll info states webshield company something.

I would if I knew what a key/pair was 

the 14 or 13 counter, ....  - I was referring to the value within:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Num_Catalog_Entries

This Value should match the count of items inside:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries

The items starts with:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001

and ends with (in my case):
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000039

meaning I have 39 items, so the Reg_DWORD value Num_Catalog_Entries reads: 0x00000027 with is hexadecimal code, for the decimal value 39.

Yes you deleted the antivirus program two days after, but your log (if I don't remember wrong) failed in an update causing your troubles. Then there are most likely residues intercepting your traffic, since you can connect via telnet to port 25. So something is catching the traffic as it flows, (this is the tcp/ip stream), and prevents Mercury from reading getting all the data.

Yes you are correct, there was a failed update.

Thank you again for all your help, if ever I get this working again I will let you know.

Lynn 

Come on, fight the beast!