I think we're compromised - anyone else experience this?
Problem reported by Aaron Gibbs - 2/5/2026 at 5:47 PM
We're running build 9518 and have been since a day or two after it was released.

Today I got a Windows Defender alert. It was for an exploit named Exploit:O97M/CVE-2017-11882.SA!MSR, which appears to be for old Office versions. The exploit was found in /SmarterMail/Service/MailService.exe.

I RDP'd into the server and found a dozen instances of Notepad standing open on the desktop. All of them have random filenames like rpcgqf_0.txt with the one word "test" in the filename. They're all in the /Start Menu/Programs/Startup folder.

Ran a quick search on the machine and found dozens of similarly named .aspx files located in various system folders (/Windows, /Windows/System32, /Inetpub, etc.). The earliest dates are from back on Jan 9, so a couple of weeks before the patch was released.

Am I cooked? Anyone else seen this? How did you handle it? I'm about to just burn this server down and set up a fresh SmarterMail instance on a new box.
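Before the box is rebuilt, the indicators in the post above are worth preserving and timelining, because the earliest file sets the lower bound of the compromise window. The script below is an added example, not something posted in the thread: it hashes every Startup-folder entry on the host, hunts for server-side script files in system and data paths created since a cutoff date, and, going a step beyond the post, also collects Run keys and recently registered scheduled tasks, since Startup-folder entries are rarely the only persistence. The cutoff date, evidence folder and the filename regex (generalised from `rpcgqf_0.txt`) are assumptions; adjust them to what you actually see.

```powershell
# Added triage script (not from the thread). Run in an elevated PowerShell on
# the affected host. It only reads files; nothing is deleted or modified.
$Cutoff  = Get-Date '2026-01-01'           # assumed: earlier than the first suspicious file
$Pattern = '^[a-z]{6}_\d+\.(txt|aspx)$'    # assumed: generalised from "rpcgqf_0.txt"
$OutDir  = "$env:SystemDrive\ir-triage"    # assumed evidence folder; copy it off the box afterwards
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

function Get-FileRecord {
    # Hash and timestamp a file without touching it (read-only access).
    param([System.IO.FileInfo]$File, [string]$Reason)
    [pscustomobject]@{
        Created     = $File.CreationTime
        Modified    = $File.LastWriteTime
        Path        = $File.FullName
        Size        = $File.Length
        Owner       = (Get-Acl -LiteralPath $File.FullName).Owner
        SHA256      = (Get-FileHash -LiteralPath $File.FullName -Algorithm SHA256).Hash
        NameMatches = [bool]($File.Name -match $Pattern)
        Reason      = $Reason
    }
}

# 1. Every Startup folder: the all-users one plus each profile's own.
$StartupDirs = @("$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup") +
    @(Get-ChildItem -Path "$env:SystemDrive\Users" -Directory -ErrorAction SilentlyContinue |
        ForEach-Object { Join-Path $_.FullName 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' })
$startup = foreach ($dir in $StartupDirs) {
    Get-ChildItem -LiteralPath $dir -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object { Get-FileRecord -File $_ -Reason 'Startup folder entry' }
}

# 2. Server-side script files in places where no web content belongs. inetpub
#    is included on purpose: a recently created .aspx there is just as telling.
$Roots = @("$env:SystemRoot", "$env:SystemDrive\inetpub", "$env:ProgramData",
           "$env:ProgramFiles", "${env:ProgramFiles(x86)}", "$env:SystemDrive\Users") | Where-Object { $_ }
$scripts = Get-ChildItem -Path $Roots -Recurse -Force -File -Include *.aspx, *.ashx, *.asmx, *.asp -ErrorAction SilentlyContinue |
    Where-Object { $_.CreationTime -ge $Cutoff -or $_.LastWriteTime -ge $Cutoff } |
    ForEach-Object { Get-FileRecord -File $_ -Reason 'Web script outside a web root' }

# 3. Other autostart locations: Run keys and scheduled tasks created since the cutoff.
$RunKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
$run = foreach ($key in $RunKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($props) {
        $props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } |
            ForEach-Object { [pscustomobject]@{ Key = $key; Name = $_.Name; Command = $_.Value } }
    }
}
$tasks = Get-ScheduledTask -ErrorAction SilentlyContinue |
    Where-Object { $_.Date -and ([datetime]$_.Date) -ge $Cutoff } |
    ForEach-Object {
        [pscustomobject]@{
            Created = [datetime]$_.Date
            Path    = $_.TaskPath + $_.TaskName
            Action  = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
        }
    }

# 4. Preserve everything, then review sorted by creation time: the earliest entry
#    decides how far back log review and credential rotation must reach.
$startup | Export-Csv -NoTypeInformation -Path (Join-Path $OutDir 'startup.csv')
$scripts | Export-Csv -NoTypeInformation -Path (Join-Path $OutDir 'webscripts.csv')
$run     | Export-Csv -NoTypeInformation -Path (Join-Path $OutDir 'runkeys.csv')
$tasks   | Export-Csv -NoTypeInformation -Path (Join-Path $OutDir 'tasks.csv')
@($startup) + @($scripts) | Sort-Object Created |
    Format-Table Created, NameMatches, Path, SHA256 -AutoSize
```

The hashes are what you want to keep: they let you check whether the same files landed on other hosts, and they let you ask Defender or a sandbox about the samples without moving the binaries around. Copy the evidence folder off the box before you wipe it.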
J. LaDow Replied
I would. The machine's been fully compromised for close to 4 weeks. If it's opening things on startup, then there's no telling what else it's done at startup that erased itself.

Make sure to rotate passwords as well, as they've most likely been seen or downloaded.
MailEnable survivor / convert --
MattyT Replied
I feel like I dodged a bullet in that during late December/early January I was preparing to deploy a new server anyway. So, right around the time of these CVE issues I was ready to pull the trigger and migrate, which I did. 

Aside from the mail flow disruption of moving to a new server, in your case it might be the better solution seeing how you're already dealing with mail disruption or even worse. If you haven't done it, definitely change the admin account to a different username. It's too late for the compromised server, though, for a different admin username to help now. With the potential for rootkits and who-knows-what that might be hiding in there, new server is most likely the best solution. Trying to stamp out whatever might be hiding is the far riskier approach.

On your new server, you definitely should look into a good IDS/IPS platform installed on the endpoint server. Attempting to do IDS/IPS at the firewall in front of the server, although not a bad idea, doesn't intercept encrypted data as firewall IDS can't inspect encrypted packets, where much of the bad actor traffic is hiding until it gets to the endpoint.
rick Replied
Yes, you are breached.
I think what a lot of people misunderstand is that the attacks on SmarterMail are not all viruses, so an antivirus program isn't likely to catch it. If something got in and was executed to give remote access or control, there's nothing wrong with that in antivirus eyes.
We highly recommend Threatlocker. Nothing runs unless you approve it.
In the case of the early SmarterMail breach, I think mailservice.exe was executing for the hacker, and unless you have Ringfencing enabled on mailservice.exe (since mailservice.exe was trusted), the hacker might have been able to do some limited things. But if you Ringfence mailservice.exe (don't allow it to run rundll32, cmd, powershell, cscript, etc.), the hacker's ability to function would be severely limited.
Best thing about Threatlocker is the logging. You can take a few days worth of logs and upload to ChatGPT and ask it to figure out what happened, and how... etc.
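The ringfencing idea in the reply above has a detection-side twin that needs no third-party product: any shell, script host or download tool whose parent is the mail service is an alert, because a mail daemon has no business starting them. The block below is an added example, not Threatlocker code and not from the thread. It assumes Sysmon is installed with process-creation logging (event ID 1); the interpreter list is an assumption to tune against a baseline of what the service legitimately spawns, and the sample events are constructed so the filter can be tried offline.

```powershell
# Added detection example (not from the thread, not Threatlocker code).
$ServiceImage = 'MailService.exe'          # image name from the original post
$Interpreters = 'cmd.exe', 'powershell.exe', 'pwsh.exe', 'rundll32.exe', 'cscript.exe', 'wscript.exe',
                'mshta.exe', 'regsvr32.exe', 'certutil.exe', 'bitsadmin.exe', 'curl.exe', 'msiexec.exe'  # assumed list

function Test-RingfenceViolation {
    # True when a child of the mail service is on the interpreter list.
    param([string]$ParentImage, [string]$Image)
    $parent = [System.IO.Path]::GetFileName($ParentImage)
    $child  = [System.IO.Path]::GetFileName($Image)
    ($parent -ieq $ServiceImage) -and ($Interpreters -contains $child)
}

function Get-SysmonProcessCreations {
    # Live query: flatten Sysmon event ID 1 into objects with the fields we need.
    param([datetime]$Since = (Get-Date).AddDays(-7))
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1; StartTime = $Since } -ErrorAction Stop |
        ForEach-Object {
            $data = @{}
            ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
            [pscustomobject]@{
                Time        = $_.TimeCreated
                User        = $data['User']
                ParentImage = $data['ParentImage']
                Image       = $data['Image']
                CommandLine = $data['CommandLine']
            }
        }
}

function Find-RingfenceViolations {
    # Pipeline filter over the objects above (live or sample).
    param([Parameter(ValueFromPipeline)]$Event)
    process { if (Test-RingfenceViolation $Event.ParentImage $Event.Image) { $Event } }
}

# Constructed sample events (not real log data) so the filter can be tried offline.
$sample = @(
    [pscustomobject]@{ Time = '2026-01-09 03:12:44'; User = 'NT AUTHORITY\SYSTEM'
                       ParentImage = 'C:\SmarterMail\Service\MailService.exe'; Image = 'C:\Windows\System32\cmd.exe'
                       CommandLine = 'cmd.exe /c whoami' }
    [pscustomobject]@{ Time = '2026-01-09 03:12:45'; User = 'NT AUTHORITY\SYSTEM'
                       ParentImage = 'C:\SmarterMail\Service\MailService.exe'; Image = 'C:\Windows\System32\conhost.exe'
                       CommandLine = '\??\C:\Windows\system32\conhost.exe 0x4' }
    [pscustomobject]@{ Time = '2026-01-09 09:00:01'; User = 'SERVER\admin'
                       ParentImage = 'C:\Windows\explorer.exe'; Image = 'C:\Windows\System32\cmd.exe'
                       CommandLine = 'cmd.exe' }
)
# Only the first sample is reported: cmd.exe under MailService.exe.
$sample | Find-RingfenceViolations | Format-Table Time, User, Image, CommandLine -AutoSize

# Against real data: Get-SysmonProcessCreations | Find-RingfenceViolations
```

Without Sysmon, Security event 4688 carries the same parent in its "Creator Process Name" field once process creation auditing is enabled, and the same filter applies. Note the User column in the hits: while the service runs as SYSTEM, everything it spawns runs as SYSTEM too, which is why a single interpreter launch from that parent is worth an alert rather than a triage queue entry.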
echoDreamz Replied
It is also time for SmarterTools to update the installer as well as documentation on getting SmarterMail to not run as the SYSTEM user and the proper permissions that need to exist on data directories etc.
Jay Dubb Replied
+1 on running NOT as System. In 2026 it's hard to imagine software still running (by default) with system-level privileges for anything that is not kernel or related.
 
Aaron Gibbs Replied
It is also time for SmarterTools to update the installer as well as documentation on getting SmarterMail to not run as the SYSTEM user and the proper permissions that need to exist on data directories etc.
This most definitely!
Carl Morris Replied
It is also time for SmarterTools to update the installer as well as documentation on getting SmarterMail to not run as the SYSTEM user and the proper permissions that need to exist on data directories etc.
And stop storing service written files in the `Program Files` folders.

I set up a limited user account (that is not part of Users group), and relocated the Service's settings and the app_data folders to the `X:\Smarter Mail` folder instead.

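The setup Carl describes, as an added example that is neither his script nor SmarterTools' installer or documentation: a dedicated local account that is kept out of the Users group, a data directory outside Program Files that the account can write, an install directory it can only read and execute, and the service switched over to that account. The service name, install path and account name are assumptions (confirm the name with Get-Service); the data path is the one from the post. Relocating SmarterMail's settings and app_data to that path is done through SmarterMail's own configuration and is not shown here.

```powershell
# Added hardening example (not from the thread). Run in an elevated PowerShell.
$Account     = 'svc_smartermail'     # assumed account name
$ServiceName = 'MailService'         # assumed; confirm with Get-Service before running
$InstallDir  = 'C:\SmarterMail'      # assumed; matches the path shape in the original post
$DataDir     = 'X:\Smarter Mail'     # data location from Carl's post

$password = Read-Host -AsSecureString -Prompt "Password for $Account"

# 1. Local account with a non-expiring password and no Users-group membership,
#    so it inherits none of the broad read rights Users gets by default.
if (-not (Get-LocalUser -Name $Account -ErrorAction SilentlyContinue)) {
    New-LocalUser -Name $Account -Password $password -PasswordNeverExpires -UserMayNotChangePassword `
        -Description 'SmarterMail service account' | Out-Null
}
if (Get-LocalGroupMember -Group 'Users' -Member $Account -ErrorAction SilentlyContinue) {
    Remove-LocalGroupMember -Group 'Users' -Member $Account
}

# 2. Data directory: drop inherited ACEs and set an explicit list. SYSTEM and
#    Administrators keep full control for backups and admin work; the service
#    account gets Modify, not Full Control, so it cannot rewrite its own ACL.
New-Item -ItemType Directory -Path $DataDir -Force | Out-Null
icacls $DataDir /inheritance:r /grant:r "SYSTEM:(OI)(CI)F" "Administrators:(OI)(CI)F" "${Account}:(OI)(CI)M" | Out-Null
if ($LASTEXITCODE -ne 0) { throw "icacls failed on $DataDir" }

# 3. Install directory: read and execute only. The service can run its own
#    binaries but cannot drop or overwrite files next to them.
icacls $InstallDir /inheritance:r /grant:r "SYSTEM:(OI)(CI)F" "Administrators:(OI)(CI)F" "${Account}:(OI)(CI)RX" | Out-Null
if ($LASTEXITCODE -ne 0) { throw "icacls failed on $InstallDir" }

# 4. Point the service at the new account. Unlike services.msc, Win32_Service.Change
#    does not grant the "Log on as a service" right; assign it to $Account under
#    Local Security Policy > User Rights Assignment (or by GPO) first, or the
#    service will fail to start with a logon failure.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service $ServiceName not found; check Get-Service" }
$plain = [System.Net.NetworkCredential]::new('', $password).Password
Stop-Service -Name $ServiceName -Force
$result = Invoke-CimMethod -InputObject $svc -MethodName Change -Arguments @{ StartName = ".\$Account"; StartPassword = $plain }
if ($result.ReturnValue -ne 0) { throw "Change failed with return code $($result.ReturnValue)" }
Start-Service -Name $ServiceName
Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'" | Select-Object Name, StartName, State
```

Two caveats before relying on this. If IIS fronts the web interface, the application pool identity needs its own read entries on the install directory and write access to whatever it logs to, since `/inheritance:r` removes everything that was inherited. And the payoff is only real if the data directory is the only place the account can write: an attacker who gets code execution as `svc_smartermail` can still read and modify mail data, but can no longer plant files under Windows, System32 or inetpub the way the original post describes.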