IMail account hijack

The remote host is running IMail web interface. In this version, the session is maintained via the URL. It will be disclosed in the Referer field if you receive an email with external links (e.g. images)
Upgrade to IMail 7.06 or turn off the 'ignore source address in security check' option.