This exploit appears to be unique to SendMail. I would probably allow it and let Declude categorize it. What do you guys think?

Evans Martin
http://www.martekware.com
iPlus Info Browser - The ultimate IMail administrative suite!

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-[EMAIL PROTECTED] On Behalf Of Goran Jovanovic
> Sent: Saturday, November 05, 2005 1:34 PM
> To: Declude.JunkMail@declude.com
> Subject: [Declude.JunkMail] OT: Firewall detecting a Content-Transfer-Encoding error from Yahoo
>
> Hi,
>
> I have a SonicWALL firewall in front of my mail server. It has its
> Intrusion Protection Service turned on. Now I am getting an alert from
> the firewall:
>
> 11/05/2005 01:11:19.416 - Alert - Intrusion Prevention - IPS
> Prevention Alert: SMTP Content-Transfer-Encoding overflow attempt, SID:
> 743, Priority: Medium - 209.191.68.173,
>
> Which points to:
>
> 209.191.68.173 PTR record: web34809.mail.mud.yahoo.com.
>
> And when I look up the SMTP error this is what it says
>
> The prescan() function in the address parser (parseaddr.c) in Sendmail
> before 8.12.9 does not properly handle certain conversions from char and
> int types, which can cause a length check to be disabled when Sendmail
> misinterprets an input value as a special "NOCHAR" control value,
> allowing attackers to cause a denial of service and possibly execute
> arbitrary code via a buffer overflow attack using messages, a different
> vulnerability than CAN-2002-1337.
>
> References
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0161
> http://www.cert.org/advisories/CA-2003-12.html
>
>
> Since the firewall rejects it at the perimeter it never makes it to
> IMail/Declude.
>
> Obviously some piece of mail is trying to come in and failing. Does
> anyone else have any experience about this type of a problem? I can just
> ignore it and it will finally go away but I am sort of surprised that a
> Yahoo mail server would have this vulnerability when there is a patch
> for it.
>
> Any thoughts on this?
>
> Thanks
>
> Goran Jovanovic
> Omega Network Solutions
> ---
> This E-mail came from the Declude.JunkMail mailing list. To
> unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
> type "unsubscribe Declude.JunkMail". The archives can be found
> at http://www.mail-archive.com.
> ---
> [This E-mail scanned for viruses by Declude Virus]
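
The char-to-int conversion problem described in the quoted CVE text, shown as an added C example that is not part of the original thread and is not Sendmail's code. It assumes NOCHAR is -1 and that the colliding input byte is 0xFF; scan(), widen_flawed() and widen_fixed() are hypothetical names, and the input is constructed.

```c
#include <stddef.h>
#include <stdio.h>

#define NOCHAR (-1) /* assumed value of the in-band "nothing pending" sentinel */

/* Flawed widening: through a signed char, byte 0xFF becomes -1 == NOCHAR. */
static int widen_flawed(const char *p) { return (signed char)*p; }

/* Corrected widening: through unsigned char, every byte maps to 0..255. */
static int widen_fixed(const char *p) { return (unsigned char)*p; }

/*
 * Simplified scanner, not Sendmail's prescan(): the length check is reached
 * only when the widened value is not NOCHAR. Returns how many input bytes
 * took the sentinel path and so never met the length check. Those bytes are
 * only counted; nothing is ever written past out[cap - 1].
 */
static size_t scan(const char *in, size_t len, char *out, size_t cap,
                   int (*widen)(const char *), size_t *stored)
{
    size_t unchecked = 0, q = 0;
    for (size_t i = 0; i < len; i++) {
        int c = widen(in + i);
        if (c == NOCHAR) {  /* data byte mistaken for the sentinel */
            unchecked++;
            continue;
        }
        if (q >= cap)       /* the length check */
            break;
        out[q++] = (char)c;
    }
    *stored = q;
    return unchecked;
}

int main(void)
{
    const char in[] = { 'a', (char)0xFF, 'b', (char)0xFF }; /* constructed input */
    char out[8];
    size_t stored, n;

    n = scan(in, sizeof in, out, sizeof out, widen_flawed, &stored);
    printf("flawed: %zu bytes skipped the check, %zu stored\n", n, stored);
    n = scan(in, sizeof in, out, sizeof out, widen_fixed, &stored);
    printf("fixed:  %zu bytes skipped the check, %zu stored\n", n, stored);
    return 0;
}
```

With the unsigned widening no data byte can equal the sentinel, so every byte reaches the length check.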