The only question I would look into is whether you have ever seen a legit mail fail that test.

Goran, was that mail legit? If so, I would turn the function off since you are not running sendmail.

Darrell

-------------------------------------------
Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail Queue Monitoring, Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.

----- Original Message -----
From: "Evans Martin" <[EMAIL PROTECTED]>
To: <[email protected]>
Sent: Saturday, November 05, 2005 5:09 PM
Subject: RE: [Declude.JunkMail] OT: Firewall detecting a Content-Transfer-Encoding error from Yahoo


This exploit appears to be unique to Sendmail. I would probably allow it
and let Declude categorize it. What do you guys think?

Evans Martin
http://www.martekware.com
iPlus Info Browser - The ultimate IMail administrative suite!


-----Original Message-----
From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
[EMAIL PROTECTED] On Behalf Of Goran Jovanovic
Sent: Saturday, November 05, 2005 1:34 PM
To: [email protected]
Subject: [Declude.JunkMail] OT: Firewall detecting a Content-Transfer-Encoding error from Yahoo

Hi,

I have a SonicWALL firewall in front of my mail server. It has its
Intrusion Protection Service turned on. Now I am getting an alert from
the firewall:

11/05/2005 01:11:19.416 - Alert - Intrusion Prevention - IPS Prevention Alert: SMTP Content-Transfer-Encoding overflow attempt, SID: 743, Priority: Medium - 209.191.68.173,

Which points to:

209.191.68.173 PTR record: web34809.mail.mud.yahoo.com.

And when I look up the SMTP error, this is what it says:

The prescan() function in the address parser (parseaddr.c) in Sendmail
before 8.12.9 does not properly handle certain conversions from char and
int types, which can cause a length check to be disabled when Sendmail
misinterprets an input value as a special "NOCHAR" control value,
allowing attackers to cause a denial of service and possibly execute
arbitrary code via a buffer overflow attack using messages, a different
vulnerability than CAN-2002-1337.

References
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0161
http://www.cert.org/advisories/CA-2003-12.html


Since the firewall rejects it at the perimeter it never makes it to
IMail/Declude.

Obviously some piece of mail is trying to come in and failing. Does
anyone else have any experience with this type of problem? I can just
ignore it and it will finally go away, but I am sort of surprised that a
Yahoo mail server would have this vulnerability when there is a patch
for it.

Any thoughts on this?

Thanks

Goran Jovanovic
Omega Network Solutions
---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.
---
[This E-mail scanned for viruses by Declude Virus]
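The CAN-2003-0161 text quoted in Goran's message describes a char-to-int conversion that makes an input byte look like the NOCHAR control value and thereby disables a length check. The following C program is an added illustration of that bug class written for this thread; it is not sendmail's prescan() code and not code from any of the posters. It keeps sendmail's definition of NOCHAR as -1 and models the weak structure in a small scanner of my own (scan_model, run_case and probe_input are names I chose): the bounds check runs only when a pending lookahead character is stored, while the backslash of an escape sequence is stored unchecked and relies on the slack that check leaves. The 16-byte buffer, the 20-pair probe string and the SCAN_OVERFLOW instrumentation are constructed for the demonstration; the real vulnerable pattern has no such overflow detector, which is the point.

```c
/* Model of the CAN-2003-0161 bug class: a char-to-int conversion that
 * collides with a sentinel value and thereby disables a length check.
 * Constructed illustration only, not sendmail's prescan() code. */
#include <stdio.h>
#include <stddef.h>
#include <string.h>

#define NOCHAR (-1)          /* sentinel: "no lookahead character pending" (as in sendmail.h) */
#define MODEL_BUFSIZE 16     /* tiny output buffer so the effect is visible (assumption) */

/* Return codes of scan_model(). */
#define SCAN_TOO_LONG  (-1)  /* length check fired ("Address too long") */
#define SCAN_OVERFLOW  (-2)  /* model-only: a store would have run past the buffer */

/*
 * Copy an address into buf, honouring backslash escapes.  The only bounds
 * check is applied when a pending lookahead character is stored; the escape
 * backslash itself is stored unchecked and relies on the 5-byte slack that
 * check leaves.  That is safe only if every unchecked store is followed by a
 * checked one.
 *   fixed == 0: read bytes through a signed char, so 0xFF becomes -1 == NOCHAR
 *               and the checked store is skipped.
 *   fixed == 1: mask the byte to 0..255, so no input byte can equal NOCHAR.
 */
static int scan_model(const char *addr, char *buf, size_t bufsize, int fixed)
{
    const signed char *p = (const signed char *)addr;  /* signed on purpose: deterministic sign extension */
    char *q = buf;
    int c = NOCHAR;
    int bslashmode = 0;

    for (;;) {
        /* store the lookahead character; this is the only bounds check */
        if (c != NOCHAR && !bslashmode) {
            if (q >= &buf[bufsize - 5])
                return SCAN_TOO_LONG;
            *q++ = (char)c;
        }

        /* read the next input byte; the buggy path sign-extends 0xFF to -1 */
        c = fixed ? (*p++ & 0377) : *p++;
        if (c == '\0')
            break;

        if (bslashmode) {
            bslashmode = 0;
            /* Instrumentation only: the vulnerable pattern has no check here. */
            if (q >= &buf[bufsize])
                return SCAN_OVERFLOW;
            *q++ = '\\';        /* unchecked store, covered only by the slack above */
            continue;
        }
        if (c == '\\')
            bslashmode = 1;
    }
    if (q >= &buf[bufsize])     /* instrumentation for the terminating NUL */
        return SCAN_OVERFLOW;
    *q = '\0';
    return (int)(q - buf);
}

/* Constructed probe: 20 repetitions of "\<0xFF>".  Each pair makes the buggy
 * scanner store one unchecked backslash and then skip the checked store. */
static const char *probe_input(void)
{
    static char probe[2 * 20 + 1];
    for (int i = 0; i < 20; i++) {
        probe[2 * i] = '\\';
        probe[2 * i + 1] = (char)0xFF;
    }
    probe[2 * 20] = '\0';
    return probe;
}

/* Run one input through the model with a MODEL_BUFSIZE buffer; returns the result code
 * (length on success, SCAN_TOO_LONG or SCAN_OVERFLOW otherwise). */
static int run_case(const char *addr, int fixed)
{
    char buf[MODEL_BUFSIZE];
    return scan_model(addr, buf, sizeof buf, fixed);
}

int main(void)
{
    printf("benign \"a\\\\b\": buggy=%d fixed=%d\n", run_case("a\\b", 0), run_case("a\\b", 1));
    printf("probe:          buggy=%d fixed=%d\n", run_case(probe_input(), 0), run_case(probe_input(), 1));
    return 0;
}
```

On the benign input both variants return 3. On the probe, the masked variant stops with SCAN_TOO_LONG at the length check, while the signed-char variant never reaches that check and is only caught by the model's instrumentation, which in the real pattern would be a write past the buffer.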