Darrell,

The way that I read it, the incoming mail is tripping the Intrusion Prevention mechanism. So I am thinking that the sending server is trying to do something bad or has something wrong with the message.
But now that I am writing this, perhaps the firewall is protecting my "sendmail" server from this incoming message that would cause it grief. If it is the second case then I could disable that Intrusion Prevention test since I do not have a sendmail server.

Goran Jovanovic
Omega Network Solutions

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darrell ([EMAIL PROTECTED])
Sent: Saturday, November 05, 2005 10:34 PM
To: [email protected]
Subject: Re: [Declude.JunkMail] OT: Firewall detecting a Content-Transfer-Encoding error from Yahoo

The only question I would look into is if you have ever seen a legit mail fail that test. Goran, was that mail legit? If so, I would turn the function off since you are not running sendmail.

Darrell
-------------------------------------------
Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail Queue Monitoring, Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.

----- Original Message -----
From: "Evans Martin" <[EMAIL PROTECTED]>
To: <[email protected]>
Sent: Saturday, November 05, 2005 5:09 PM
Subject: RE: [Declude.JunkMail] OT: Firewall detecting a Content-Transfer-Encoding error from Yahoo

> This exploit appears to be unique to SendMail. I would probably allow it
> and let Declude categorize it. What do you guys think?
>
> Evans Martin
> http://www.martekware.com
> iPlus Info Browser - The ultimate IMail administrative suite!
>
>> -----Original Message-----
>> From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-[EMAIL PROTECTED] On Behalf Of Goran Jovanovic
>> Sent: Saturday, November 05, 2005 1:34 PM
>> To: [email protected]
>> Subject: [Declude.JunkMail] OT: Firewall detecting a Content-Transfer-Encoding error from Yahoo
>>
>> Hi,
>>
>> I have a SonicWALL firewall in front of my mail server. It has its
>> Intrusion Protection Service turned on. Now I am getting an alert from
>> the firewall:
>>
>> 11/05/2005 01:11:19.416 - Alert - Intrusion Prevention - IPS
>> Prevention Alert: SMTP Content-Transfer-Encoding overflow attempt, SID:
>> 743, Priority: Medium - 209.191.68.173,
>>
>> Which points to:
>>
>> 209.191.68.173 PTR record: web34809.mail.mud.yahoo.com.
>>
>> And when I look up the SMTP error this is what it says
>>
>> The prescan() function in the address parser (parseaddr.c) in Sendmail
>> before 8.12.9 does not properly handle certain conversions from char and
>> int types, which can cause a length check to be disabled when Sendmail
>> misinterprets an input value as a special "NOCHAR" control value,
>> allowing attackers to cause a denial of service and possibly execute
>> arbitrary code via a buffer overflow attack using messages, a different
>> vulnerability than CAN-2002-1337.
>>
>> References
>> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0161
>> http://www.cert.org/advisories/CA-2003-12.html
>>
>> Since the firewall rejects it at the perimeter it never makes it to
>> IMail/Declude.
>>
>> Obviously some piece of mail is trying to come in and failing. Does
>> anyone else have any experience about this type of a problem? I can just
>> ignore it and it will finally go away but I am sort of surprised that a
>> Yahoo mail server would have this vulnerability when there is a patch
>> for it.
>>
>> Any thoughts on this?
>>
>> Thanks
>>
>> Goran Jovanovic
>> Omega Network Solutions
>> ---
>> This E-mail came from the Declude.JunkMail mailing list. To
>> unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
>> type "unsubscribe Declude.JunkMail". The archives can be found
>> at http://www.mail-archive.com.
>> ---
>> [This E-mail scanned for viruses by Declude Virus]
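An added example, not part of the thread: one way to check how often a signature fires and from which senders before deciding whether to disable it, by grouping IPS alert lines per SID and source address. The regular expression follows the single alert line quoted above; the other sample lines, the function names and the repeat-sender threshold are assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Layout taken from the alert quoted in the thread; text after the source IP is ignored.
ALERT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) - Alert - Intrusion Prevention - "
    r"IPS Prevention Alert: (?P<name>.+?), SID: (?P<sid>\d+), "
    r"Priority: (?P<prio>\w+) - (?P<src>\d{1,3}(?:\.\d{1,3}){3})"
)

# Constructed sample log: line 1 is the alert from the thread, lines 2-4 are made up
# (192.0.2.25 is a documentation address) to show grouping and skipping.
SAMPLE_LOG = """\
11/05/2005 01:11:19.416 - Alert - Intrusion Prevention - IPS Prevention Alert: SMTP Content-Transfer-Encoding overflow attempt, SID: 743, Priority: Medium - 209.191.68.173,
11/05/2005 01:41:20.102 - Alert - Intrusion Prevention - IPS Prevention Alert: SMTP Content-Transfer-Encoding overflow attempt, SID: 743, Priority: Medium - 209.191.68.173,
11/05/2005 02:03:07.550 - Alert - Intrusion Prevention - IPS Prevention Alert: SMTP Content-Transfer-Encoding overflow attempt, SID: 743, Priority: Medium - 192.0.2.25,
11/05/2005 02:05:11.000 - Notice - Network Access - constructed non-IPS line
"""

def summarize(log_text):
    """Group IPS alerts by (SID, source IP) with hit count and first/last time seen."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = ALERT_RE.match(line.strip())
        if not m:
            continue  # not an IPS prevention alert in the expected layout
        ts = datetime.strptime(m["ts"], "%m/%d/%Y %H:%M:%S.%f")
        hits[(int(m["sid"]), m["src"])].append((ts, m["name"]))
    report = []
    for (sid, src), events in sorted(hits.items()):
        times = sorted(t for t, _ in events)
        report.append({"sid": sid, "src": src, "name": events[0][1],
                       "count": len(times), "first": times[0], "last": times[-1]})
    return report

def repeat_senders(report, min_hits=2):
    """Sources that tripped the same signature more than once (assumed threshold)."""
    return [r["src"] for r in report if r["count"] >= min_hits]
```

Sources returned by repeat_senders() are the ones worth matching against the mail server's own logs and the sender's PTR record to judge whether legitimate mail is being dropped.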
