>
> The only question I would look into is if you ever seen a legit mail fail
> that test.

Do not know as this is a new firewall with new Intrusion Prevention Service on it.

>
> Goran was that mail legit - if so I would turn the function off since you
> are not running sendmail.

Don't know if it was legit since it never made it past the firewall.

> Darrell
>
> -------------------------------------------
> Check out http://www.invariantsystems.com for utilities for Declude And
> Imail. IMail Queue Monitoring, Declude Overflow Queue Monitoring,
> SURBL/URI integration, MRTG Integration, and Log Parsers.
> ----- Original Message -----
> From: "Evans Martin" <[EMAIL PROTECTED]>
> To: <[email protected]>
> Sent: Saturday, November 05, 2005 5:09 PM
> Subject: RE: [Declude.JunkMail] OT: Firewall detecting a
> Content-Transfer-Encoding error from Yahoo
>
>
> > This exploit appears to be unique to SendMail. I would probably allow it
> > and let Declude categorize it. What do you guys think?
> >
> > Evans Martin
> > http://www.martekware.com
> > iPlus Info Browser - The ultimate IMail administrative suite!
> >
> >
> >> -----Original Message-----
> >> From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
> >> [EMAIL PROTECTED] On Behalf Of Goran Jovanovic
> >> Sent: Saturday, November 05, 2005 1:34 PM
> >> To: [email protected]
> >> Subject: [Declude.JunkMail] OT: Firewall detecting a Content-Transfer-
> >> Encoding error from Yahoo
> >>
> >> Hi,
> >>
> >> I have a SonicWALL firewall in front of my mail server. It has its
> >> Intrusion Protection Service turned on. Now I am getting an alert from
> >> the firewall:
> >>
> >> 11/05/2005 01:11:19.416 - Alert - Intrusion Prevention - IPS
> >> Prevention Alert: SMTP Content-Transfer-Encoding overflow attempt, SID:
> >> 743, Priority: Medium - 209.191.68.173,
> >>
> >> Which points to:
> >>
> >> 209.191.68.173 PTR record: web34809.mail.mud.yahoo.com.
> >>
> >> And when I look up the SMTP error this is what it says
> >>
> >> The prescan() function in the address parser (parseaddr.c) in Sendmail
> >> before 8.12.9 does not properly handle certain conversions from char and
> >> int types, which can cause a length check to be disabled when Sendmail
> >> misinterprets an input value as a special "NOCHAR" control value,
> >> allowing attackers to cause a denial of service and possibly execute
> >> arbitrary code via a buffer overflow attack using messages, a different
> >> vulnerability than CAN-2002-1337.
> >>
> >> References
> >> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0161
> >> http://www.cert.org/advisories/CA-2003-12.html
> >>
> >>
> >> Since the firewall rejects it at the perimeter it never makes it to
> >> IMail/Declude.
> >>
> >> Obviously some piece of mail is trying to come in and failing. Does
> >> anyone else have any experience about this type of a problem? I can just
> >> ignore it and it will finally go away but I am sort of surprised that a
> >> Yahoo mail server would have this vulnerability when there is a patch
> >> for it.
> >>
> >> Any thoughts on this?
> >>
> >> Thanks
> >>
> >> Goran Jovanovic
> >> Omega Network Solutions
> >> ---
> >> This E-mail came from the Declude.JunkMail mailing list. To
> >> unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
> >> type "unsubscribe Declude.JunkMail". The archives can be found
> >> at http://www.mail-archive.com.
> >> ---
> >> [This E-mail scanned for viruses by Declude Virus]
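
The char-to-int conversion problem named in the quoted CVE description, shown as an added example that is not part of this thread and is not Sendmail's source: a toy scanner in which a data byte that widens to the sentinel value skips the length check, next to a widening that masks the byte first. The value -1 for `NOCHAR`, the names `scan`, `widen_before`, `widen_after` and `TOO_LONG`, and the 64-byte input are assumptions of this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NOCHAR   (-1)   /* assumed sentinel value: "no character pending" */
#define TOO_LONG (-2)   /* hypothetical status: input exceeded the buffer cap */

struct scan_result { int status; size_t stored; size_t skipped; };

/* Widening as it behaves where the byte is read through a signed char:
 * 0xFF sign-extends to -1 and collides with NOCHAR. */
static int widen_before(unsigned char b) { return (signed char)b; }

/* Hardened widening: mask to 0..255 so no data byte can equal NOCHAR. */
static int widen_after(unsigned char b) { return b & 0xff; }

/* Toy tokenizer loop: values equal to NOCHAR bypass the length-checked store. */
static struct scan_result scan(const unsigned char *in, size_t n, size_t cap,
                               int (*widen)(unsigned char))
{
    struct scan_result r = {0, 0, 0};
    for (size_t i = 0; i < n; i++) {
        int c = widen(in[i]);
        if (c == NOCHAR) {          /* treated as "nothing to store" */
            r.skipped++;
            continue;
        }
        if (r.stored >= cap) {      /* the length check */
            r.status = TOO_LONG;
            return r;
        }
        r.stored++;                 /* a real parser would write c here */
    }
    return r;
}

int main(void)
{
    unsigned char in[64];           /* constructed input: 64 bytes of 0xFF */
    memset(in, 0xff, sizeof in);
    struct scan_result b = scan(in, sizeof in, 16, widen_before);
    struct scan_result a = scan(in, sizeof in, 16, widen_after);
    printf("before: status=%d stored=%zu skipped=%zu\n", b.status, b.stored, b.skipped);
    printf("after:  status=%d stored=%zu skipped=%zu\n", a.status, a.stored, a.skipped);
    return 0;
}
```

With the signed widening the 64-byte input is accepted without the length check ever firing; with the masked widening it is rejected once the 16-byte cap is reached.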
