Hi, Goran-
I had a Sonic Wall firewall also, and I had to enable a bunch of stuff they
thought was dangerous - like Front Page uploads, which is important to me
since I host a lot of Front Page sites.
This sounds like this might be another case of Sonic Wall being cautious by
default. You might have a sendmail server, so we will protect you whether it
applies to you or not. In fairness, this is what a firewall is supposed to
do, so they aren't wrong; I just spent a ton of time fixing stuff on that
box. When I moved recently, I replaced it with a Cisco Pix box and have had
no such problems.
-Dave Doherty
Skywaves, Inc.
----- Original Message -----
From: "Goran Jovanovic" <[EMAIL PROTECTED]>
To: <[email protected]>
Sent: Saturday, November 05, 2005 2:33 PM
Subject: [Declude.JunkMail] OT: Firewall detecting a
Content-Transfer-Encoding error from Yahoo
Hi,
I have a SonicWALL firewall in front of my mail server. It has its
Intrusion Protection Service turned on. Now I am getting an alert from
the firewall:
11/05/2005 01:11:19.416 - Alert - Intrusion Prevention - IPS
Prevention Alert: SMTP Content-Transfer-Encoding overflow attempt, SID:
743, Priority: Medium - 209.191.68.173,
Which points to:
209.191.68.173 PTR record: web34809.mail.mud.yahoo.com.
And when I look up the SMTP error, this is what it says:
The prescan() function in the address parser (parseaddr.c) in Sendmail
before 8.12.9 does not properly handle certain conversions from char and
int types, which can cause a length check to be disabled when Sendmail
misinterprets an input value as a special "NOCHAR" control value,
allowing attackers to cause a denial of service and possibly execute
arbitrary code via a buffer overflow attack using messages, a different
vulnerability than CAN-2002-1337.
References
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0161
http://www.cert.org/advisories/CA-2003-12.html
Since the firewall rejects it at the perimeter it never makes it to
IMail/Declude.
Obviously some piece of mail is trying to come in and failing. Does
anyone else have any experience with this type of problem? I can just
ignore it and it will finally go away but I am sort of surprised that a
Yahoo mail server would have this vulnerability when there is a patch
for it.
Any thoughts on this?
Thanks
Goran Jovanovic
Omega Network Solutions
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com.