Darin,
 
Ver 8.22 vulnerability patch has a bug. The following is a sample Q file. 
 
==============================
QC:\IMAIL\spool\D144b019300006079.SMD
Hmail.mathbox.com
I144b019300006079
WC:\IMAIL\mail.mathbox.com
E0,
[EMAIL PROTECTED]
NRCPT TO:[EMAIL PROTECTED]
Rfh@ <mailto:[EMAIL PROTECTED]> customerdomain.com
==============================

Note the "%s" instead of the sender domain. The email message looks normal.
When Declude v3.1.3 tried to process the message, Declude would hang (not
crash). Processor usage dropped to nearly zero. Could not stop/restart the
Declude process.
 
That sender sent about 10 messages to the same customer today, before I
figured out what was going on. Declude hung on each one. Then I blocked the
sender's IP address. I was able to save one original SMD file and its
matching Q file.
 
The SMD file is US ASCII plain text, no MIME sections, no attachment and is
less than 2K. An absolutely plain vanilla message.
 
The log file contains interesting information:
 
02:14 08:53 SMTPD(144b019300006079) [63.150.236.14] connect 64.21.55.1 port
58070
02:14 08:53 SMTPD(144b019300006079) [64.21.55.1] HELO nrouter.hsix.com
02:14 08:53 SMTPD(144b019300006079) Percent (%) characters replaced with
asterisks (*) in following entry
02:14 08:53 SMTPD(144b019300006079) [64.21.55.1] MAIL FROM:<[EMAIL PROTECTED]>
02:14 08:53 SMTPD(144b019300006079) [64.21.55.1] RCPT
TO:<[EMAIL PROTECTED]>
02:14 08:53 SMTPD(144b019300006079) [x] looking up customerdomain.com in
HOSTS
02:14 08:53 SMTPD(144b019300006079) [64.21.55.1]
C:\IMAIL\spool\D144b019300006079.SMD 2030
02:14 08:53 SMTPD(144b019300006079) performing antispam checks
 
So it looks like the sending SMTP's conversation contained the "%s". I do not
know why SMTP produced that Q file. It should have rejected the message. I
mean how do you deliver to a domain named "%s"? The percent character is not
valid in domain names.

Michael Thomas
Mathbox
978-683-6718
1-877-MATHBOX (Toll Free)
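An added example, not from Michael's post and not IMail or Declude code: a Python scanner over SMTPD log lines in the shape of the excerpt above that flags MAIL FROM / RCPT TO commands whose domain part is not a syntactically valid host name (the check the post says the SMTP service should have applied), and notes when IMail's "Percent (%) characters replaced" warning preceded the command. The sample lines, the second session and the local part "fh" are constructed.

```python
import re

# Constructed sample, modelled on the SMTPD log excerpt quoted in the post.
# The excerpt says IMail rewrites "%" as "*" before logging the offending
# command, so the literal "%s" sender domain appears here as "*s".
SAMPLE_LOG = """\
02:14 08:53 SMTPD(144b019300006079) [64.21.55.1] HELO nrouter.hsix.com
02:14 08:53 SMTPD(144b019300006079) Percent (%) characters replaced with asterisks (*) in following entry
02:14 08:53 SMTPD(144b019300006079) [64.21.55.1] MAIL FROM:<fh@*s>
02:14 08:53 SMTPD(144b019300006079) [64.21.55.1] RCPT TO:<someone@customerdomain.com>
02:14 08:54 SMTPD(144b019300006080) [192.0.2.10] MAIL FROM:<alice@example.net>
02:14 08:54 SMTPD(144b019300006080) [192.0.2.10] RCPT TO:<bob@example.org>
"""

LINE_RE = re.compile(r"^\S+ \S+ SMTPD\((?P<sid>[0-9a-f]+)\) (?P<rest>.*)$")
CMD_RE = re.compile(r"(?P<cmd>MAIL FROM|RCPT TO):<(?P<addr>[^>]*)>")
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")
PERCENT_WARNING = "Percent (%) characters replaced with asterisks"


def valid_hostname(domain):
    """RFC 1123 host-name syntax: dotted labels of letters, digits and hyphens,
    no leading/trailing hyphen, label <= 63 chars, whole name <= 253 chars.
    Address literals such as [192.0.2.1] are not accepted here (assumption)."""
    if not domain or len(domain) > 253:
        return False
    return all(LABEL_RE.match(label) for label in domain.split("."))


def scan_smtpd_log(text):
    """One finding per MAIL FROM / RCPT TO whose domain is not a valid host
    name, noting whether IMail's percent-substitution warning preceded it."""
    findings = []
    warned = set()  # session ids whose previous line was the warning
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        sid, rest = m.group("sid"), m.group("rest")
        if PERCENT_WARNING in rest:
            warned.add(sid)
            continue
        c = CMD_RE.search(rest)
        if c and c.group("addr"):  # MAIL FROM:<> (null sender) is legitimate
            domain = c.group("addr").rpartition("@")[2]
            if not valid_hostname(domain):
                findings.append({"session": sid, "command": c.group("cmd"),
                                 "address": c.group("addr"), "domain": domain,
                                 "percent_substituted": sid in warned})
        warned.discard(sid)  # the warning applies only to the next entry
    return findings
```

Running `scan_smtpd_log(SAMPLE_LOG)` on the constructed sample reports only the session 144b019300006079 MAIL FROM with domain "*s", with the percent warning attached.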
 
