
IPS Possible false positive for smtp proxied connections

Hello, 
I have SMTP Proxy and IPS on.

This morning I noticed about 100 emails in SMTP spool. My SMTP server's log reports a lot of winsock errors and IPS log reports about 1000 attacks like this:

2014:05:12-12:10:51 FIREWALLNAME snort[26883]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="SERVER-MAIL Metamail header length exploit attempt" group="500" srcip="DMZ_UTM_IP_ADDRESS" dstip="MAIL_SERVER_IP_ADDRESS" proto="6" srcport="34661" dstport="25" sid="22114" class="Attempted Administrator Privilege Gain" priority="1"  generator="1" msgid="0"


After deleting 96 emails, only 4 legitimate emails remained. Also in this case the emails were not sent to the internal mail server. So I disabled IPS, and the emails were successfully sent.

Ok, it may happen to run into a false positive, but what I cannot understand is: considering that this attack affects the header of a mail (and it should be analyzed by the SMTP proxy), why didn't IPS block the connection between the remote server and the SMTP proxy? In that case, the inconvenience caused by a false positive affects only a specific email and does not block all incoming email...
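The log line quoted above shows the IPS drop sitting on the hop from the UTM's own DMZ address to the internal mail server, i.e. the SMTP proxy's re-delivery of spooled mail, which is why every queued message stalled rather than one sender's session. The following added example (not code from the original post or from Sophos) triages UTM snort lines to confirm which hop a drop is on: it parses the key="value" fields, classifies each event as proxy-to-server or external-to-proxy, and lists the SIDs that are blocking spool delivery. The addresses (192.0.2.10 for the UTM DMZ side, 198.51.100.0/24 as the internal range) and the sample log lines are constructed stand-ins for the redacted placeholders in the post.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Assumed topology (not from the post): the UTM's DMZ-side address, from which
# the SMTP proxy re-delivers spooled mail, and the internal range that holds the
# mail server it delivers to. RFC 5737 documentation addresses are used.
UTM_PROXY_IP = ip_address("192.0.2.10")
INTERNAL_NETS = [ip_network("198.51.100.0/24")]
SMTP_PORT = "25"

# Constructed sample lines in the same Sophos UTM snort format as the post.
# Lines 1-2: proxy -> internal server drops (the situation in the post).
# Line 3: a remote MTA -> proxy drop. Line 4: same signature, alert-only.
SAMPLE_LOG = """\
2014:05:12-12:10:51 FIREWALLNAME snort[26883]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="SERVER-MAIL Metamail header length exploit attempt" group="500" srcip="192.0.2.10" dstip="198.51.100.25" proto="6" srcport="34661" dstport="25" sid="22114" class="Attempted Administrator Privilege Gain" priority="1"  generator="1" msgid="0"
2014:05:12-12:10:53 FIREWALLNAME snort[26883]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="SERVER-MAIL Metamail header length exploit attempt" group="500" srcip="192.0.2.10" dstip="198.51.100.25" proto="6" srcport="34702" dstport="25" sid="22114" class="Attempted Administrator Privilege Gain" priority="1"  generator="1" msgid="0"
2014:05:12-12:11:02 FIREWALLNAME snort[26883]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="SERVER-MAIL Metamail header length exploit attempt" group="500" srcip="203.0.113.7" dstip="192.0.2.10" proto="6" srcport="51200" dstport="25" sid="22114" class="Attempted Administrator Privilege Gain" priority="1"  generator="1" msgid="0"
2014:05:12-12:11:30 FIREWALLNAME snort[26883]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="alert" reason="SERVER-MAIL Metamail header length exploit attempt" group="500" srcip="203.0.113.9" dstip="192.0.2.10" proto="6" srcport="51377" dstport="25" sid="22114" class="Attempted Administrator Privilege Gain" priority="1"  generator="1" msgid="0"
"""

KV_RE = re.compile(r'([A-Za-z_]\w*)="([^"]*)"')


def parse_line(line: str) -> dict:
    """Split a UTM snort line into its key="value" fields plus the leading timestamp."""
    fields = dict(KV_RE.findall(line))
    fields["timestamp"] = line.split(" ", 1)[0]
    return fields


def classify_hop(ev: dict) -> str:
    """Name the SMTP hop an IPS event sits on.

    proxy_to_server:   the UTM's own SMTP proxy delivering to the internal server;
                       a drop here holds every queued message, not just one.
    external_to_proxy: a remote MTA talking to the proxy; a drop here costs one
                       session with one sender.
    """
    if ev.get("dstport") != SMTP_PORT:
        return "other"
    src, dst = ip_address(ev["srcip"]), ip_address(ev["dstip"])
    if src == UTM_PROXY_IP and any(dst in net for net in INTERNAL_NETS):
        return "proxy_to_server"
    if dst == UTM_PROXY_IP:
        return "external_to_proxy"
    return "other"


def triage(log_text: str) -> Counter:
    """Count IPS events by (hop, action, sid), ignoring non-IPS lines."""
    counts = Counter()
    for line in log_text.splitlines():
        if 'sub="ips"' not in line:
            continue
        ev = parse_line(line)
        counts[(classify_hop(ev), ev.get("action", ""), ev.get("sid", ""))] += 1
    return counts


def spool_blocking_sids(counts: Counter) -> list:
    """SIDs that dropped the proxy's own delivery hop: the candidates to review as
    false positives (and to exempt for that hop) before disabling IPS entirely."""
    return sorted({sid for (hop, action, sid) in counts
                   if hop == "proxy_to_server" and action == "drop"})


if __name__ == "__main__":
    summary = triage(SAMPLE_LOG)
    for (hop, action, sid), n in sorted(summary.items()):
        print(f"{hop:18} {action:6} sid={sid} count={n}")
    print("SIDs holding the SMTP spool:", spool_blocking_sids(summary))
```

Run against the real IPS log, the proxy-to-server count tells you how many re-delivery attempts the IPS killed, and a non-empty spool_blocking_sids list gives the exact signatures to exempt for the UTM-to-mail-server pair instead of switching IPS off for all traffic.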

