IPS - lots of "Reject Receiver" on mail servers communication
Some users message me that not all emails coming in and out.
I found that in logs have alot of:
signature ID 111646 - Ipswitch IMail Server List Mailer imailsrv.exe Buffer-Overflow Vulnerability with action Reject Receiver on communication between my local mail server and ISP mail server when receiving emails.
Also found some signature id 119233 Microsoft Media Services DoS -3 when sending emails.
I think its false alarm.
Is there any way to exclude these servers from IPS checking?
0
All Replies
-
Hi @Przemek,
You can add IP exception in "CONFIGURATION > Security service > IP Exception" or bypass signature ID at "CONFIGURATION > Security service > IPS > Allow list".
Can you send me packets capture in PM when it hit rule ID 111646 or 119233.
We would like to check if it is false positive.
0 -
Not to hijack this thread but we are having the same issue with emails from FreshDesk. How does Signature # 111646 decide what emails to block? Is it based on headers or something else?
https://threatintelligence.zyxel.com/idp/search?q=111646
Also, the page linked above indicates that the signature release date was 2022-08-08. This thread is from January 2022. When I finally found that the Zyxel was blocking traffic, this confused me as we have been having trouble for months. Been trying to figure out, with our spam provider and FreshDesk, what the issue could be to no avail.
0 -
Hi @NEP,
it is blocked by signature pattern match. Can you help me to capture packets on firewall wan interface ?
We would like to check if it is false positive when receive mails from FreshDesk.0 -
@Zyxel_Cooldia I sent you a private message with the packet capture attached. Thanks.0
-
For anyone else who may have this issue, the Dev team was able to mark our issue as a false positive with the packet capture we sent. It took from 8/11 until 8/30 to get a "legitimate" solution. Over two weeks, which is long, but hopefully the detection changes help everyone else in the future. With that said, if you need something a little quicker than that, submit a packet capture and then temporarily add an IP Exception as mentioned by Zyxel_Cooldia above.0
-
Thanks for verifying and update test result. the issue is fixed in 4.0.0.20220826.0.
If someone have similar issue, please update IPS to 4.0.0.20220826.0.
0
Categories
- All Categories
- 415 Beta Program
- 2.4K Nebula
- 147 Nebula Ideas
- 96 Nebula Status and Incidents
- 5.7K Security
- 262 USG FLEX H Series
- 271 Security Ideas
- 1.4K Switch
- 74 Switch Ideas
- 1.1K Wireless
- 40 Wireless Ideas
- 6.4K Consumer Product
- 249 Service & License
- 387 News and Release
- 84 Security Advisories
- 29 Education Center
- 10 [Campaign] Zyxel Network Detective
- 3.5K FAQ
- 34 Documents
- 34 Nebula Monthly Express
- 85 About Community
- 73 Security Highlight