IPS - lots of "Reject Receiver" on mail servers communication

Przemek
Przemek Posts: 28  Freshman Member
edited January 2022 in Security
Some users message me that not all emails are coming in and out.

I found that the logs have a lot of:
signature ID 111646 - Ipswitch IMail Server List Mailer imailsrv.exe Buffer-Overflow Vulnerability, with action Reject Receiver, on communication between my local mail server and the ISP mail server when receiving emails.

Also found some signature ID 119233 Microsoft Media Services DoS -3 hits when sending emails.

I think it's a false alarm.
Is there any way to exclude these servers from IPS checking?

All Replies

  • Zyxel_Cooldia
    Zyxel_Cooldia Posts: 1,511  Zyxel Employee
    Hi @Przemek,
    You can add an IP exception in "CONFIGURATION > Security service > IP Exception" or bypass the signature ID at "CONFIGURATION > Security service > IPS > Allow list".
    Can you send me a packet capture in PM when it hits rule ID 111646 or 119233?
    We would like to check if it is a false positive.

  • NEP
    NEP Posts: 74  Ally Member
    Not to hijack this thread but we are having the same issue with emails from FreshDesk. How does Signature # 111646 decide what emails to block? Is it based on headers or something else?

    https://threatintelligence.zyxel.com/idp/search?q=111646

    Also, the page linked above indicates that the signature release date was 2022-08-08. This thread is from January 2022. When I finally found that the Zyxel was blocking traffic, this confused me as we have been having trouble for months. Been trying to figure out, with our spam provider and FreshDesk, what the issue could be to no avail.
  • Zyxel_Cooldia
    Zyxel_Cooldia Posts: 1,511  Zyxel Employee
    Hi @NEP,
    It is blocked by signature pattern match. Can you help me capture packets on the firewall WAN interface?
    We would like to check if it is a false positive when receiving mails from FreshDesk.
  • NEP
    NEP Posts: 74  Ally Member
    @Zyxel_Cooldia I sent you a private message with the packet capture attached. Thanks.
  • NEP
    NEP Posts: 74  Ally Member
    For anyone else who may have this issue, the Dev team was able to mark our issue as a false positive with the packet capture we sent. It took from 8/11 until 8/30 to get a "legitimate" solution. Over two weeks, which is long, but hopefully the detection changes help everyone else in the future. With that said, if you need something a little quicker than that, submit a packet capture and then temporarily add an IP Exception as mentioned by Zyxel_Cooldia above.
  • Zyxel_Cooldia
    Zyxel_Cooldia Posts: 1,511  Zyxel Employee
    Thanks for verifying and updating the test result. The issue is fixed in 4.0.0.20220826.0.
    If someone has a similar issue, please update IPS to 4.0.0.20220826.0.
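A way to triage the log volume described in this thread before sending a capture and adding a temporary exception, as an added example that is not part of the original thread or of Zyxel's own tooling: it tallies rejected IPS events that touch the mail server on SMTP ports, by signature ID and by remote peer, so that any IP Exception or allow-list entry you add while waiting for a signature fix is as narrow as possible. The log line layout, the IP addresses and the helper names are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample IPS log lines for illustration only; this field layout is
# hypothetical and does not claim to match Zyxel's real syslog format.
SAMPLE_LOG = """\
2022-01-10 09:12:01 IPS src=203.0.113.25:4321 dst=192.0.2.10:25 sid=111646 action="Reject Receiver"
2022-01-10 09:13:45 IPS src=203.0.113.25:4322 dst=192.0.2.10:25 sid=111646 action="Reject Receiver"
2022-01-10 09:15:02 IPS src=192.0.2.10:51000 dst=203.0.113.40:25 sid=119233 action="Reject Sender"
2022-01-10 09:20:11 IPS src=198.51.100.7:33000 dst=192.0.2.10:25 sid=111646 action="Reject Receiver"
2022-01-10 09:21:30 IPS src=198.51.100.99:44000 dst=192.0.2.10:443 sid=100001 action="Reject Receiver"
"""
LINE_RE = re.compile(r'src=(?P<src>[\d.]+):\d+ dst=(?P<dst>[\d.]+):(?P<dport>\d+) '
                     r'sid=(?P<sid>\d+) action="(?P<action>[^"]+)"')
MAIL_PORTS = {25, 465, 587}  # SMTP, SMTPS, submission

def parse_ips_log(text):
    """Extract src, dst, destination port, signature ID and action from each line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            ev = m.groupdict()
            ev["dport"], ev["sid"] = int(ev["dport"]), int(ev["sid"])
            events.append(ev)
    return events

def mail_peer(ev, mail_server):
    """Remote IP if this is a rejected mail-port flow involving our server, else None."""
    if ev["dport"] not in MAIL_PORTS or not ev["action"].startswith("Reject"):
        return None
    if ev["dst"] == mail_server:
        return ev["src"]
    return ev["dst"] if ev["src"] == mail_server else None

def mail_hits_by_signature(events, mail_server):
    """Rejected mail events per signature ID: which signatures are hurting mail flow."""
    return Counter(ev["sid"] for ev in events if mail_peer(ev, mail_server))

def exception_candidates(events, mail_server, min_hits=2):
    """(signature ID, peer IP) pairs tripped repeatedly; review their pcaps before exempting."""
    pairs = Counter()
    for ev in events:
        peer = mail_peer(ev, mail_server)
        if peer:
            pairs[(ev["sid"], peer)] += 1
    return {k: v for k, v in pairs.items() if v >= min_hits}
```

The candidate list is the input for a per-peer IP Exception rather than a blanket allow-list bypass of the signature; the packet capture for the support ticket should be taken on the same (signature, peer) pair.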
