IPS - lots of "Reject Receiver" on mail servers communication

Przemek Posts: 23  Freshman Member
edited January 14 in Security
Some users message me that not all emails are coming in and out.

I found that the logs have a lot of:
signature ID 111646 - Ipswitch IMail Server List Mailer imailsrv.exe Buffer-Overflow Vulnerability, with action Reject Receiver, on communication between my local mail server and the ISP mail server when receiving emails.

Also found some signature id 119233 Microsoft Media Services DoS -3 when sending emails.

I think it's a false alarm.
Is there any way to exclude these servers from IPS checking?






All Replies

  • Zyxel_Cooldia
    Zyxel_Cooldia Posts: 954  Zyxel Employee
    Hi @Przemek,
    You can add an IP exception in "CONFIGURATION > Security service > IP Exception" or bypass the signature ID at "CONFIGURATION > Security service > IPS > Allow list".
    Can you send me a packet capture in PM when it hits rule ID 111646 or 119233?
    We would like to check if it is a false positive.

  • NEP
    NEP Posts: 3
    Not to hijack this thread but we are having the same issue with emails from FreshDesk. How does Signature # 111646 decide what emails to block? Is it based on headers or something else?

    https://threatintelligence.zyxel.com/idp/search?q=111646

    Also, the page linked above indicates that the signature release date was 2022-08-08. This thread is from January 2022. When I finally found that the Zyxel was blocking traffic, this confused me as we have been having trouble for months. Been trying to figure out, with our spam provider and FreshDesk, what the issue could be to no avail.
  • Zyxel_Cooldia
    Zyxel_Cooldia Posts: 954  Zyxel Employee
    Hi @NEP,
    It is blocked by a signature pattern match. Can you help me capture packets on the firewall WAN interface?
    We would like to check if it is a false positive when receiving mails from FreshDesk.
  • NEP
    NEP Posts: 3
    @Zyxel_Cooldia I sent you a private message with the packet capture attached. Thanks.
