Email blocking

[mseedii]

I've read several posts about Thunderbird and Outlook not working intermittently. I have a client where Thunderbird would work sometimes and then stop working. Recently this happened again and this time when I investigated I found that this module was the culprit. the log entry reason given is

#2250: POP3 USER format string attempt

if anyone can explain this and more importantly how to get around this I'd appreciate it. I don't like having this module turned off, which it is right now

[AngelKnight]

If you look at the rules in Intrusion Protection (on page 49 of 99 if you sort by the id numbers on my 9.0.1 system), you will find that there is further information about this rule stating that it was an attempted administrator privilege gain. This rule is activated on my UT as well, and has never tripped, although I don't have that many POP3 users here (I'm in a home environment).

Given this description, I would be hesitant to disable Intrusion Protection and/or disable that rule, but rather would have you look at the particulars of that POP3 session.

Some questions that will help pinpoint the problem in no particular order:
- Is it happening with one particular user at your client's site, or with all users?
- How many people/machines are behind the UT installation?
- What version of UT are you running?
- Is the email hosted on an external site and users access it from the client site (I would assume so since it is going through UT, but want to be sure of your set up)?
- Is UT in router or bridge mode?
- What versions of Thunderbird and Outlook are you using?
- Are the client machines that are having the problem up-to-date on Windows security updates and anti-virus/anti-malware software?

[dmorris]

if anyone can explain this and more importantly how to get around this I'd appreciate it. I don't like having this module turned off, which it is right now

http://forums.untangle.com/intrusion...ion-9-0-a.html

[mseedii]

thank you to both of you for the insights and info. i'll use your info dmorris to figure things out later but at least I can explain what happened "all of a sudden"

[AngelKnight]

Using dmorris' previous post, I found the description for your block rule at: http://www.snort.org/search/sid/2250?r=1. It appears to only affect a specific piece of software (AMAX Information Technologies Inc. Magic Winmail Server 2.3). If you're not using that (note that your external mail server might be), then it's probably safe to disable that individual rule. Note the word probably.