Reiz
New Member
February 24, 2023
Solved

IPS POP3 Invalid Message Number


Hi, my firewall detected POP3 Invalid Message Number blocked by IPS.

 

I have checked the fortiguard encyclopedia.

Encyclopedia : "This indicates that a client has tried to retrieve a message from a POP server with a number higher than 65535. This is an indication of a buffer-overflow or denial-of-service attack."

 

Does it mean someone tried retrieving a message with a port higher than 65535?

Or the total number of messages retrieved is higher than 65535? 

Or the content of a message has a number of words higher than 65535?

Or any other meaning?

 

I am not familiar with this; could someone please explain it to me?

 

FortiGate 

Best answer by srajeswaran


5 replies

Anthony_E
Staff
February 27, 2023

Hello Reiz,


Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.


Thanks,

Best Regards
Anthony_E
Staff
February 28, 2023

Hello Reiz,

 

We are still looking for someone to help you.

We will come back to you ASAP.


Regards,

Best Regards
Reiz
Author
New Member
March 1, 2023

Hi Anthony,

 

Do you have any updates?

Anthony_E
Staff
March 1, 2023

Hello,

 

I am still looking for somebody to answer it. Count on me to push :)!

 

Regards,

Best Regards
srajeswaran
Staff
March 1, 2023

Ideally, if the port number is higher than 65535, it will be blocked by your firewall policy itself, so it may not be the case here.

As per the following RFC, https://www.rfc-editor.org/rfc/rfc1939#page-6, the message number is the ID of each mail.

After the POP3 server has opened the maildrop, it assigns a message-number to each message, and notes the size of each message in octets. The first message in the maildrop is assigned a message-number of "1", the second is assigned "2", and so on, so that the nth message in a maildrop is assigned a message-number of "n". In POP3 commands and responses, all message-numbers and message sizes are expressed in base-10 (i.e., decimal).

I also see some discussions in MS discussion forums where it is mentioned that the maximum number of mails in POP3 could be 65535.

Also, as per the above RFC, the message size is not indicated using the message number.

Putting all these together, the most probable reason for the trigger is someone trying to retrieve a mail with a number higher than 65535.
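
The condition the encyclopedia entry describes can be illustrated with a small checker over client-to-server POP3 lines. This is an added example, not Fortinet's signature logic and not code from anyone in this thread. The function names, verdict labels and sample session are assumptions made for the illustration; the commands checked are the RFC 1939 commands that take a message-number argument.

```python
import re

# RFC 1939 commands whose first argument is a message-number.
MSG_NUMBER_COMMANDS = {"LIST", "RETR", "DELE", "TOP", "UIDL"}
ARGUMENT_OPTIONAL = {"LIST", "UIDL"}  # valid with no argument
MAX_MSG_NUMBER = 65535  # threshold quoted in the encyclopedia entry


def check_command(line: bytes):
    """Classify one client-to-server POP3 line as ok, malformed or alert."""
    parts = line.decode("ascii", errors="replace").split()
    if not parts:
        return ("ok", "empty line")
    keyword = parts[0].upper()  # POP3 keywords are case-insensitive
    if keyword not in MSG_NUMBER_COMMANDS:
        return ("ok", "command takes no message-number")
    if len(parts) == 1:
        if keyword in ARGUMENT_OPTIONAL:
            return ("ok", f"{keyword} without argument")
        return ("malformed", f"{keyword} is missing its message-number")
    arg = parts[1]
    if not re.fullmatch(r"[0-9]+", arg):
        return ("malformed", f"{keyword} argument is not decimal: {arg[:20]!r}")
    digits = arg.lstrip("0") or "0"
    # Compare by length first so a very long digit string is never converted.
    if len(digits) > len(str(MAX_MSG_NUMBER)) or int(digits) > MAX_MSG_NUMBER:
        return ("alert", f"{keyword} message-number {digits[:20]} exceeds {MAX_MSG_NUMBER}")
    return ("ok", f"{keyword} message-number {digits}")


# Constructed sample of client commands (not captured traffic).
SAMPLE_SESSION = [
    b"USER alice\r\n", b"STAT\r\n", b"LIST\r\n", b"RETR 1\r\n",
    b"retr 65535\r\n", b"RETR 65536\r\n", b"TOP 70000 10\r\n",
    b"DELE 99999999999999999999\r\n", b"RETR -1\r\n",
]


def scan(session):
    """Return (line, verdict, detail) for every line that is not ok."""
    results = []
    for line in session:
        verdict, detail = check_command(line)
        if verdict != "ok":
            results.append((line, verdict, detail))
    return results


if __name__ == "__main__":
    for line, verdict, detail in scan(SAMPLE_SESSION):
        print(verdict, detail)
```

In this sketch, 65535 itself passes and 65536 is the first value flagged, matching the "higher than 65535" wording of the encyclopedia entry.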