Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Reiz
New Contributor

IPS POP3 Invalid Message Number

Hi, my firewall detected POP3 Invalid Message Number blocked by IPS.

 

I have checked the fortiguard encyclopedia.

Encyclopedia : "This indicates that a client has tried to retrieve a message from a POP server with a number higher than 65535. This is an indication of a buffer-overflow or denial-of-service attack."

 

Does it mean someone tried retrieving a message with a port higher than 65535?

Or the total number of messages retrieved is higher than 65535? 

Or the content of a message has a number of words higher than 65535?

Or any other meaning?

 

I am not familiar with this, please someone explain to me.

 

FortiGate 

1 Solution
srajeswaran
Staff
Staff

Ideally if the port number is higher than 65535, it will be blocked by your firewall policy itself, so it may not be the case here.

 

As per the following RFC https://www.rfc-editor.org/rfc/rfc1939#page-6  , the message number is the ID of each mail.

After the POP3 server has opened the maildrop, it assigns a message-
   number to each message, and notes the size of each message in octets.
   The first message in the maildrop is assigned a message-number of
   "1", the second is assigned "2", and so on, so that the nth message
   in a maildrop is assigned a message-number of "n".  In POP3 commands
   and responses, all message-numbers and message sizes are expressed in
   base-10 (i.e., decimal).


I also see some discussions in MS discussion forums where there is mention of maximum number of mails in pop3 could be 65535.

Also, as per the above RFC the message size is not indicated using the message number.

Putting all these together, the most possible reason for the error is someone trying to retrieve a mail higher than 65535 may be the reason for the trigger.

 

Regards,
Suraj
- Have you found a solution? Then give your helper a "Kudos" and mark the solution.

View solution in original post

5 REPLIES 5
Anthony_E
Community Manager
Community Manager

Hello Reiz,


Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.


Thanks,

Anthony-Fortinet Community Team.
Anthony_E
Community Manager
Community Manager

Hello Reiz,

 

We are still looking for someone to help you.

We will come back to you ASAP.


Regards,

Anthony-Fortinet Community Team.
Reiz
New Contributor

Hi Anthony,

 

Do you have any updates?

Anthony_E
Community Manager
Community Manager

Hello,

 

I am still looking for somebody to answer to it. Count on me to push :)!

 

Regards,

Anthony-Fortinet Community Team.
srajeswaran
Staff
Staff

Ideally if the port number is higher than 65535, it will be blocked by your firewall policy itself, so it may not be the case here.

 

As per the following RFC https://www.rfc-editor.org/rfc/rfc1939#page-6  , the message number is the ID of each mail.

After the POP3 server has opened the maildrop, it assigns a message-
   number to each message, and notes the size of each message in octets.
   The first message in the maildrop is assigned a message-number of
   "1", the second is assigned "2", and so on, so that the nth message
   in a maildrop is assigned a message-number of "n".  In POP3 commands
   and responses, all message-numbers and message sizes are expressed in
   base-10 (i.e., decimal).


I also see some discussions in MS discussion forums where there is mention of maximum number of mails in pop3 could be 65535.

Also, as per the above RFC the message size is not indicated using the message number.

Putting all these together, the most possible reason for the error is someone trying to retrieve a mail higher than 65535 may be the reason for the trigger.

 

Regards,
Suraj
- Have you found a solution? Then give your helper a "Kudos" and mark the solution.
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors