Hi,

I heve been experiencing a problem with pop3 service within exchange 2000
sp3 running on a windows 2000 sp4 server. There are some malformed emails
that causes the pop3 session with Outlook Express clients to timeout
resulting the clients destinations of such messages are uncapable to
retrieve any more messages. he workaround we use is to login to the mailbox
by using Outlook Web Access, then delete the offending message. These
messages are mainly spam and/or viruses but it have been valid messages also
with this problem. Note this is a kind of denial of service, but only the
destination account results denied. The overall server works as expected.
The W2K server is automatically updated to the latest security patches. The
exchange server was updated to the "after sp3 rollup update".
We use Panda ExchangeSecure from Enterprisecure suite for fighting virus
and spam on the mail server. I don't know is it the origin of the
malformation of the messages. The fact is we are running Panda
ExchangeSecure for some years without major problems and this strange
behaviour started in the last year. But now it becomes more and more
frequent. Just today I was affected (again) by the problem and I made a
telnet pop3 session to clarify the problem. I was able to retrieve both the
good and the bad mail without problems. Testing with Mozilla Thunderbird it
was able also to receive this particular message but there were other cases
when even Thunderbird timed out.

Any suggestion to fight this problem is welcomed.
Thanks in advance
Sammy

The Oulook Express timeout error number is 0x800CCC19

The pop3 session: The first message is a good one. The second cause timeout
when retrieving from Outlook Express 6.

+OK Microsoft Exchange 2000 POP3 server version 6.0.6603.0 (xxx.xxx.xxx
..mx) ready.
user xxxx
+OK
pass xxxx
+OK User successfully logged on.
list
+OK 2 2783
1 2000
2 783
..
get
-ERR Protocol error.
retr 1
+OK
Received: from ns.mexwebspace.com ([200.47.159.109]) by xxx.xxx.xxx.mx
with Microsoft SMTPSVC(5.0.2195.6713);
Tue, 26 Dec 2006 09:16:25 -0600
Received: by ns.mexwebspace.com (Postfix, from userid 816)
id 384B816C8465; Tue, 26 Dec 2006 09:13:01 -0600 (CST)
Received: from ventas5 (unknown [189.135.21.127])
by ns.mexwebspace.com (Postfix) with ESMTP id A5DF816C8461;
Tue, 26 Dec 2006 09:12:54 -0600 (CST)
Message-ID: 000e01c72900$cbb19460$c505a8c0@ventas5
From: "xxx xxx"
To: "Lic. xxx xxx"
Subject:
=?iso-8859-1?Q?Elevaci=F3n_de_privilegios_a_trav=E9s_de_CSRSS _en_Micros
of?=
=?iso-8859-1?Q?t_Windows_?=
Date: Tue, 26 Dec 2006 09:16:12 -0600
MIME-Version: 1.0
Content-Type: text/plain;
format=flowed;
charset="iso-8859-1";
reply-type=original
Content-Transfer-Encoding: 8bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.3028
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3028
X-PostfixSecure-Antispam: valid
Return-Path:
X-OriginalArrivalTime: 26 Dec 2006 15:16:25.0392 (UTC)
FILETIME=[CF0E7B00:01C729
00]
X-ExchangeSecure-AntiSpam: valid(2)

Elevaci¾n de privilegios a travÚs de CSRSS en Microsoft Windows

Se ha desvelado una vulnerabilidad en la forma en la que el proceso
CSRSS (Client/Server Runtime Server Subsystem) procesa mensajes
HardError (en un Message Box).

Esta vulnerabilidad permite a usuarios autenticados ejecutar c¾digo
arbitrario en el proceso CSRSS.EXE y elevar a privilegios de la cuenta
SYSTEM. Se ven afectados los sistemas Windows 2000, XP, 2003 y
Vista. Microsoft ha reconocido la existencia del problema.

No existe parche oficial. Se recomienda no dar acceso a los sistemas
a usuarios no confiables.

Mßs informaci¾n:

New report of a Windows vulnerability
http://blogs.technet.com/msrc/archiv...lity.aspx.retr 2+OKReceived: from localhost ([209.71.90.122]) by xxx.xxx.xxx.mx with Microsoft SMTPSVC(5.0.2195.6713); Tue, 26 Dec 2006 10:09:14 -0600Message-ID: 000001c72907$3986e480$0100007f@localhost From: "Ramesh To: Subject:=?utf-8?B?W1NQQU1d?= - Microsoft 0ffice 2OO7 & Adobe Acrobat 8 Pro 79$ at Stacy's amazingsoft Date:Tue, 26 Dec 2006 11:01:35 -0500 X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: MICR0S0FT Outlook, Build 10.0.3416 Importance: Normal X-MimeOLE: Produced ByMICR0S0FT MimeOLE V6.00.2800.150 X-ExchangeSecure-AntiSpam: spam(96) Content-Type: text/plain; charset="utf-8" Content-Disposition: inline Panda Antivirus haencontrado vulnerabilidad en el mensaje http://www.pandasoftware.es .quit+OK Microsoft Exchange 2000 POP3 server version 6.0.6603.0 signing off.

Are you Outlook Express clients up-to-date? There have been some
security updates from tome to time dealing with malformed headers.

And who is reporting the time out? The client or the server?

And are the client PCs running any anti-spam or anti-virus set to scan
e-mail? If so, either of those could cause the time out.

--

Mike - http://pages.prodigy.net/michael_santovec/techhelp.htm


"SammyBar" wrote in message
...
Hi,

I heve been experiencing a problem with pop3 service within exchange
2000 sp3 running on a windows 2000 sp4 server. There are some
malformed emails that causes the pop3 session with Outlook Express
clients to timeout resulting the clients destinations of such messages
are uncapable to retrieve any more messages. he workaround we use is
to login to the mailbox by using Outlook Web Access, then delete the
offending message. These messages are mainly spam and/or viruses but
it have been valid messages also with this problem. Note this is a
kind of denial of service, but only the destination account results
denied. The overall server works as expected. The W2K server is
automatically updated to the latest security patches. The exchange
server was updated to the "after sp3 rollup update".
We use Panda ExchangeSecure from Enterprisecure suite for fighting
virus and spam on the mail server. I don't know is it the origin of
the malformation of the messages. The fact is we are running Panda
ExchangeSecure for some years without major problems and this strange
behaviour started in the last year. But now it becomes more and more
frequent. Just today I was affected (again) by the problem and I made
a telnet pop3 session to clarify the problem. I was able to retrieve
both the good and the bad mail without problems. Testing with Mozilla
Thunderbird it was able also to receive this particular message but
there were other cases when even Thunderbird timed out.

Any suggestion to fight this problem is welcomed.
Thanks in advance
Sammy

The Oulook Express timeout error number is 0x800CCC19

The pop3 session: The first message is a good one. The second cause
timeout when retrieving from Outlook Express 6.

+OK Microsoft Exchange 2000 POP3 server version 6.0.6603.0
(xxx.xxx.xxx
.mx) ready.
user xxxx
+OK
pass xxxx
+OK User successfully logged on.
list
+OK 2 2783
1 2000
2 783
.
get
-ERR Protocol error.
retr 1
+OK
Received: from ns.mexwebspace.com ([200.47.159.109]) by xxx.xxx.xxx.mx
with Microsoft SMTPSVC(5.0.2195.6713);
Tue, 26 Dec 2006 09:16:25 -0600
Received: by ns.mexwebspace.com (Postfix, from userid 816)
id 384B816C8465; Tue, 26 Dec 2006 09:13:01 -0600 (CST)
Received: from ventas5 (unknown [189.135.21.127])
by ns.mexwebspace.com (Postfix) with ESMTP id A5DF816C8461;
Tue, 26 Dec 2006 09:12:54 -0600 (CST)
Message-ID: 000e01c72900$cbb19460$c505a8c0@ventas5
From: "xxx xxx"
To: "Lic. xxx xxx"
Subject:
=?iso-8859-1?Q?Elevaci=F3n_de_privilegios_a_trav=E9s_de_CSRSS _en_Micros
of?=
=?iso-8859-1?Q?t_Windows_?=
Date: Tue, 26 Dec 2006 09:16:12 -0600
MIME-Version: 1.0
Content-Type: text/plain;
format=flowed;
charset="iso-8859-1";
reply-type=original
Content-Transfer-Encoding: 8bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.3028
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3028
X-PostfixSecure-Antispam: valid
Return-Path:
X-OriginalArrivalTime: 26 Dec 2006 15:16:25.0392 (UTC)
FILETIME=[CF0E7B00:01C729
00]
X-ExchangeSecure-AntiSpam: valid(2)

Elevaci¾n de privilegios a travÚs de CSRSS en Microsoft Windows

Se ha desvelado una vulnerabilidad en la forma en la que el proceso
CSRSS (Client/Server Runtime Server Subsystem) procesa mensajes
HardError (en un Message Box).

Esta vulnerabilidad permite a usuarios autenticados ejecutar c¾digo
arbitrario en el proceso CSRSS.EXE y elevar a privilegios de la cuenta
SYSTEM. Se ven afectados los sistemas Windows 2000, XP, 2003 y
Vista. Microsoft ha reconocido la existencia del problema.

No existe parche oficial. Se recomienda no dar acceso a los sistemas
a usuarios no confiables.

Mßs informaci¾n:

New report of a Windows vulnerability
http://blogs.technet.com/msrc/archiv...lity.aspx.retr
2+OKReceived: from localhost ([209.71.90.122]) by xxx.xxx.xxx.mx with
Microsoft SMTPSVC(5.0.2195.6713); Tue, 26 Dec 2006
10:09:14 -0600Message-ID: 000001c72907$3986e480$0100007f@localhost
From: "Ramesh To:

Subject:=?utf-8?B?W1NQQU1d?= - Microsoft 0ffice 2OO7 & Adobe Acrobat 8
Pro 79$ at Stacy's amazingsoft
Date:Tue, 26 Dec 2006 11:01:35 -0500
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: MICR0S0FT Outlook, Build 10.0.3416
Importance: Normal
X-MimeOLE: Produced ByMICR0S0FT MimeOLE V6.00.2800.150
X-ExchangeSecure-AntiSpam: spam(96)
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Panda Antivirus haencontrado vulnerabilidad en el mensaje
http://www.pandasoftware.es
.quit+OK Microsoft Exchange 2000 POP3 server version 6.0.6603.0
signing off.

Are you Outlook Express clients up-to-date?
Yes, we have WSUS, all the patches all approved and installed. We don't have
IE 7 yet so I don't know it resolves the problem. It looks to be a OE 6
specific problem

And who is reporting the time out? The client or the server?
The client is reporting the timeout. By telnetting or even with Mozilla
Thundrbird client there are no problems with the reception of the malformed
message.

And are the client PCs running any anti-spam or anti-virus set to scan
e-mail? If so, either of those could cause the time out.
The client PC no. But the Exchange server is running ExchangeSecure 2006
from Panda Enterprisecure suite. The malformed message was "touched" by the
antivirus because it replaced the actual content with a text informing that
"Panda Antivirus have found a vulnerability in the message". It is possible
it was Panda that malformed the message when cleaning it.

Thanks for your attention
Sammy