Sonicwall Signatures

Category: IMAP

IMAP Category Description

This SonicWALL IPS signature category consists of a group of signatures that can detect and prevent traffic related to attacks on IMAP servers. IMAP or Internet Message Access Protocol is a standard protocol for accessing mail on a remote server from a local client. It allows users to use a mail client to manipulate messages while they are still on the server in contrast to the POP protocol which requires users to download messages to their local client before manipulating them. IMAP server accept and send a set of standardized commands to serve e-mail messages to clients. Unfortunately, attackers have found a number of ways to manipulate these commands to exploit vulnerabilities in many versions of IMAP server software, causing the software to malfunction. These attacks can crash the server, provide attackers access to sensitive information, or allow them to completely take control of the server.

Attackers attack IMAP servers using buffer overflow attacks. These attacks involve a hacker sending a command with an overly long argument to an IMAP server, causing the server to mishandle the request, and possibly execute code of the attacker's choice. For example, if an authenticated user sends a LIST command with an overly long argument to the server, several versions of IMAP server software will mishandle the command and potentially allow attackers gain control over the server. Once in control, attackers can corrupt mailboxes, steal information, or use the server for their own ends. Even if such an attack fails to grant attackers control of a server, it will most likely crash the machine, shutting down e-mail access to all users on the server.

Because most of the attacks on IMAP server that have a relatively high probability of success require attackers to be authenticated by the system first, these attacks do not represent a serious threat. SonicWALL IMAP signatures are classified as low-priority, and are by default set to detect and altert administrators of suspicious IMAP activity.