SonicWALL Signatures



Category: POP

POP Category Description

This SonicWALL IPS signature category consists of a group of signatures that can detect and prevent traffic related to attacks on POP servers. POP or Post Office Protocol is a standard e-mail protocol used to communicate between remote e-mail servers and local e-mail clients. As opposed to IMAP, POP service provides minimal support for users to manipulate messages while they are still on the server, allowing the user instead to download them at once and manipulate them on their local machine. Because POP servers accept and send a number of standardized commands to serve clients messages, they are vulnerable to attack through malformed requests. Attackers using specially engineered instances of these commands can gain full control over servers, access sensitive information, or cause the servers to crash, significantly limiting e-mail access.

Most of the attacks against POP servers are buffer overflow attacks that exploit unchecked buffers in several POP implementations. Attackers can send a malformed command that is too long for the server to handle, causing it to malfunction. This can cause the server to crash, keeping POP clients from accessing their e-mail, but it can also cause the server to execute code included in the command by the attacker. This can allow the attacker to gain full control over the server, granting privileged access to sensitive information, and allowing the attacker to exploit trust relationships between the server and its clients. For example, an attacker could use a compromised server to send malicious code in response to requests for e-mail messages, compromising client computers as well.

Other less serious attacks on POP servers include privilege elevation and denial of service attacks. In privilege elevation attacks, attackers can send a crafted request that the server mishandles, allowing them to access sensitive information. In denial of service attacks, attackers send a request that causes the server to become unstable and crash, limiting e-mail access.

While the above-mentioned attacks can be debilitating if successful, their chance of success is small and so their corresponding signatures are classified as medium priority. When enabled, they can keep malicious attacks from reaching mail servers. Administrators should note, however, that most POP implementations with the above-mentioned vulnerabilities have patches and updates provided by their vendors which make them immune to most exploits. Administrators should use good patching practices in conjunction with SonicWALL signatures to ensure maximum security for their POP servers.

  POP3 Request with Malformed UIDL Command
  POP3 Request with Malformed USER Command
  POP3 Request with Malformed PASS Command
  POP3 Malformed Response 1
  Inetserv POP3 Server RETR Format String Attack
  cURL POP DIGEST-MD5 Buffer Overflow
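
The kind of per-command check the description above implies, as an added example (this is not SonicWALL's signature logic and not code from this page). It assumes the RFC 2449 limit of 255 octets per command line; the function name, keyword sets and sample lines are constructed for illustration.

```python
import re

MAX_LINE = 255  # RFC 2449: maximum command length in octets, CRLF included
KNOWN = {"USER", "PASS", "APOP", "STAT", "LIST", "RETR", "DELE", "NOOP",
         "RSET", "TOP", "UIDL", "QUIT", "CAPA", "AUTH", "STLS"}
NUMERIC_ARGS = {"LIST", "RETR", "DELE", "UIDL", "TOP"}  # take message numbers
# Heuristic for printf-style conversions such as %x or %n in an argument.
FORMAT_SPEC = re.compile(rb"%[0-9.$#+-]*[diouxXeEfgGcspn]")

def inspect_command(line: bytes) -> list:
    """Return findings for one client-to-server POP3 line (empty list = clean)."""
    findings = []
    if len(line) > MAX_LINE:
        findings.append("line is %d octets, limit is %d" % (len(line), MAX_LINE))
    if not line.endswith(b"\r\n"):
        findings.append("missing CRLF terminator")
    body = line.rstrip(b"\r\n")
    if any(c < 0x20 or c == 0x7F for c in body):
        findings.append("control character inside command")
    keyword, _, rest = body.partition(b" ")
    name = keyword.decode("ascii", "replace").upper()
    if name not in KNOWN:
        findings.append("unknown keyword %r" % name[:16])
    if name in NUMERIC_ARGS and not all(a.isdigit() for a in rest.split()):
        findings.append("%s argument is not a message number" % name)
    # Passwords may legitimately contain '%', so PASS is exempt from this check.
    if name != "PASS" and FORMAT_SPEC.search(rest):
        findings.append("printf-style conversion in %s argument" % name)
    return findings

# Constructed sample lines, not captured traffic.
SAMPLES = [
    b"USER alice\r\n",
    b"UIDL 3\r\n",
    b"USER " + b"A" * 600 + b"\r\n",
    b"RETR %x%x%n\r\n",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample[:40], inspect_command(sample))
```

A proxy or log pipeline that already splits the POP3 stream into lines can call `inspect_command` on each client line and alert on any non-empty result.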
