
Re: Mail.app DoS/BAD parse error: invalid message sequence number



David,

We had the same issue and we also opened a case with Zimbra. The reply is exactly what you summarized below. It's a Mail.app bug.

When we found this BAD parse error attack, we blocked the source IP
with route add -host <IP> reject, then later removed the block with route del -host <IP> reject.

That way, at least the user can still use webmail to connect to read email.

There is no evidence of lost email or a performance hit, other than the large mailboxd
logs (a few million lines of errors can easily get logged in one day).

Xueshan
--

Xueshan Feng <sfeng@stanford.edu>
Technical Lead, IT Services, Stanford University

----- Original Message -----
> Hi-
> I'm a little behind in giving an update about this issue. I believe
> this is similar to the issue Dmitry is seeing (except we haven't seen
> any data loss at all associated with it), so I have added his subject
> line to the followup message.
> 
> To recap, with a simple set of steps, we can cause a single MacOS X
> client (and apparently similar symptoms occur with other clients based
> on a forum posting on this), to start to DoS our Zimbra server by
> resending commands at high rates. The commands it sends result in
> tons of messages along these lines:
> 
> > 2010-05-04 11:41:35,306 INFO [ImapSSLServer-634329]
> > [name=user@zimbra;mid=419;ip=ip;] imap - S: 291726.299 BAD parse
> > error: invalid message sequence number: 1:*
> > 2010-05-04 11:41:35,362 INFO [ImapSSLServer-634329]
> > [name=user@zimbra;mid=419;ip=ip;] imap - S: 291727.299 BAD parse
> > error: invalid message sequence number: 1:*
> > 2010-05-04 11:41:35,432 INFO [ImapSSLServer-634329]
> > [name=user@zimbra;mid=419;ip=ip;] imap - S: 291729.299 BAD parse
> > error: invalid message sequence number: 2:*
> 
> At Thom from Zimbra's request, we opened up a case (00053746) with
> Zimbra and provided them with the diagnostic information they
> requested. Based on their analysis, here's what happened and where we
> stand. I am posting this publicly with the permission of the Zimbra
> support engineer assigned to our case:
> 
> 1) This is definitely a bug in Apple's client. Zimbra says "What we're
> seeing is that once the IMAP server has told the client (Mail.app)
> that there are no more messages ("* 0 EXISTS"), no more references to
> message sequences are allowed. For some reason, Mail.app is ignoring
> this and still requesting data on messages that don't exist."
> 
> 2) Zimbra has reported this to Apple both formally (bug ID #8035310,
> but I don't think you can see a bug you didn't submit) and indirectly
> through other contacts there. I have no information on when/if Apple
> plans to fix their client.
> 
> 3) Zimbra has said
> a) "We're waiting to hear back from Apple before we determine what to
> do as far as a server fix. "
> b) they don't think they can fix this on the server side because "The
> only way we could really work around this is by breaking RFC 3501
> compliance, which is certainly not something we'd like to do."
> 
> I'm far from an IMAP protocol expert, but I have suggested to them
> that I think there may be other possibilities for addressing this on
> the server side. For example, if you see the client doing this, drop
> the connection. In our case, we have proven that doing so causes
> Mail.app to reconnect and stop its incorrect and DoS producing
> behavior. It seems like some sort of protection on the server side
> against DoS-like behavior would be desirable.
> 
> I haven't been able to get a good idea where things stand on this
> issue from Zimbra in about a week, but my last sense is that this is
> mostly going to be a waiting game where we hope Apple fixes things
> (though if this comes up with other clients, I wonder if that will
> prompt Zimbra to take action on the server side before then).
> 
> In the meantime, my current suggestion would be to either use some of
> the workarounds mentioned here (like Craig's suggestion of taking the
> account in and out of maintenance mode) or follow the advice in the
> old vaudeville routine where the patient says "Doctor, Doctor! Can you
> help me? My arm hurts terribly when I move it like this." and the
> doctor says "So, don't move it like that."
> 
> 
> -- dNb

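Added example, not code from this thread, from Zimbra or from Apple: a small log scanner that does on the admin side what the reply above does by hand, i.e. finds clients that are looping on "BAD parse error: invalid message sequence number" at high rate and emits the matching route(8) null-route command. It assumes mailboxd lines shaped like the ones quoted above (the quoted lines have the address redacted as "ip=ip", so a sample address is assumed), and the threshold of 100 errors in any 60-second window is an assumed tuning value; the sample log is constructed inline.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches mailboxd lines shaped like the ones quoted in the thread. The quoted
# lines carry a redacted "ip=ip", so the address captured here is an assumption.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),(?P<ms>\d{3}) INFO "
    r"\[(?P<thread>[^\]]+)\] \[name=(?P<user>[^;]+);mid=\d+;ip=(?P<ip>[^;]+);\] "
    r"imap - S: (?P<tag>\S+) BAD parse error: invalid message sequence number: (?P<seq>\S+)$"
)


def parse_line(line):
    """Return a dict for a matching BAD-parse-error line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{m['ts']}.{m['ms']}", "%Y-%m-%d %H:%M:%S.%f")
    return {"ts": ts, "user": m["user"], "ip": m["ip"], "thread": m["thread"], "seq": m["seq"]}


def find_offenders(lines, threshold=100, window=timedelta(seconds=60)):
    """Map (user, ip) -> peak number of BAD errors inside any sliding window of
    length `window`, keeping only clients whose peak reached `threshold`.
    Both numbers are assumed tuning values, not anything Zimbra documents."""
    stamps_by_client = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            stamps_by_client[(rec["user"], rec["ip"])].append(rec["ts"])
    offenders = {}
    for client, stamps in stamps_by_client.items():
        stamps.sort()
        start = 0
        peak = 0
        for end, t in enumerate(stamps):
            # slide the window start forward until it spans at most `window`
            while t - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            offenders[client] = peak
    return offenders


def block_commands(offenders):
    """The null-route command used in the reply above, one per offending source IP."""
    ips = sorted({ip for (_, ip) in offenders})
    return [f"route add -host {ip} reject" for ip in ips]


def constructed_log():
    """Constructed sample log: one client looping at ~100 BAD/s for 1.5 s, one
    client with three stray errors, and one unrelated line the parser must skip."""
    base = datetime(2010, 5, 4, 11, 41, 35)
    lines = []
    for i in range(150):
        t = base + timedelta(milliseconds=10 * i)
        lines.append(
            f"{t:%Y-%m-%d %H:%M:%S},{t.microsecond // 1000:03d} INFO [ImapSSLServer-634329] "
            f"[name=user@zimbra;mid=419;ip=10.0.0.5;] imap - S: {291726 + i}.299 "
            f"BAD parse error: invalid message sequence number: 1:*"
        )
    for i in range(3):
        t = base + timedelta(seconds=20 * i)
        lines.append(
            f"{t:%Y-%m-%d %H:%M:%S},000 INFO [ImapSSLServer-634330] "
            f"[name=other@zimbra;mid=420;ip=10.0.0.9;] imap - S: {10 + i}.1 "
            f"BAD parse error: invalid message sequence number: 2:*"
        )
    lines.append("2010-05-04 11:41:36,000 INFO [ImapSSLServer-634331] not an IMAP BAD line")
    return lines


if __name__ == "__main__":
    offenders = find_offenders(constructed_log())
    for (user, ip), n in offenders.items():
        print(f"{user} from {ip}: {n} BAD errors in a 60 s window")
    for cmd in block_commands(offenders):
        print(cmd)
```

The scan is keyed on (user, ip) because the quoted log lines carry both; the route command only needs the address, so several looping accounts behind one NAT collapse into a single block, which is also the reason the reply above could keep webmail working (the block is on the IMAP source address, not on the account).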