
Re: Mail.app DoS/BAD parse error: invalid message sequence number



Hi Thom-
  Thanks for the confirmation. We're certainly happy to provide any more info we can. A few follow-up questions, if I might:

1) has Zimbra or Apple been able to reproduce the problem following the steps we detailed? I ask because we can cause this behavior to happen every single time we try them here. As far as I know, we're using the latest shipping version of Mail.app to do so. If this is as readily reproducible outside our environment as it is here, I would think Apple could immediately see the problem in action.

2) Could you speak to the question of the Zimbra server being able to mitigate bad client "attacks" (as Xueshan called them)? Is that something Zimbra is considering doing? I'm wondering if it could be as simple as keeping a counter of the number of attempts to access data on messages that don't exist. If a client does that N times, you drop that one IMAP connection. I'm not claiming that this is a general protection, but I'm reasonably confident that it would immediately nip this particular problem in the bud, based on the other responses in this email thread.

I'm especially interested in #2 just because it wouldn't leave my server at the mercy of another company releasing a patch in N months or the unknown number of users who don't actually apply released patches. As I understand it from various unofficial Apple sites, the next OS patch is pretty close to release (not to mention iPhone and iPad revs). This means we're in for a considerable wait before a Mail.app patch could even see the light of day.

          -- dNb
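As an added illustration of the per-connection counter proposed in point 2 above (example code written for this page, not Zimbra's or Mail.app's code): a small server-side guard that validates the sequence set of each FETCH against the mailbox size, counts requests that name messages which don't exist, and signals that the connection should be dropped once the count reaches a threshold. The threshold N, the mailbox size, the FETCH parsing and the sample commands are all constructed assumptions.

```python
"""Server-side guard: drop an IMAP connection after N invalid sequence-number requests."""
import re
from dataclasses import dataclass

# Constructed assumptions: a mailbox holding 5 messages (sequence numbers 1..5)
# and a hypothetical threshold N=3 before the connection is dropped.
MAILBOX_SIZE = 5
DEFAULT_MAX_BAD = 3

# IMAP sequence-set syntax subset: "3", "2:5", "4:*", and comma-separated lists of those.
SEQ_SET_RE = re.compile(r"^\d+(?::(?:\d+|\*))?(?:,\d+(?::(?:\d+|\*))?)*$")
FETCH_RE = re.compile(r"^(\S+)\s+FETCH\s+(\S+)(?:\s|$)", re.IGNORECASE)


def sequence_set_valid(seq_set: str, mailbox_size: int) -> bool:
    """True only if every number in the sequence set refers to an existing message."""
    if not SEQ_SET_RE.match(seq_set):
        return False
    for part in seq_set.split(","):
        for token in part.split(":"):
            if token == "*":          # '*' means the highest existing message; always valid
                continue
            if not 1 <= int(token) <= mailbox_size:
                return False
    return True


@dataclass
class ConnectionGuard:
    """Per-connection state: one counter of invalid sequence-number requests."""
    max_bad: int = DEFAULT_MAX_BAD
    bad_count: int = 0

    def handle_fetch(self, command: str, mailbox_size: int) -> str:
        """Process one tagged FETCH line and return the server's response line."""
        m = FETCH_RE.match(command)
        if not m:
            return "* BAD unrecognized command"
        tag, seq_set = m.group(1), m.group(2)
        if sequence_set_valid(seq_set, mailbox_size):
            return f"{tag} OK FETCH completed"
        self.bad_count += 1
        if self.bad_count >= self.max_bad:     # N reached: close this one connection
            return "* BYE too many invalid sequence numbers; closing connection"
        return f"{tag} BAD parse error: invalid message sequence number"


def simulate(commands, mailbox_size=MAILBOX_SIZE, max_bad=DEFAULT_MAX_BAD):
    """Feed constructed FETCH lines through one guard; stop at the first BYE."""
    guard = ConnectionGuard(max_bad=max_bad)
    responses = []
    for cmd in commands:
        resp = guard.handle_fetch(cmd, mailbox_size)
        responses.append(resp)
        if resp.startswith("* BYE"):
            break
    return responses
```

Valid FETCHes interleaved with the bad ones do not reset the counter, so a client that keeps asking for messages that aren't there is cut off without disturbing other connections from the same user.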