Specially crafted HTML emails cause emails to get stuck in the IIS/Exchange queues.

The information in this article applies to:

  • GFI MailEssentials for Exchange/SMTP 10
  • GFI MailEssentials for Exchange/SMTP 9
  • GFI MailSecurity for Exchange/SMTP 8

Article ID: KBID002249

Query keywords: exchange, Exchange 2000, Exchange 2003, Exchange Server, iis, queues

Specially crafted HTML emails could cause GFI MailSecurity and GFI MailEssentials to stop processing, with emails getting stuck in the IIS queue or Exchange pre-submission queues.

More Information

An issue has been found in GFI MailEssentials 9 and 10.x and GFI MailSecurity 8.x where a specially crafted HTML email causes the products to stop processing, resulting in emails getting stuck in the IIS/Exchange queues. The issue lies in a Microsoft HTML library used by a GFI library that is common to GFI MailSecurity and GFI MailEssentials.

This issue was first discovered as a vulnerability in the hotmail.com code filtering mechanism. 

GFI is issuing product patches to fix this. The patches can be downloaded from the locations below:

The GFI MailEssentials patch will also be made available through the GFI MailEssentials Patch Notification.

NOTE: If you have GFI MailSecurity 8.x and GFI MailEssentials 10.x installed on the same machine, you need only apply the GFI MailEssentials 10.x patch, since it includes a file that is common to both products.