IDS/IPS 124:1 SMTP_COMMAND_OVERFLOW

cnaron
Comes here often


Just a PSA,


We started receiving reports of broken scan to email and email client functionality over the past few days.  This was hit and miss across 50+ locations and not specific to any hardware make or model.  


Snort rule 124:1 - SMTP_COMMAND_OVERFLOW seems to be tagging outbound SMTP connections from certain devices and blocking them (as expected).

In our case these were all false positives.


We've disabled the rule for now and services are restored.

BrandonD
Meraki Employee

Hi @cnaron,


Brandon from Meraki Support here - thanks for bringing this to the community and for your feedback!

I just wanted to pass along Talos' feedback page, where customers with an active Cisco account can submit false positive reports - outlined below:


Hope this helps! 

If you found this post helpful, please give it kudos. If my answer solved your problem, click "accept as solution" so that others can benefit from it.
Einstein
Getting noticed

We ran into the same issue, with the same error in MX events. We have a very large Xerox press whose scan to email suddenly stopped working. I added our printer as a trusted IP and allowed the rule in IDP. Scan to email now works. Will continue to monitor, but it does seem like a false positive in Talos.
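The two posts above describe two different mitigations: disabling rule 124:1 outright, or allowing it only for a known device. Rule 124:1 belongs to Snort's SMTP preprocessor and fires when a client sends an SMTP command line longer than the configured maximum, so before choosing either option it helps to (a) see which source devices are actually triggering it and (b) confirm whether a device's SMTP dialogue really contains an overlong command line. The Python below is an added example for that triage and is not code from this thread, Meraki or Talos. The alert log layout, the sample alert lines, the scanner's SMTP session and the 512-octet threshold (taken from RFC 5321's command-line limit, standing in for whatever maximum the preprocessor is configured with) are all constructed assumptions.

```python
"""
Triage helper for Snort-style IDS/IPS alerts such as 124:1 SMTP_COMMAND_OVERFLOW.

summarize_alerts()   - group alert lines by source IP for one signature, so an
                       allow decision can be scoped to specific devices (e.g.
                       scanners) instead of disabling the rule fleet-wide.
find_long_commands() - replay a captured SMTP client dialogue and report command
                       lines longer than a threshold, approximating the
                       preprocessor condition behind 124:1 (overlong command).
"""
import re
from collections import Counter

# Constructed sample alert lines (NOT real Meraki/Snort output); the
# "timestamp src:port -> dst:port sig=GID:SID ..." layout is an assumption.
SAMPLE_ALERTS = """\
2024-05-01T08:12:03Z 10.20.1.50:51234 -> 203.0.113.25:587 sig=124:1 msg=SMTP_COMMAND_OVERFLOW action=blocked
2024-05-01T08:12:09Z 10.20.1.50:51240 -> 203.0.113.25:587 sig=124:1 msg=SMTP_COMMAND_OVERFLOW action=blocked
2024-05-01T08:15:44Z 10.20.7.12:44010 -> 203.0.113.25:587 sig=124:1 msg=SMTP_COMMAND_OVERFLOW action=blocked
2024-05-01T09:01:02Z 10.20.3.99:60001 -> 198.51.100.7:443 sig=1:2100498 msg=GPL_ATTACK_RESPONSE action=alerted
"""

ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[\d.]+):\d+\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+sig=(?P<sig>[\d:]+)"
)


def summarize_alerts(text, signature="124:1"):
    """Return {source_ip: alert_count} for lines carrying the given signature.

    A short list of repeat offenders (printers, scanners) is what you would
    feed into a per-device allow rule; a long, diverse list suggests the rule
    itself needs tuning or a Talos false-positive report.
    """
    counts = Counter()
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if m and m.group("sig") == signature:
            counts[m.group("src")] += 1
    return dict(counts)


# Constructed SMTP client dialogue from a hypothetical scanner: the MAIL FROM
# line is padded far past the 512-octet command-line limit of RFC 5321.
SAMPLE_SESSION = (
    "EHLO scanner.example\r\n"
    "AUTH LOGIN\r\n"
    "MAIL FROM:<scanner@example.org> " + "X" * 600 + "\r\n"
    "RCPT TO:<ops@example.org>\r\n"
    "DATA\r\n"
)


def find_long_commands(session, max_len=512):
    """Return [(verb, length)] for client command lines longer than max_len.

    max_len is an assumption standing in for the preprocessor's configured
    maximum command line length, which is deployment-specific. Lines are
    measured without their CRLF terminator.
    """
    overlong = []
    for raw in session.split("\r\n"):
        if not raw:
            continue
        # Command verb is the token before the first space or colon
        # ("MAIL FROM:<...>" -> "MAIL", "RCPT TO:<...>" -> "RCPT").
        verb = raw.split(" ", 1)[0].split(":", 1)[0].upper()
        if len(raw) > max_len:
            overlong.append((verb, len(raw)))
    return overlong


if __name__ == "__main__":
    print("124:1 alerts by source IP:", summarize_alerts(SAMPLE_ALERTS))
    print("Overlong SMTP commands in sample session:", find_long_commands(SAMPLE_SESSION))
```

Run against real exports, the first function tells you whether the hits are confined to a handful of scan-to-email devices (a good fit for the trusted-IP approach in the reply above) or spread across many clients; the second, fed a client-side capture of one device's SMTP session, tells you whether the device really is emitting an overlong command line, which is useful evidence to attach to a Talos false-positive report.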
