Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide reliable access to deleted content from the Microsoft KB. All KB articles are owned by Microsoft Corporation.

The SUBSCRIBE request for unverified clients is not rejected in Lync Server 2010


Symptoms

Microsoft Lync Server 2010 does not correctly reject a SUBSCRIBE request in which the value of the ms-source-verified-user parameter is unverified. Therefore, Lync Server 2010 cannot prevent spam instant message (SPIM) attacks that come from public IM clients, such as Windows Live Messenger, AOL, or Yahoo. Additionally, public IM client users can verify the presence status of Office Communicator 2007 R2 users and send instant messages to them.


Cause

This issue occurs because Lync Server 2010 calls the EdgeHeaderProcessor::ProcessInboundServerMessageNonEP() function when there is a message that contains an ms-edge-proxy-message-trust header. This function does not call the CSIPMessage::SetComputedUserValidation() function.

Note: Office Communications Server 2007 R2 uses the CEPHeaderProcessor::ProcessIncomingMessage() function instead. This function calls the CSIPMessage::SetComputedUserValidation() function.
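
The following Python example is an added illustration, not Microsoft's code and not part of the original article. It applies the check described above to raw SIP text, flagging a SUBSCRIBE whose ms-edge-proxy-message-trust header carries ms-source-verified-user=unverified. It assumes the header value is a semicolon-separated list of name=value parameters; the sample messages, hosts and the other parameters shown are constructed.

```python
"""Flag SIP SUBSCRIBE requests whose edge trust header marks the sender unverified."""

TRUST_HEADER = "ms-edge-proxy-message-trust"
VERIFIED_PARAM = "ms-source-verified-user"


def parse_sip(raw):
    """Return (method, headers) for a SIP request; header names are lower-cased."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    method = lines[0].split(" ", 1)[0].upper()
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return method, headers


def trust_params(value):
    """Split a trust header value into parameters (assumed ';'-separated name=value)."""
    params = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            params[name.strip().lower()] = val.strip().lower()
    return params


def reject_subscribe(raw):
    """True when a SUBSCRIBE carries ms-source-verified-user=unverified."""
    method, headers = parse_sip(raw)
    if method != "SUBSCRIBE":
        return False
    return any(
        trust_params(v).get(VERIFIED_PARAM) == "unverified"
        for v in headers.get(TRUST_HEADER, [])
    )


# Constructed sample message: users, hosts and the other parameters are made up.
def sample(method, verified):
    return (
        f"{method} sip:alice@contoso.example SIP/2.0\r\n"
        "From: <sip:bob@public.example>;tag=1\r\n"
        f"ms-edge-proxy-message-trust: ms-source-type=InternetUser;"
        f"ms-source-verified-user={verified};ms-source-network=publiccloud\r\n"
        "Event: presence\r\n\r\n"
    )
```

Run over captured SIP traces, `reject_subscribe` identifies the requests that a server with the cumulative update is expected to refuse, so an accepted one indicates an unpatched front end.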


Resolution

To resolve this issue, install the following cumulative update:
2592292 Description of the cumulative update for Lync Server 2010: August 2011



Keywords: kbqfe, kbfix, kbhotfixrollup, kbexpertiseadvanced, kbsurveynew, kb

Article Info
Article ID : 2592291
Revision : 1
Created on : 1/7/2017
Published on : 9/13/2011
Exists online : False