Ok....where do I begin with this one...lol

*point #1: Even if this would work, you are still dependant on a user on the other end to open the email and the browser would have to be HTML based. Ok...not that hard

*point #2: So exactly how many A's does it take. Also, what would happen if you use B's instead. If it looks to the firewall like to separate requests, why would you not just send the PORT command on the first packet? Actually...let me answer that one, it is because the PORT command is used in FTP, not HTTP.

*Point #3: Again, even if this did work, the firewall would not inspect the contents of the packet beyond the TCP header anyway. Therefore it would not care about the size of the packet or how many A's it contained. what you are trying to explain here is a buffer overflow I believe, and this is not an attack against a firewall. Even if an application or service was vulnerable to a buffer overflow, it would not be the firewall's fault. So how can you say it is ZoneAlarm that has the problem?

*point #4: "You have to know the IP address of the client in order to fool the firewall into opening the port."
That is interesting...the firewall has nothing to do with opening port. The application or service would open a port. The firewall just has rules which tells the firewall which ports to leave open. ZA cannot dynamically allocate ports, unless the port is left open by the admin. AGAIN..not ZA's fault if this even was the case.

*point #5: A proxy server cannot proxy netbios through port 139 without some type of socket, so no...this will not work with a proxy server either.

*point #6: In your first post you said that it was done with SOURCE ROUTING and ICMP COMMANDS. Neither of which you mentioned here, nor did they make any sense in the first place.

Would you like me to go on?

This was enough evidence to for me to believe you are full of $hit