It is from a known good source, another mail server, but I don't know if this instance is mail being relayed or generated from the server itself. The smtp portion of the packet is just a bunch of random numbers from what I can tell.
On Nov 20, 2007 10:15 AM, David Maynor <[EMAIL PROTECTED]> wrote:
> Is the email spam or is it from a known good source?
>
> On Nov 20, 2007 10:59 AM, Albert R. Campa <[EMAIL PROTECTED]> wrote:
> > I don't know that it is an actual email, but this is 1 of 28 lines that
> > I took from a packet capture in the SMTP portion of the packet
> >
> > Message: \252\225U\376\207\251\326\270\001II\341\321\321I\001R\n
> >
> > Some lines are longer, some shorter, but 28 of them. I guess this is
> > what is causing the event to trigger.
> >
> > On Nov 20, 2007 9:43 AM, David Maynor <[EMAIL PROTECTED]> wrote:
> > > What is contained in that email? Specifically that check is looking
> > > for strings that could be used as the payload in a buffer overflow.
> > > There is always a chance of positives, but I would love to see what
> > > kind of legit email contains characters that could be translated to
> > > machine code in a useful fashion.
> > >
> > > On Nov 19, 2007 5:28 PM, Albert R. Campa <[EMAIL PROTECTED]> wrote:
> > > > Hi guys,
> > > >
> > > > I am getting spurts of events triggered by ISS Proventia, with the
> > > > following vuln description:
> > > >
> > > > Vulnerability description
> > > > In buffer overflow attacks, an attacker supplies data that is longer
> > > > than the available space to hold it. For stack allocated variables,
> > > > this usually means the attacker can corrupt other variables and
> > > > eventually modify the code that is executed when the function in which
> > > > the overflow occurs ends.
> > > >
> > > > http://www.iss.net/security_center/reference/vuln/EMail_Generic_Intel_Overflow.htm
> > > >
> > > > They are from a trusted mail server so it's not being blocked.
> > > >
> > > > Do you think this is just a true false positive or is this trusted
> > > > mail server sending bad packets?
------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly? Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT. Go to
http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
to learn more.
------------------------------------------------------------------------
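As an added example (not code from this thread or from ISS), here is a small Python heuristic of the kind a generic "overflow in email" check approximates, written from a detection-engineering angle: it decodes the octal-escaped SMTP line quoted above back into raw bytes and measures how much of the line is non-printable 8-bit data, which is what separates a raw binary blob from ordinary text or a base64-encoded attachment. The function names and the 0.3 threshold are my assumptions, not the sensor's actual logic.

```python
import re

# Constructed sample: the SMTP line Albert pasted, in the \ooo escape
# style the capture tool printed it in (a raw string, so the backslashes
# are literal here).
SAMPLE_LINE = r"\252\225U\376\207\251\326\270\001II\341\321\321I\001R\n"

# Matches \ooo octal escapes plus the usual \n \r \t \\ escapes.
ESCAPE_RE = re.compile(r"\\([0-7]{1,3}|n|r|t|\\)")


def unescape_octal(dump: str) -> bytes:
    """Turn an escaped packet dump line back into the raw bytes on the wire."""
    out = bytearray()
    pos = 0
    for m in ESCAPE_RE.finditer(dump):
        out += dump[pos:m.start()].encode("latin-1")  # literal text between escapes
        tok = m.group(1)
        if tok == "n":
            out.append(10)
        elif tok == "r":
            out.append(13)
        elif tok == "t":
            out.append(9)
        elif tok == "\\":
            out.append(92)
        else:
            out.append(int(tok, 8))
        pos = m.end()
    out += dump[pos:].encode("latin-1")
    return bytes(out)


def binary_ratio(data: bytes) -> float:
    """Fraction of bytes that are neither printable ASCII nor tab/CR/LF."""
    if not data:
        return 0.0
    printable = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return 1 - printable / len(data)


def looks_like_binary_payload(data: bytes, threshold: float = 0.3) -> bool:
    """Heuristic (assumed threshold): flag a line that is mostly 8-bit/control bytes.

    Text headers and base64/quoted-printable bodies stay well below this; raw
    8-bit data such as an unencoded attachment or a real shellcode blob goes
    well above it, which is why both look alike to a signature of this kind.
    """
    return binary_ratio(data) >= threshold
```

Running `looks_like_binary_payload(unescape_octal(SAMPLE_LINE))` returns True for the pasted line, while a plain header line or a base64 line returns False; the heuristic cannot tell a legitimate 8-bit relay from an exploit, only that the bytes are not text.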
