IDS mailing list archives

Re: HELP ON POP3 FALSE ATTACHMENT SIGNATURE


From: "Srinivasa Rao Addepalli" <srao () intotoinc com>
Date: Tue, 17 Jun 2003 20:39:39 -0700

Hi Aravind,
     You need to give more information. But based on your
     description, I feel you should look at the MIME header in the
     email body. In any case, it is better to build POP3 protocol
     intelligence to figure out the 'envelope' header and the email
     data message. Then you can do a content search on part of the
     envelope OR part of a MIME header field.
     Doing a content search on the packets might give you
     false negatives and false positives.
Srini

Intoto Inc. 
Enabling Security Infrastructure
3160, De La Cruz Blvd #100
Santa Clara, CA 95054
www.intotoinc.com
----- Original Message ----- 
From: "Aravinda T" <aravindat () internettrends co in>
To: <focus-ids () securityfocus com>
Cc: <focus-ids-owner () securityfocus com>
Sent: Sunday, June 15, 2003 10:38 PM
Subject: HELP ON POP3 FALSE ATTACHMENT SIGNATURE


Hi all,

       In our company we are developing a host-based IDS for all Windows
platforms. As part of that, they asked me to write code for detecting the POP3
false attachment attack. I am giving the description of this attack below.

Description:
Versions of MS Outlook are vulnerable to receiving
a hidden, potentially hostile attachment. An arbitrary string of characters,
supplied by the sender to the 'subject:' field, will be received and
interpreted by vulnerable versions of Outlook as an attachment to the
message. If this string is properly constructed, it can be executable and
capable of performing hostile actions on the vulnerable host. This can also
be used to circumvent Outlook's dangerous file security feature.

So, please help me write a signature for this attack. Any info regarding
this one is highly appreciated.
Thanks and regards,
Aravind.



-------------------------------------------------------------------------------
Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas, the 
world's premier technical IT security event! 10 tracks, 15 training sessions, 
1,800 delegates from 30 nations including all of the top experts, from CSO's to 
"underground" security specialists.  See for yourself what the buzz is about!  
Early-bird registration ends July 3.  This event will sell out. www.blackhat.com
-------------------------------------------------------------------------------
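
One way to apply the advice in the reply above, as an added example that is not from either poster: reassemble the POP3 RETR reply, split the header block from the body, unfold the headers, and search only the named field. `EXAMPLE-MARKER` is a constructed placeholder (the thread does not give the actual string), and the function names and sample replies are assumptions made for this sketch.

```python
import re

# Constructed placeholder; the thread does not give the real indicator string.
MARKER = re.compile(rb"EXAMPLE-MARKER")
# Raw content search of the kind the reply warns about, for comparison.
NAIVE = re.compile(rb"(?m)^Subject:.*EXAMPLE-MARKER")

def retr_message(stream: bytes) -> bytes:
    """Return the message carried by one complete POP3 RETR reply (RFC 1939)."""
    status, _, rest = stream.partition(b"\r\n")
    if not status.startswith(b"+OK"):
        raise ValueError("not a positive RETR reply")
    lines = []
    for line in rest.split(b"\r\n"):
        if line == b".":                      # a lone dot ends the reply
            return b"\r\n".join(lines)
        # undo dot-stuffing on lines that begin with "."
        lines.append(line[1:] if line.startswith(b".") else line)
    raise ValueError("terminator not seen yet, keep buffering")

def header_fields(message: bytes):
    """Yield (name, value) pairs from the header block only."""
    head = message.split(b"\r\n\r\n", 1)[0]        # headers end at first blank line
    head = re.sub(rb"\r\n(?=[ \t])", b"", head)    # unfold continuation lines
    for line in head.split(b"\r\n"):
        name, sep, value = line.partition(b":")
        if sep:
            yield name.strip().lower(), value.strip()

def field_matches(stream: bytes, field: bytes, pattern=MARKER) -> bool:
    """True if the pattern occurs in the given header field of the message."""
    msg = retr_message(stream)
    return any(n == field and pattern.search(v) is not None
               for n, v in header_fields(msg))

# Constructed sample replies (not captured traffic).
BODY_MENTION = (b"+OK 120 octets\r\nFrom: a@example.com\r\n"
                b"Subject: weekly report\r\n\r\nQuoted text:\r\n"
                b"Subject: EXAMPLE-MARKER\r\n.\r\n")
FOLDED = (b"+OK 90 octets\r\nFrom: a@example.com\r\n"
          b"Subject: long subject\r\n EXAMPLE-MARKER\r\n\r\nbody\r\n.\r\n")

if __name__ == "__main__":
    for name, data in (("BODY_MENTION", BODY_MENTION), ("FOLDED", FOLDED)):
        print(name, "raw:", bool(NAIVE.search(data)),
              "parsed:", field_matches(data, b"subject"))
```

The raw search fires on the quoted line in the body (false positive) and misses the folded header (false negative), while the field-aware check gets both right.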