IDS mailing list archives

RE: ISS Proventia email overflow


From: "Mike Theriault" <Mike_Theriault () Jabil com>
Date: Tue, 20 Nov 2007 10:44:05 -0500

I have seen this event before in cases where SMTP mail was being sent
from an application server to a relay.  Generally speaking I ignore
these unless there were a high number of instances of those events.

Mike Theriault
Security Engineer    

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Albert R. Campa
Sent: Monday, November 19, 2007 5:28 PM
To: focus-ids () securityfocus com
Subject: ISS Proventia email overflow

Hi guys,

I am getting spurts of events triggered by ISS Proventia, with the
following vuln description:
Vulnerability description
In buffer overflow attacks, an attacker supplies data that is longer
than the available space to hold it. For stack allocated variables,
this usually means the attacker can corrupt other variables and
eventually modify the code that is executed when the function in which
the overflow occurs ends.

http://www.iss.net/security_center/reference/vuln/EMail_Generic_Intel_Overflow.htm

They are from a trusted mail server so it's not being blocked.

Do you think this is just a true false positive or is this trusted
mail server sending bad packets?
