Re: ISS Proventia email overflow

["Albert R. Campa" <abcampa () gmail com>]

It is from a known good source, another mail server, but I don't know
if this instance is mail being relayed or generated from the server
itself. The smtp portion of the packet is just a bunch of random
numbers from what I can tell.


On Nov 20, 2007 10:15 AM, David Maynor <dmaynor () gmail com> wrote:
> Is the email spam or did is it from a known good source?
>
>
> On Nov 20, 2007 10:59 AM, Albert R. Campa <abcampa () gmail com> wrote:
> > I dont know that it is an actual email, but this is 1 of 28 lines that
> > I took from a packet capture in the smtp portion of the packet
> >
> > Message: \252\225U\376\207\251\326\270\001II\341\321\321I\001R\n
> >
> > some lines are longer some shorter but 28 of them. I guess this is
> > what is causing the event to trigger.
> >
> >
> >
> > On Nov 20, 2007 9:43 AM, David Maynor <dmaynor () gmail com> wrote:
> > > What is contained in that email? Specifically that check is looking
> > > for strings that could be used as the payload in a buffer overflow.
> > > There is always a chance of positives but I would love to see what
> > > kinda of legit email contains characters that could be translated to
> > > machine code in a useful fashion.
> > >
> > >
> > > On Nov 19, 2007 5:28 PM, Albert R. Campa <abcampa () gmail com> wrote:
> > > > Hi guys,
> > > >
> > > > I am getting spurts of events trigerred by ISS Proventia, with the
> > > > following vuln description:
> > > > Vulnerability description
> > > > In buffer overflow attacks, an attacker supplies data that is longer
> > > > than the available space to hold it. For stack allocated variables,
> > > > this usually means the attacker can corrupt other variables and
> > > > eventually modify the code that is executed when the function in which
> > > > the overflow occurs ends.
> > > >
> > > > http://www.iss.net/security_center/reference/vuln/EMail_Generic_Intel_Overflow.htm
> > > >
> > > > They are from a trusted mail server so its not being blocked.
> > > >
> > > > Do you think this is just a true false positive or is this trusted
> > > > mail server sending bad packets?
> > > >
> > > > ------------------------------------------------------------------------
> > > > Test Your IDS
> > > >
> > > > Is your IDS deployed correctly?
> > > > Find out quickly and easily by testing it
> > > > with real-world attacks from CORE IMPACT.
> > > > Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
> > > > to learn more.
> > > > ------------------------------------------------------------------------

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw 
to learn more.
------------------------------------------------------------------------