Snort mailing list archives

False positives with SMTP RCPT TO overflow rule


From: "Nels Lindquist" <nlindq () maei ca>
Date: Tue, 25 Jun 2002 11:09:04 -0600

Hi there.

I just updated my signatures to the latest ones (as of June 24, 
anyway) and suddenly I'm getting hundreds of alerts on SMTP RCPT TO 
overflow.

Looking at the payloads in ACID, every one of the alerts appears to 
be a false positive, i.e., part of a legitimate SMTP conversation.

I did a comparison between the older version of the signature I was 
using previously, and the only difference is the addition of the 
"nocase" option.

From what I can tell, the rule is looking for "rcpt to:" followed by 
more than 800 bytes worth of data.  Looking at the payload, the rule 
seems to be following the entire SMTP conversation, rather than just 
the RCPT TO fragment.

Attached is an example.

So what's going on here?  Should I just "pass" the rule, or should 
the rule be altered somehow to be more specific?

Thanks for any advice.

----
Nels Lindquist <*>
Information Systems Manager
Morningstar Air Express Inc.


   ---- File information -----------
     File:  payload.txt
     Date:  25 Jun 2002, 11:07
     Size:  13627 bytes.
     Type:  Text
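The behaviour described in the post, modelled as an added example (not code from the post, from Snort, or from the attached payload.txt): it assumes, as the poster infers, that the rule fires whenever "rcpt to:" appears (case-insensitively) anywhere in a payload that is larger than 800 bytes, so a reassembled SMTP session that happens to carry a large message body trips it even though the RCPT TO argument itself is short. The sample SMTP traffic is constructed, and `rcpt_argument_match` is one way a more specific check could measure only the length of the RCPT TO command line.

```python
import re

# Constructed sample SMTP client traffic (not the payload.txt attached to the post).
# Real clients send the verb in upper case, which is why a case-sensitive
# "rcpt to:" content never matched and a "nocase" version suddenly does.
LEGIT_SESSION = (
    b"EHLO mail.example.test\r\n"
    b"MAIL FROM:<alice@example.test>\r\n"
    b"RCPT TO:<bob@example.test>\r\n"
    b"DATA\r\n"
    b"Subject: quarterly report\r\n\r\n"
    + b"x" * 900            # message body larger than the 800-byte threshold
    + b"\r\n.\r\n"
)
SHORT_RCPT = b"RCPT TO:<bob@example.test>\r\n"
LONG_RCPT = b"RCPT TO:<" + b"A" * 900 + b"@example.test>\r\n"   # oversized argument

THRESHOLD = 800   # the size the post says the rule looks for after "rcpt to:"


def _pattern(nocase: bool) -> re.Pattern:
    """'rcpt to:' content match, with or without Snort's nocase semantics."""
    return re.compile(rb"rcpt to:", re.IGNORECASE if nocase else 0)


def whole_payload_match(payload: bytes, nocase: bool = True) -> bool:
    """Assumed behaviour the poster infers from the alerts: fire when
    'rcpt to:' appears anywhere in the payload and the whole payload (which,
    once the stream is reassembled, may be the entire SMTP session) exceeds
    THRESHOLD bytes."""
    return _pattern(nocase).search(payload) is not None and len(payload) > THRESHOLD


def rcpt_argument_match(payload: bytes, nocase: bool = True) -> bool:
    """More specific check (hypothetical, not the rule's own logic): fire only
    when the argument of a RCPT TO command, measured up to the end of that
    command line, is itself longer than THRESHOLD bytes."""
    for m in _pattern(nocase).finditer(payload):
        line_end = payload.find(b"\n", m.end())
        if line_end == -1:
            line_end = len(payload)
        if line_end - m.end() > THRESHOLD:
            return True
    return False


def classify(samples: dict) -> dict:
    """Run both checks over each sample; returns {name: (whole_payload, rcpt_argument)}."""
    return {name: (whole_payload_match(p), rcpt_argument_match(p))
            for name, p in samples.items()}


if __name__ == "__main__":
    samples = {"legit session": LEGIT_SESSION,
               "short RCPT": SHORT_RCPT,
               "long RCPT": LONG_RCPT}
    for name, (broad, narrow) in classify(samples).items():
        print(f"{name:14s} whole-payload check: {broad!s:5s} "
              f"RCPT-argument check: {narrow!s:5s}")
```

The legitimate session is the false positive: the whole-payload check fires on it (and would not have fired before nocase, because the client sent the verb in upper case), while the argument-length check stays quiet and still catches the genuinely oversized RCPT TO line.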
