Snort mailing list archives

Sendmail crackaddr header overflow sig - Dozens of False Positives


From: "Jeff Oliveto" <joliveto () cleancommunications com>
Date: Thu, 6 Mar 2003 10:34:40 -0500

I am getting dozens of false positives on the new "SMTP From comment
overflow attempt" signature (SID 2087 Rev 2), signature included below.
 
It seems that if the message text includes a string of "<>" then it goes
off.  Example of a message text (i.e., signature block) that sets off
SID 2087:
 
<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>
You received this email because you signed up to receive offers from
GlobalPoint Media, LLC. and....."
 
Another example: it seems one of Cisco's auto-generated e-mail replies
also contains a string of <><> that sets it off.
 
In its current form...the signature is unusable.  Is anyone working on
a better signature?
 
BTW...bet a ton of snort sensors are going off right now based upon the
text of this e-mail.
 
SID 2087 Rev 2 below
 
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP From comment overflow attempt"; flow:to_server,established; content:"From\:"; content:"<><><><><><><><><><><><><><><><><><><><><><>"; distance:0; content:"("; distance:1; content:")"; distance:1; reference:cve,CAN-2002-1337; reference:url,www.kb.cert.org/vuls/id/398025; classtype:attempted-admin; sid:2087; rev:2;)
 

 

Jeff Oliveto

Clean Communications
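An added example, not part of Jeff's post or of the Snort rule set: a Python emulation of the rule's four ordered content matches, run over a constructed newsletter-style message like the one quoted above, to show that a "<>" divider in the body followed by any parenthesised text satisfies rev 2. The header-only variant, the sample messages and the address values are assumptions for illustration, not an official rule revision.

```python
# Added example (not from the post): emulate the ordered content matches of
# SID 2087 rev 2 over a message and show why a body containing a run of "<>"
# fires it, then restrict the same checks to the header block.
ANGLE_RUN = b"<>" * 22          # the content:"<><>...<>" string in the rule

def _find_after(hay: bytes, needle: bytes, prev_end: int, distance: int) -> int:
    """Emulate a Snort relative content match: the next match may begin no
    earlier than `distance` bytes after `prev_end` (end of previous match)."""
    return hay.find(needle, prev_end + distance)

def sid2087_rev2_matches(payload: bytes) -> bool:
    """True when the four content matches of SID 2087 rev 2 all hit, in
    order, anywhere in the payload (the rule does not confine them to the
    header section, which is the root of the false positive)."""
    pos = payload.find(b"From:")
    if pos < 0:
        return False
    pos = _find_after(payload, ANGLE_RUN, pos + len(b"From:"), 0)
    if pos < 0:
        return False
    pos = _find_after(payload, b"(", pos + len(ANGLE_RUN), 1)
    if pos < 0:
        return False
    return _find_after(payload, b")", pos + 1, 1) >= 0

def header_block(message: bytes) -> bytes:
    """The RFC 822 header section: everything before the first blank line."""
    end = message.find(b"\r\n\r\n")
    return message if end < 0 else message[:end]

def sid2087_header_only(message: bytes) -> bool:
    """Hypothetical tightening (assumption, not an official revision): apply
    the same matches to the header block only, so body text cannot fire it."""
    return sid2087_rev2_matches(header_block(message))

# Constructed benign message: a "<>" divider in the signature block followed
# by ordinary parenthesised text, like the newsletter quoted in the post.
BENIGN = (b"From: offers@example.com\r\nTo: jeff@example.net\r\n"
          b"Subject: Weekly offers\r\n\r\nHello,\r\n" + ANGLE_RUN + b"\r\n"
          b"You received this email because you signed up (see our policy).\r\n")

# Constructed message that carries the pattern in the From: header itself
# (it merely satisfies the signature's own content checks).
SUSPECT = (b"From: " + ANGLE_RUN + b" (x) <a@example.com>\r\n"
           b"To: jeff@example.net\r\n\r\nbody\r\n")

if __name__ == "__main__":
    print("rev2, benign body:", sid2087_rev2_matches(BENIGN))          # True
    print("header-only, benign body:", sid2087_header_only(BENIGN))    # False
    print("header-only, From: header:", sid2087_header_only(SUSPECT))  # True
```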
