I don't know that it is an actual email, but this is 1 of 28 lines that
I took from a packet capture in the smtp portion of the packet

Message: \252\225U\376\207\251\326\270\001II\341\321\321I\001R\n

Some lines are longer, some shorter, but there are 28 of them. I guess this is
what is causing the event to trigger.


On Nov 20, 2007 9:43 AM, David Maynor <[EMAIL PROTECTED]> wrote:
> What is contained in that email? Specifically that check is looking
> for strings that could be used as the payload in a buffer overflow.
> There is always a chance of positives but I would love to see what
> kind of legit email contains characters that could be translated to
> machine code in a useful fashion.
>
>
> On Nov 19, 2007 5:28 PM, Albert R. Campa <[EMAIL PROTECTED]> wrote:
> > Hi guys,
> >
> > I am getting spurts of events triggered by ISS Proventia, with the
> > following vuln description:
> > Vulnerability description
> > In buffer overflow attacks, an attacker supplies data that is longer
> > than the available space to hold it. For stack allocated variables,
> > this usually means the attacker can corrupt other variables and
> > eventually modify the code that is executed when the function in which
> > the overflow occurs ends.
> >
> > http://www.iss.net/security_center/reference/vuln/EMail_Generic_Intel_Overflow.htm
> >
> > They are from a trusted mail server so it's not being blocked.
> >
> > Do you think this is just a true false positive or is this trusted
> > mail server sending bad packets?
> >
> > ------------------------------------------------------------------------
> > Test Your IDS
> >
> > Is your IDS deployed correctly?
> > Find out quickly and easily by testing it
> > with real-world attacks from CORE IMPACT.
> > Go to 
> > http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
> > to learn more.
> > ------------------------------------------------------------------------
> >
> >
>

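One way to triage an alert like this offline (an added example, not code from the thread or from ISS): decode the `\NNN` octal escapes the capture tool printed, then measure how much of the line is non-printable 8-bit data, which is the kind of content a generic "could be machine code" signature keys on. The sample lines are constructed from the line quoted above, and the thresholds are assumptions, not the signature's real ones.

```python
import re
import string

# Constructed sample: the octal-escaped line quoted in the thread, as a capture
# tool prints non-printable bytes, plus an ordinary header line for contrast.
CAPTURED_LINES = [
    r"Message: \252\225U\376\207\251\326\270\001II\341\321\321I\001R\n",
    r"Subject: weekly report\r\n",
]

# \NNN (octal), \n, \r, \t and \\ as printed by tcpdump/Snort-style output
_ESCAPE_RE = re.compile(rb"\\([0-7]{1,3}|[nrt\\])")

# Printable ASCII plus whitespace; anything else counts as binary
PRINTABLE = set(string.printable.encode("ascii"))


def unescape_capture(line: str) -> bytes:
    """Turn a printed capture line back into the raw bytes that were on the wire."""
    def repl(m):
        tok = m.group(1)
        if tok.isdigit():
            return bytes([int(tok, 8) & 0xFF])
        return {b"n": b"\n", b"r": b"\r", b"t": b"\t", b"\\": b"\\"}[tok]
    return _ESCAPE_RE.sub(repl, line.encode("latin-1"))


def suspicious_byte_ratio(payload: bytes) -> float:
    """Fraction of bytes that are neither printable ASCII nor whitespace."""
    if not payload:
        return 0.0
    return sum(1 for b in payload if b not in PRINTABLE) / len(payload)


def longest_binary_run(payload: bytes) -> int:
    """Longest unbroken run of non-printable bytes (a code blob is one long run)."""
    best = cur = 0
    for b in payload:
        cur = cur + 1 if b not in PRINTABLE else 0
        best = max(best, cur)
    return best


def triage(lines, ratio_threshold=0.3, run_threshold=8):
    """Return (line, ratio, run) for lines an 8-bit-payload heuristic would flag.

    Thresholds are assumed values for illustration, not the vendor's.
    """
    hits = []
    for line in lines:
        raw = unescape_capture(line)
        ratio, run = suspicious_byte_ratio(raw), longest_binary_run(raw)
        if ratio >= ratio_threshold or run >= run_threshold:
            hits.append((line, round(ratio, 2), run))
    return hits
```

Running `triage(CAPTURED_LINES)` flags only the first line: 12 of its 27 bytes are outside printable ASCII, with a longest run of 6, which is enough for a content heuristic to fire whether or not the bytes are executable code.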
