Juniper NETWORK AND SECURITY MANAGER 2010.2 - ADMINISTRATION GUIDE REV1 Administration Manual page 959

Appendix E: Log Entries

SMTP:MAL:NOTES-BIGMAIL
Description: This signature detects large e-mail messages (>12 MB) sent to Lotus Domino servers via a commonly published exploit. Attackers may cause Lotus Domino to exhaust all system memory and cause the service to stop responding.
Severity: medium
Versions: sos5.1.0

SMTP:MAL:OUTLOOK-MAILTO-QUOT
Description: This signature detects attempts to exploit a vulnerability in the Outlook 2002 mail client. Attackers may use mailto: URLs that contain quotation mark (") strings to execute arbitrary script commands, enabling them to execute code remotely.
Severity: high
Versions: sos5.1.0

SMTP:MAL:SQM-CONTENT-XSS
Description: This signature detects attempts to exploit a vulnerability in SquirrelMail, a PHP4 Webmail package. Attackers may send e-mail messages that contain JavaScript in the Content-Type field; when SquirrelMail receives the message, it may interpret and execute the JavaScript, enabling the attacker to compromise the target system.
Severity: medium
Versions: sos5.0.0, sos5.1.0

SMTP:MDAEMON:SEND-OF
Description: This signature detects buffer overflow attempts against the MDaemon mail server. MDaemon 6.7.9 and older versions are vulnerable. Attackers may send an overly long SMTP SAML, SOML, or SEND command to overflow the buffer and crash the MDaemon service; attackers may also obtain complete control of the server with SYSTEM-level access.
Severity: high
Versions: sos5.1.0

SMTP:MSSQL-WORM-EMAIL
Description: This signature detects attempts to send an e-mail to ixltd@postone.com. This may indicate the presence of SQLsnake, an MSSQL worm. SQLsnake infects Microsoft SQL Servers that have SA (administrative) accounts without passwords. The worm sends a password list and other system information via e-mail to ixltd@postone.com, then begins scanning for vulnerable hosts listening on TCP/1433.
Severity: critical
Versions: sos5.0.0, sos5.1.0

SMTP:OVERFLOW:BOUNDARY
Description: This protocol anomaly is an SMTP message with a boundary length that exceeds 70 characters. The SMTP RFC specifies 70 as the maximum number of characters in a boundary.
Severity: medium
Versions: sos5.1.0

SMTP:OVERFLOW:COMMAND-LINE
Description: This protocol anomaly is a text line (in the command section, before the DATA command) in an SMTP connection that is too long. This may indicate a buffer overflow attempt.
Severity: high
Versions: sos5.0.0, sos5.1.0

SMTP:OVERFLOW:CONTENT-NAME
Description: This protocol anomaly is an SMTP content-type name that exceeds the user-defined maximum. The default maximum length of a content-type name is 128 bytes.
Severity: high
Versions: sos5.1.0

SMTP:OVERFLOW:EMAIL-ADDRESS
Description: This protocol anomaly is an e-mail address that is too long. This may indicate a buffer overflow attempt.
Severity: high
Versions: sos5.0.0, sos5.1.0

SMTP:OVERFLOW:EMAIL-DOMAIN
Description: This protocol anomaly is a domain name within an e-mail address (for example, localhost.localdomain in root@localhost.localdomain) that is too long. This may indicate a buffer overflow attempt.
Severity: high
Versions: sos5.0.0, sos5.1.0

SMTP:OVERFLOW:EMAIL-USERNAME
Description: This protocol anomaly is a user name within an e-mail address (for example, root in root@localhost.localdomain) that is too long. This may indicate a buffer overflow attempt.
Severity: high
Versions: sos5.0.0, sos5.1.0

Copyright © 2010, Juniper Networks, Inc.
909