November 19th, 2001, 03:00 AM
I'm publishing a POP3 server using ISA 2k. The mail server I'm using is called argo soft. In the ISA intrusion detection logs there was an entry "pop3 - buffer overflow detected". I wasn't aware there was one for the product. Now MS is real stingy with their info in ISA; that one line is all I could find. I don't know if it succeeded or not, and if they did, has the server been compromised or did it just crash a module?
November 19th, 2001, 03:18 AM
Well, it seems it said it was "detected" but probably didn't do anything, was probably meant for another POP3 service or just more worms on the internet. My logs are full of Nimda, Code Red, Code Blue, etc. attempts about 20 times every day. By overflow, it might have been someone trying a 1000 character username or just trying to send tons of junk like a fake e-mail with a 5000 character subject or something, hehe
If the module crashed, you would probably know. If you think it was compromised, try checking the security logs for anything out of the ordinary. Did any user accounts appear from nowhere? Are you getting tons of junk mail, is your bandwidth maxed out because the server is relaying to the world? If not, then you probably don't have much to worry about. If worse comes to worst and you still don't trust the server, just have the POP3 server app itself start logging every single thing that comes in. That's what I use on mine and I've actually seen some real funny messages in there like "I don't know what the *uck I'm doing in here" or "Your server is hacked, send me money to ****@hotmail.com"
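An added example, not part of the posts above: a small Python check over a POP3 command log of the kind the reply suggests keeping, flagging lines that break the RFC 1939 limits (printable ASCII, each argument at most 40 characters). The log layout, the addresses and the sample lines are constructed assumptions, not output from any particular mail server.

```python
import re

# RFC 1939: keywords are 3-4 characters, each argument is at most 40 characters,
# and both consist of printable ASCII.
MAX_TOKEN_LEN = 40
KNOWN = {"USER", "PASS", "APOP", "STAT", "LIST", "RETR", "DELE",
         "NOOP", "RSET", "TOP", "UIDL", "QUIT", "CAPA"}

# Assumed (hypothetical) log layout: "<date> <time> <client-ip> <raw command line>"
LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (.*)$")

def inspect_command(raw):
    """Return the reasons a raw POP3 command line looks abnormal (empty if none)."""
    reasons = []
    if any(ord(c) < 0x20 or ord(c) > 0x7E for c in raw):
        reasons.append("non-printable bytes")
    parts = raw.split(" ")
    if parts[0].upper() not in KNOWN:
        reasons.append("unknown keyword")
    longest = max(len(p) for p in parts)
    if longest > MAX_TOKEN_LEN:
        reasons.append(f"token of {longest} chars (limit {MAX_TOKEN_LEN})")
    return reasons

def scan(lines):
    """Return (timestamp, client, truncated command, reasons) for suspicious lines."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line.rstrip("\r\n"))
        if not m:
            continue  # not a command line in the assumed layout
        ts, client, raw = m.groups()
        reasons = inspect_command(raw)
        if reasons:
            # Truncate the command so a huge junk line does not flood the report.
            findings.append((ts, client, raw[:20], reasons))
    return findings

# Constructed sample log: two normal sessions plus two odd requests.
SAMPLE_LOG = [
    "2001-11-19 02:41:07 192.0.2.10 USER alice",
    "2001-11-19 02:41:09 192.0.2.10 RETR 1",
    "2001-11-19 02:58:31 198.51.100.7 USER " + "A" * 1000,
    "2001-11-19 02:58:33 198.51.100.7 XYZZY",
    "2001-11-19 03:01:12 192.0.2.10 STAT",
]

if __name__ == "__main__":
    for ts, client, cmd, reasons in scan(SAMPLE_LOG):
        print(ts, client, repr(cmd), "; ".join(reasons))
```

A hit only shows that an oversized or malformed request arrived; whether it had any effect still has to come from the server's own crash and security logs.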