GEN:SID 1:2105
Message IMAP authenticate literal overflow attempt
Summary This event is generated when a remote user uses the IMAP AUTHENTICATE command to send a suspiciously long string to port 143 on an internal server. This may indicate an attempt to exploit a buffer overflow vulnerability in the IMAP AUTHENTICATE command.
Impact Serious. Possible remote execution of arbitrary code, which may lead to a remote root compromise.
Detailed Information When a large amount of data is sent to a vulnerable IMAP server in the AUTHENTICATE command, a buffer overflow condition may occur. This can allow the attacker to execute arbitrary code, which may allow the attacker to gain root access to the compromised server.
Affected Systems Any operating system that runs University of Washington imapd version 10.234 and earlier.
Attack Scenarios An attacker can send a sufficiently long AUTHENTICATE command to the IMAP server, creating a buffer overflow condition. This can then allow the attacker to gain root access to the compromised server.
Ease of Attack Simple. Exploits exist.
Corrective Action Apply the appropriate patches for your operating system.

Check the host for signs of compromise.
Additional References Bugtraq
http://www.securityfocus.com/bid/130

CVE
http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=CVE-1999-0005

Nessus
http://cgi.nessus.org/plugins/dump.php3?id=11073
Rule References cve: 1999-0042
nessus: 10292