GEN:SID 1:2119
Message IMAP rename literal overflow attempt
Summary This event is generated when a remote user uses the IMAP RENAME command to send a suspiciously long string to port 143 on an internal server. This may indicate an attempt to exploit a buffer overflow vulnerability in the IMAP RENAME command.

Impact:
Possible shell access on the IMAP server, leading to arbitrary code execution. The attacker must have a valid IMAP account on the mail server to attempt this exploit.
Impact  
Detailed Information When a large amount of data is sent to a vulnerable IMAP server in the RENAME command, a buffer overflow condition may occur. This can allow the attacker to access the shell, where arbitrary code can be executed. Note that this exploit can only be attempted by a user with a valid IMAP account.
Affected Systems Any operating system that runs University of Washington imapd versions 10.234 or 12.264.
Attack Scenarios An attacker with an IMAP account on the server can send a sufficiently long RENAME command to the IMAP server, creating a buffer overflow condition. This can then allow the attacker to gain shell access on the compromised server, possibly leading to the execution of arbitrary code.
Ease of Attack Simple. Exploits exist, but the user must have a valid IMAP account on the server.
Corrective Action Apply the appropriate patches for your operating system.

Check the host for signs of compromise.
Additional References Bugtraq
http://www.securityfocus.com/bid/1110

CVE
http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=CVE-2000-0284

Nessus
http://cgi.nessus.org/plugins/dump.php3?id=10374
Rule References bugtraq: 1110
cve: 2000-0284
nessus: 10374