Full Disclosure mailing list archives

RE: SoBig.F strange problem


From: "Ben Nelson" <lists () venom600 org>
Date: Wed, 20 Aug 2003 22:03:39 -0600

On August 20, 7:09 am "Steve Bremer" <steveb () nebcoinc com> wrote:
 line). But it seems to be broken in other areas, I think I'm getting

We've noticed a few problems with it as well.  We've received a few
e-mails with one of the typical Sobig subject lines, only no
attachment.  The attachment headers are in the e-mail, so our MUA
thinks there is an attachment, but there is just no "body" to the
attachment.

Either there are a few broken variants out there sending out e-mail
without the payload, or something in-between us and the sender is
stripping out the attachment.  It isn't our AV system, since it would
quarantine the entire message.

Has anyone else experienced this?

Steve Bremer
NEBCO, Inc.
System & Security Administrator

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


I can confirm this behavior.  On my production mail servers we have seen a
lot of messages that meet the criteria you stated above.  I think there are
some mail clients out there that are resending the message but removing the
file attachment.  

I've also seen quite a few messages that have what appears to be a
truncated version of the malicious attachment or a replacement altogether
(which contains a few lines of some random character strings).

All told, in the last 4 hours we've 'quarantined' ~20,000 SoBig emails.

--Ben

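The symptom both posters describe (attachment headers present, but an empty or truncated attachment body) is easy to triage mechanically. The script below is an added example written for this archive page; it is not code from Steve or Ben, and the three sample messages are constructed, not captured Sobig.F traffic. The subject line, the filename and the 64-byte "too small to be a real payload" threshold are all assumptions chosen for illustration.

```python
"""Triage MIME messages whose headers declare an attachment but whose
attachment part is empty or implausibly small (the Sobig "headers only"
symptom).  Added example, not from the mailing-list thread."""
import base64
import email
from email import policy

# Constructed sample message.  {payload} is filled with the base64 body of
# the declared attachment; an empty string reproduces the "no body" case.
TEMPLATE = """\
From: sender@example.invalid
To: postmaster@example.invalid
Subject: Re: Your details
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/plain; charset=us-ascii

See the attached file for details.

--BOUNDARY
Content-Type: application/octet-stream; name="details.scr"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="details.scr"

{payload}
--BOUNDARY--
"""

SAMPLES = {
    # Attachment headers, no attachment body (Steve's case).
    "empty": TEMPLATE.format(payload="").encode(),
    # A few bytes of junk where the payload should be (Ben's "random strings").
    "junk": TEMPLATE.format(
        payload=base64.b64encode(b"xK9#q").decode()).encode(),
    # A payload of plausible size; 150 bytes is an arbitrary constructed stand-in.
    "full": TEMPLATE.format(
        payload=base64.b64encode(b"A" * 150).decode()).encode(),
}


def audit_attachments(raw: bytes, min_bytes: int = 64) -> dict:
    """Return the subject and, per declared attachment, its decoded size and
    a verdict: 'headers-only' (0 bytes), 'truncated' (< min_bytes) or
    'present'.  min_bytes is an assumed threshold, not a Sobig constant."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        # A part counts as a declared attachment if it is marked as one or
        # carries a filename, regardless of whether any bytes follow.
        if part.get_content_disposition() != "attachment" and not part.get_filename():
            continue
        data = part.get_payload(decode=True) or b""
        if len(data) == 0:
            verdict = "headers-only"
        elif len(data) < min_bytes:
            verdict = "truncated"
        else:
            verdict = "present"
        findings.append({"filename": part.get_filename(),
                         "size": len(data), "verdict": verdict})
    return {"subject": str(msg["subject"]), "attachments": findings}


def classify(raw: bytes, min_bytes: int = 64) -> str:
    """Collapse a message to its worst attachment verdict, so a mail filter
    can log 'headers-only' hits separately from real quarantines."""
    verdicts = [a["verdict"] for a in audit_attachments(raw, min_bytes)["attachments"]]
    if not verdicts:
        return "no-attachment"
    for worst in ("headers-only", "truncated"):
        if worst in verdicts:
            return worst
    return "present"


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, classify(raw), audit_attachments(raw)["attachments"])
```

Messages that land in the headers-only bucket carry no payload, so an AV engine that only looks at the decoded attachment sees nothing to match; counting them separately (as Ben's ~20,000 quarantined figure lumps everything together) makes it visible whether a gateway upstream is stripping the body or a broken variant is sending without one.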

