Full Disclosure mailing list archives

RE: [inbox] DoS of Antivir Gateways with huge amount of attatchments with same name


From: "Curt Purdy" <purdy () tecman com>
Date: Thu, 25 Sep 2003 10:32:47 -0500

Yes, very interesting Helmut.  In fact this has been an interesting month
for email admins with both Sobig and Swen.  Swen hosed up our Postfix server
with millions of messages to newsgroups, had to end up manually blocking
them.  Please keep us abreast of your results when you figure out which AV
it was.

Curt Purdy CISSP, GSEC, MCSE+I, CNE, CCDA
Information Security Engineer
DP Solutions

----------------------------------------

If you spend more on coffee than on IT security, you will be hacked.
What's more, you deserve to be hacked.
-- former White House cybersecurity czar Richard Clarke


-----Original Message-----
From: full-disclosure-admin () lists netsys com
[mailto:full-disclosure-admin () lists netsys com]On Behalf Of Helmut
Hauser
Sent: Wednesday, September 24, 2003 12:42 PM
To: full-disclosure () lists netsys com
Subject: [inbox] [Full-disclosure] DoS of Antivir Gateways with huge
amount of attatchments with same name


We got an E-Mail yesterday from one of our customers.
It had 291 (!) base64 coded attachments which caused our antivirus gateway
to fail.
Further investigation of this mail shows that there were saved html pages
with all pictures saved separately so there were 7 times the same picture(s)
in this mail with the same filename(s).
We have different Antivir products working together and one of them (still
can't figure out which one) has been fooled by the same filename(s) and
caused the gateway to fail. Very interesting.



Helmut Hauser
Systemadministration EDV

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
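
Added example, not code from either poster or from any antivirus product: a pre-scan check a mail gateway could run to count attachment parts and repeated filenames, the message shape reported in the thread, and quarantine the mail before it reaches the scanner chain. The limits, function names and the sample message are assumptions made for illustration.

```python
from collections import Counter
from email import message_from_bytes, policy
from email.message import EmailMessage

MAX_ATTACHMENTS = 100  # assumed site limit, not a value from the thread
MAX_SAME_NAME = 3      # assumed limit on parts sharing one filename

def attachment_stats(raw: bytes):
    """Count attachment parts and how often each filename recurs."""
    msg = message_from_bytes(raw, policy=policy.default)
    names, total = Counter(), 0
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()
        if filename is None and part.get_content_disposition() != "attachment":
            continue  # plain body part, not an attachment
        total += 1
        names[(filename or "<unnamed>").lower()] += 1
    return total, names

def triage(raw: bytes):
    """Return ("quarantine" | "scan", reasons) before any scanner runs."""
    total, names = attachment_stats(raw)
    reasons = []
    if total > MAX_ATTACHMENTS:
        reasons.append(f"{total} attachments exceeds limit {MAX_ATTACHMENTS}")
    repeated = sorted(n for n, c in names.items() if c > MAX_SAME_NAME)
    if repeated:
        reasons.append(f"{len(repeated)} filenames repeated more than {MAX_SAME_NAME} times")
    return ("quarantine" if reasons else "scan"), reasons

def build_sample(parts: int, distinct_names: int) -> bytes:
    """Constructed test message: small image parts cycling through a few names."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("saved web pages attached")
    for i in range(parts):
        msg.add_attachment(b"GIF89a", maintype="image", subtype="gif",
                           filename=f"img{i % distinct_names}.gif")
    return msg.as_bytes()

if __name__ == "__main__":
    print(triage(build_sample(291, 42)))  # 291 parts, as reported in the thread
    print(triage(build_sample(2, 2)))
```

Running the check before unpacking keeps a single oversized or repetitive message from taking down every scanner behind the gateway.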

