RE: [Full-Disclosure] SoBig.F strange problem

["Ben Nelson" <lists@venom600.org>]

On August 20, 7:09 am "Steve Bremer" <steveb@nebcoinc.com> wrote:
> >  line). But it seems to be broken in other areas, I think I'm getting
>
> We've noticed a few problems with it as well.  We've received a few e-
> mails with one of the typical Sobig subject lines, only no
> attachment.  The attachment headers are in the e-mail, so our MUA
> thinks there is an attachment, but there is just no "body" to the
> attachment.
>
> Either there are a few broken variants out there sending out e-mail
> without the payload, or something in-between us and the sender is
> stripping out the attachment.  It isn't our AV system, since it would
> quarantine the entire message.
>
> Has anyone else experienced this?
>
> Steve Bremer
> NEBCO, Inc.
> System & Security Administrator
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>

I can confirm this behavior.  On my production mail servers we have seen a
lot of messages that meet the criteria you stated above.  I think there are
some mail clients out there that are resending the message but removing the
file attachment.  

I've also seen quite a few messages that have what appears to be a
truncated version of the malicious attachment or a replacement all-together
(which contains a few lines of some random character strings).

All told, in the last 4 hours we've 'quarantined' ~20,000 SoBig emails.

--Ben

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html