Message-ID: <1276715e8dc18e5579fec0b7c370ccd8@venom600.org>
From: lists at venom600.org (Ben Nelson)
Subject: SoBig.F strange problem

On August 20, 7:09 am "Steve Bremer" <steveb@...coinc.com> wrote:
> >  line). But it seems to be broken in other areas, I think I'm getting
>
> We've noticed a few problems with it as well.  We've received a few e-
> mails with one of the typical Sobig subject lines, only no
> attachment.  The attachment headers are in the e-mail, so our MUA
> thinks there is an attachment, but there is just no "body" to the
> attachment.
>
> Either there are a few broken variants out there sending out e-mail
> without the payload, or something in-between us and the sender is
> stripping out the attachment.  It isn't our AV system, since it would
> quarantine the entire message.
>
> Has anyone else experienced this?
>
> Steve Bremer
> NEBCO, Inc.
> System & Security Administrator
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>

I can confirm this behavior.  On my production mail servers we have seen a
lot of messages that meet the criteria you stated above.  I think there are
some mail clients out there that are resending the message but removing the
file attachment.  

I've also seen quite a few messages that have what appears to be a
truncated version of the malicious attachment or a replacement altogether
(which contains a few lines of some random character strings).

All told, in the last 4 hours we've 'quarantined' ~20,000 SoBig emails.

--Ben
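The two anomalies described in this thread (attachment headers present with no attachment body, and attachments that survive only as a few lines of junk) can be triaged from the raw message without executing anything. The following is an added example, not code from either poster; the two messages it parses are constructed samples, and the 1024-byte "truncated" threshold is an assumed cut-off, not a figure from the thread.

```python
import email
from email import policy

# Constructed sample (not from the thread): Sobig-style subject, attachment
# headers present, but the attachment part has no body at all.
HEADER_ONLY = b"""From: someone@example.invalid
To: postmaster@example.invalid
Subject: Re: Details
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

See the attached file for details.
--b1
Content-Type: application/octet-stream; name="your_details.pif"
Content-Disposition: attachment; filename="your_details.pif"
Content-Transfer-Encoding: base64

--b1--
"""

# Second constructed sample: the attachment survives only as a few bytes of
# base64, i.e. a truncated or replaced payload rather than a real executable.
TRUNCATED = HEADER_ONLY.replace(b"base64\n\n--b1--", b"base64\n\nQUJDREVGR0g=\n--b1--")


def audit_attachments(raw: bytes, min_bytes: int = 1024) -> list[dict]:
    """One finding per attachment part: filename, decoded size and a verdict.

    verdict is 'header-only' (no payload at all), 'truncated' (payload shorter
    than min_bytes, an assumed threshold) or 'ok'."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # container, not a leaf part
        if part.get_content_disposition() != "attachment" and not part.get_filename():
            continue  # inline text body, not an attachment
        payload = part.get_payload(decode=True) or b""  # decodes the base64 body
        size = len(payload)
        verdict = "header-only" if size == 0 else "truncated" if size < min_bytes else "ok"
        findings.append({"filename": part.get_filename(), "size": size, "verdict": verdict})
    return findings


if __name__ == "__main__":
    for label, raw in (("header-only sample", HEADER_ONLY), ("truncated sample", TRUNCATED)):
        print(label, audit_attachments(raw))
```

A message that carries a Sobig-style subject and a `header-only` or `truncated` attachment part is exactly what the posters describe; counting such verdicts on a mail gateway gives a quick measure of how many of the quarantined messages never carried a working payload.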

