On August 20, 7:09 am "Steve Bremer" <[EMAIL PROTECTED]> wrote:
> > line). But it seems to be broken in other areas, I think I'm getting
>
> We've noticed a few problems with it as well. We've received a few
> e-mails with one of the typical Sobig subject lines, only no
> attachment. The attachment headers are in the e-mail, so our MUA
> thinks there is an attachment, but there is just no "body" to the
> attachment.
>
> Either there are a few broken variants out there sending out e-mail
> without the payload, or something in-between us and the sender is
> stripping out the attachment. It isn't our AV system, since it would
> quarantine the entire message.
>
> Has anyone else experienced this?
>
> Steve Bremer
> NEBCO, Inc.
> System & Security Administrator
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html

I can confirm this behavior. On my production mail servers we have seen a lot of messages that meet the criteria you stated above. I think there are some mail clients out there that are resending the message but removing the file attachment. I've also seen quite a few messages that have what appears to be a truncated version of the malicious attachment or a replacement altogether (which contains a few lines of some random character strings).

All told, in the last 4 hours we've 'quarantined' ~20,000 SoBig emails.

--Ben
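
A check for the condition described in this thread (attachment headers present, payload missing or cut short), as an added example that is not part of either poster's message. It walks the MIME parts with Python's standard `email` package; the function names, the 1024-byte threshold and the sample message are constructed assumptions.

```python
import base64
from email import message_from_bytes, policy

MIN_PLAUSIBLE_BYTES = 1024  # assumption: tune to the payload sizes you expect

def attachment_findings(raw: bytes):
    """Return (filename, decoded_size, verdict) for each declared attachment."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()
        if filename is None and part.get_content_disposition() != "attachment":
            continue  # ordinary body part: no attachment declared
        # decode=True undoes base64/quoted-printable; None means no payload
        payload = part.get_payload(decode=True) or b""
        size = len(payload.strip())  # whitespace-only counts as empty
        if size == 0:
            verdict = "headers-only"
        elif size < MIN_PLAUSIBLE_BYTES:
            verdict = "truncated-or-replaced"
        else:
            verdict = "present"
        findings.append((filename, size, verdict))
    return findings

def build_sample(attachment_body: bytes) -> bytes:
    """Constructed message: a text part plus one declared attachment."""
    encoded = base64.encodebytes(attachment_body).decode("ascii")
    return (
        "From: sender@example.invalid\r\n"
        "Subject: constructed sample\r\n"
        "MIME-Version: 1.0\r\n"
        'Content-Type: multipart/mixed; boundary="XBOUND"\r\n'
        "\r\n"
        "--XBOUND\r\n"
        "Content-Type: text/plain\r\n"
        "\r\n"
        "constructed body text\r\n"
        "--XBOUND\r\n"
        'Content-Type: application/octet-stream; name="sample.bin"\r\n'
        "Content-Transfer-Encoding: base64\r\n"
        'Content-Disposition: attachment; filename="sample.bin"\r\n'
        "\r\n" + encoded + "--XBOUND--\r\n"
    ).encode("ascii")

if __name__ == "__main__":
    for body in (b"", b"x" * 40, b"A" * 4096):
        print(attachment_findings(build_sample(body)))
```

Run over a quarantine directory, the per-verdict counts show how much of the volume carries a full payload versus headers only or a short replacement.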
