RE: [Incidents] Sobig.F style email with no attachments
From: Mahoney, Paul (paul_at_pmandzsh.freeserve.co.uk)
Date: 08/23/03
- Previous message: Ryan McConky: "Re: ICMP port 2048 scans"
- In reply to: Rich Puhek: "Sobig.F style email with no attachments"
- Next in thread: Pete Phillips: "Re: Sobig.F style email with no attachments"
To: "'Rich Puhek'" <rpuhek@etnsystems.com>, <incidents@securityfocus.com>
Date: Sat, 23 Aug 2003 14:02:01 -0700
Sounds to me like the attachments are being stripped by some av on a
mail server or gateway.
Paul Mahoney
www.fiberstarr.com
-----Original Message-----
From: Incidents-admin@fiberstarr.com
[mailto:Incidents-admin@fiberstarr.com] On Behalf Of Rich Puhek
Sent: Thursday, August 21, 2003 8:20 AM
To: incidents@securityfocus.com
Subject: [Incidents] Sobig.F style email with no attachments
I've been seeing a handful of emails that look a lot like Sobig.F (same
or similar subjects, same body), but do not contain the attachment.
Does anyone know what's going on? I'm thinking that either:
1) Someone is using similar messages to probe email accounts
2) A new version of Sobig is out (perhaps probing accounts first, then
sending the payload later?)
3) Something is broken with Sobig.F, causing it to fail to attach from
time to time.
I have several copies available if anyone is interested. I haven't
dissected the headers, etc. to look for similarities or differences with
Sobig.F messages.
--Rich
_________________________________________________________
Rich Puhek
ETN Systems Inc.
2125 1st Ave East
Hibbing MN 55746
tel: 218.262.1130
email: rpuhek@etnsystems.com
_________________________________________________________
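Added example, not part of the original thread: one way to test the stripped-in-transit explanation against the others is to look at each saved copy's MIME structure, since a message that still declares a `multipart/mixed` container but carries no attachment part is consistent with a gateway removing it, while a plain `text/plain` message was sent without one. The sample messages, the `triage` helper, the verdict labels and the `constructed-gateway` header value are all constructed for illustration, and the verdict is a triage hint rather than proof.

```python
from email import message_from_string

# Constructed sample messages (not taken from the thread).
HDR = "From: a@example.com\nSubject: constructed sample\nMIME-Version: 1.0\n"
MIXED = HDR + 'Content-Type: multipart/mixed; boundary="B1"\n\n'
TEXT = "--B1\nContent-Type: text/plain\n\nconstructed body\n"
BLOB = ("--B1\nContent-Type: application/octet-stream\n"
        'Content-Disposition: attachment; filename="constructed.bin"\n'
        "Content-Transfer-Encoding: base64\n\ncGxhY2Vob2xkZXI=\n")
SAMPLES = {
    "intact": MIXED + TEXT + BLOB + "--B1--\n",
    # Same container, attachment part gone, scanner header added in transit.
    "stripped": "X-Virus-Scanned: constructed-gateway\n" + MIXED + TEXT + "--B1--\n",
    "plain": HDR + "Content-Type: text/plain\n\nconstructed body\n",
}


def triage(raw):
    """Return (verdict, scanner_headers) for one raw RFC 822 message."""
    msg = message_from_string(raw)
    # Leaf parts are the ones that can actually carry a body or an attachment.
    leaves = [p for p in msg.walk() if not p.is_multipart()]
    attached = [p for p in leaves
                if p.get_filename() or p.get_content_disposition() == "attachment"]
    # Headers left behind by mail scanners hint that a gateway touched the message.
    scanners = [h for h in msg.keys() if h.lower().startswith("x-virus")]
    if attached:
        verdict = "attached"
    elif msg.get_content_type() == "multipart/mixed":
        # Container built to hold an attachment, but none is left inside it.
        verdict = "stripped-candidate"
    else:
        verdict = "never-attached"
    return verdict, scanners


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, triage(raw))
```
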