Zero-length attachments

Dan Farmer dan.farmer at PHONEDIR.COM
Wed Oct 1 22:32:59 IST 2003


I had quite a few damaged copies of Sobig.F come through which were not
the normal size of Sobig, nor were they 0 bytes either. Since I was
blocking subject lines, the only ones that got through to the virus
scanner were usually bounced copies with a subject like 'Returned mail:
undeliverable user unknown', so it could be that the mail daemon was
responsible for truncating the virus. I did also get 0 byte copies as
well.

The undamaged viruses were caught by clamav, the damaged ones were
stripped by the filename checks not clamav, and the 0 byte ones were
stripped by filename checks as well. What exactly would be the point of
allowing the 0 byte version of a virus through?

I understand your point that it would be very hard for a 0 byte file to
be harmful, but it just feels wrong to tell users all .exe files will
be blocked, and then allow a 0 byte attachment named patch.exe to come
through in an email that to most users looks like a perfectly
legitimate email from Microsoft.

Dan

On Wednesday, October 1, 2003, at 02:22  PM, Antony Stone wrote:

> Also, in the example I gave of Sobig.F, where sometimes the virus doesn't
> propagate correctly, and ends up sending a zero-byte file instead of a virus,
> I'm not aware of "near-misses", where one byte gets sent, or two bytes, etc.
> It's either zero, or a virus.
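The distinction the thread turns on, filename checks that fire regardless of size versus a content scanner that needs a complete sample, is easy to show in code. The following is an added example, not code from the original post or from MailScanner, and it does not call ClamAV: the signature scanner is a stand-in that hashes the payload against a constructed blocklist, and the mail, the "patch.exe" attachment and the Sobig-like sample bytes are all constructed here. It goes slightly beyond the post by also running a truncated copy of the sample through both checks, to show why a damaged virus is caught by the filename rule but not by a signature.

```python
import email
import hashlib
from email import policy
from email.message import EmailMessage

# Constructed stand-in for a scanner's signature database: a blocklist of
# SHA-256 digests of complete samples. Real ClamAV signatures are not used.
SAMPLE_MALWARE_BODY = b"MZ" + b"\x90" * 64 + b"constructed-sobig-like-sample"
KNOWN_BAD_SHA256 = {hashlib.sha256(SAMPLE_MALWARE_BODY).hexdigest()}

# Filename rules in the spirit of MailScanner's filename checks (assumed list):
# a match is decided by the name alone, never by payload size or content.
BLOCKED_EXTENSIONS = {".exe", ".pif", ".scr", ".com", ".bat"}


def filename_blocked(filename: str) -> bool:
    """Block by extension, independent of how many bytes the payload has."""
    if not filename:
        return False
    lower = filename.lower()
    return any(lower.endswith(ext) for ext in BLOCKED_EXTENSIONS)


def content_blocked(payload: bytes) -> bool:
    """Signature-scan stand-in: only an exact, complete sample matches.
    A zero-byte or truncated copy hashes to something else and passes."""
    return hashlib.sha256(payload).hexdigest() in KNOWN_BAD_SHA256


def check_attachments(raw: bytes, use_filename_rules: bool = True):
    """Scan every attachment of a raw RFC 2822 message.

    Returns one (filename, size, verdict, reason) tuple per attachment.
    Filename rules run first, then the content scanner, mirroring the order
    described in the post (filename checks strip before the scanner sees it).
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        if use_filename_rules and filename_blocked(name):
            results.append((name, len(payload), "blocked", "filename"))
        elif content_blocked(payload):
            results.append((name, len(payload), "blocked", "signature"))
        else:
            results.append((name, len(payload), "allowed", "no match"))
    return results


def build_message(filename: str, payload: bytes) -> bytes:
    """Constructed test mail styled like the fake Microsoft patch notices."""
    msg = EmailMessage()
    msg["From"] = "Microsoft <support@example.invalid>"  # constructed sender
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "New Internet Critical Patch"
    msg.set_content("Please install the attached patch.")
    msg.add_attachment(payload, maintype="application",
                       subtype="octet-stream", filename=filename)
    return bytes(msg)


if __name__ == "__main__":
    cases = [
        ("zero-byte patch.exe", build_message("patch.exe", b"")),
        ("complete sample", build_message("patch.exe", SAMPLE_MALWARE_BODY)),
        ("truncated sample", build_message("patch.exe", SAMPLE_MALWARE_BODY[:40])),
        ("plain text file", build_message("report.txt", b"quarterly figures")),
    ]
    for label, raw in cases:
        with_names = check_attachments(raw)
        scanner_only = check_attachments(raw, use_filename_rules=False)
        print(f"{label:20} filename+scanner={with_names[0][2]:7} "
              f"scanner only={scanner_only[0][2]}")
```

Run stand-alone, it shows the zero-byte and truncated copies are "allowed" when only the content scanner runs and "blocked" once the filename rule is in front of it, which is the behaviour the post describes for the damaged Sobig.F copies.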


