The Paris Hilton DoS

I was going through the outbound viruses last night. Most were false positives on ESPN or CNN web pages that were pasted into an email message (the scanner didn’t like the javascript). But one was called Exploit/BigEmail. That sounded kind of interesting. First I did a search to look for AV vendors with a virus named that. It sounded to me like the vendor was stopping large messages to avoid denial of service attacks.

I checked through the logs and it turned out to be a 365 MB mail message with a file named Paris-DivX505-A.avi. It didn’t take much detective work to conclude that a user was sending out the Paris Hilton sex tape via email! (the use of that term aught to get the hit count up a bit).
I thought that was freakin hilarious. I think the lesson to be learned here is its a good idea to have a maximum message size and enforce it at all levels. Even a very large limit like 100 MB would have prevented this message from being processed by exchange, scanned by trend micro, processed by sendmail before being stopped. This could have been really bad for the infrastructure.