FW: Re: dw_sta.zip

Julian Field jkf at ecs.soton.ac.uk
Wed Oct 3 09:20:58 IST 2001

At 09:02 03/10/2001, you wrote:
>Could Mailscanner provide a configurable option that would limit the
>size to which an attachment can expand? This would be an addition to the
>timeout controls.

The zip and other archive expansion is done by the commercial virus
checker, so it's down to them to impose limits like this. I don't actually
unpack the zip file at all, I leave the job to the commercial checkers
(which can all do it).

>-----Original Message-----
>From: Dennis Davis [mailto:D.H.Davis at BATH.AC.UK]
>Sent: 02 October 2001 16:43
>Subject: Re: dw_sta.zip
> >Date:         Tue, 2 Oct 2001 15:54:30 +0100
> >Sender:       UK Security <UK-SECURITY at jiscmail.ac.uk>
> >From:         Simon Baker <s.baker at ukerna.ac.uk>
> >Subject:      Re: dw_sta.zip
> >To:           UK-SECURITY at jiscmail.ac.uk
> >
> >At 15:32 02/10/01 +0100, you wrote:
> >>The other thing to watch for are "zip of death" files that either
> >>unpack ad infinitum (to many 100's of terabytes if allowed), or that
> >>loop while producing no output.
> >
> >Yeah, dd if=/dev/zero of=myhugefile can create these.... gzip -9'ing
> >them gets them down to a *v* small size, using a block sorting
> >algorithm compressor such as bzip2 can provide amazing results...
> >
> >e.g.
> >c0ke# dd if=/dev/zero of=112M bs=512 count=229500
> >229500+0 records in
> >229500+0 records out
> >117504000 bytes transferred in 49 secs (2398040 bytes/sec) c0ke# bzip2
> >112M
> >bzip2: --repetitive-best is redundant in versions 0.9.5 and above
> >   112M:
> >     block 1: crc = 0x e09e2df, combined CRC = 0x e09e2df, size =
> >     too repetitive; using fallback sorting algorithm
> >     block 2: crc = 0x e09e2df, combined CRC = 0x121a2761, size =
> >     too repetitive; using fallback sorting algorithm
> >     block 3: crc = 0x8796ae9b, combined CRC = 0xa3a2e059, size =
> >     too repetitive; using fallback sorting algorithm
> >     final combined CRC = 0xa3a2e059
> >    1068218.182:1,  0.000 bits/byte, 100.00% saved, 117504000 in, 110
> >out. c0ke# ll 112M.bz2
> >-rw-r--r--  1 root  wheel  110 Oct  2 15:48 112M.bz2
> >
> >
> >So, 110bytes isn't too bad... is it?!?!?!
>Quite.  An ex-colleague, Mark Hindess, and I were discussing this
>problems about a year or more ago.  The example that Mark came up with
>dd if=/dev/zero bs=1048576 count=1024|bzip2 >1gigunpacked.bz2
>This produces a compressed file of just some 785 bytes which expands to
>a gigabyte of zeroes on disc.
>Chaos can result if a devious mutant throws such a file at a mail server
>which attempts to exand all email and scan it for viruses. You can
>almost hear the solids hitting the air-conditioning :-(
>Fortunately help is at hand.  Dan Bernstein has a nifty little program,
>softlimit, which is part of his daemontools package.  Just run your file
>expansion under the control of softlimit.  And set the output file size
>limit to a suitable multiple of the input file size.  A multiplier of 50
>or so should be more than generous for "normal" files.
>The above may, of course, let through a few carefully contrived or
>pathological examples.  And then possibly blow up an unfortunate user.
>But that's preferable to blowing up a much-prized mail server...
>UK-Security is a closed mailing list for the discussion of issues
>relating to computer security. A related list, uk-security-announce,
>receives only the announcements sent to this list by JANET-CERT, and not
>the discussion.
>Subscribers may unsubscribe from the uk-security list by sending mail to
>JISCMAIL at JISCMAIL.AC.UK with leave uk-security as the *body* of the
>Questions about list policies should be sent to
>UK-SECURITY-REQUEST at JISCMAIL.AC.UK, NOT to the list address. ====

Julian Field                Teaching Systems Manager
jkf at ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                             Southampton SO17 1BJ

More information about the MailScanner mailing list