'Empty' zip files?

Remco Barendse mailscanner at BARENDSE.TO
Mon Aug 9 14:20:31 IST 2004


<x-flowed>
I don't know really :)

I think it is MailScanner that converted the filename that came with the
email (user at domain.com.zip) to a 'normal' filename like userdomain.com.zip

What worries me more is that the e-mail does seem to have some sort of 
payload for the attachment but mailscanner apparently is unable to 
decode/scan it properly. This means that if my filename rules had not 
stopped the mail, MailScanner would have considered the e-mail as 
harmless (empty zip file and zips are allowed) and would have delivered 
the message.

Not sure what is causing this behaviour, maybe the mime decoder is not 
able to decode the attachment properly which passes the 0 size 
attachment to MailScanner.

I still have the df/qf pair if anyone is interested :)



On Mon, 9 Aug 2004, Alex Neuman wrote:

> This message in particular "tripped" Norton Antivirus 2004 for Windows.
> Scared the #@Ñ/)/!! out of me, since I haven't *ever* seen the antivirus pop
> up and say it found something since I installed MS so many months ago.
>
> I usually have to get rid of the "catch all double extensions" rule because
> of clients who insist on being able to name their files whatever they want;
> I guess this means I'll have to use rules to disallow "dot + three
> characters + dot zip"...
>
> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On Behalf
> Of Remco Barendse
> Sent: Monday, August 09, 2004 4:42 AM
> To: MAILSCANNER at JISCMAIL.AC.UK
> Subject: 'Empty' zip files?
>
> Guess this is slightly off-topic but we are getting viruses with a zipfile
> (in the form of usernamemydomainname.com.zip)
>
> MailScanner traps these zip files because of filename rules. The strange
> thing is however that MS is just reporting a filename problem and no
> virus name. The zip file in /var/spool/MailScanner/quarantine has a file
> size of 0 (that would explain why no virus was reported) but I think the
> zip file may not be 0 size on every client.
>
> When I look into the df/qf pair there is a considerable amount of
> data in it that would be for the attachment.
>
> Could there be something wrong with the mime decoder and would M$ Outlook
> be able to decode it properly (which would potentially mean that we would
> be vulnerable to the virus)?
>
> I will paste the top part of the df file here:
>
> This is a multi-part message in MIME format.
>
> ------=_NextPart_000_0005_653AB3AB.01F72A06
> Content-Type: text/plain;
>         charset=us-ascii
> Content-Transfer-Encoding: base64
>
>

-------------------------- MailScanner list ----------------------
To leave, send    leave mailscanner    to jiscmail at jiscmail.ac.uk
Before posting, please see the Most Asked Questions at
http://www.mailscanner.biz/maq/     and the archives at
http://www.jiscmail.ac.uk/lists/mailscanner.html
</x-flowed>
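An added example (not code from the thread or from MailScanner) that reproduces on a constructed message the failure mode discussed above: a MIME parser splits the raw stream at boundaries only, so a boundary and attachment headers that sit inside a base64-encoded text body never become a part of their own, while the attachment the parser does expose is zero bytes long, which a plain "zips are allowed" check would pass. The checks below flag both conditions; the boundary, filenames and payload are constructed, not taken from the original df file.

```python
import base64
import email
import re
from email import policy
# Constructed sample, modelled on the structure discussed in the thread (not the
# original df file): a base64-encoded text/plain part whose decoded text carries a
# MIME boundary, attachment headers and a payload, followed by the attachment the
# outer parser does see, which is zero bytes long.
BOUNDARY = "----=_NextPart_000_0005_CONSTRUCTED"
ZIP_NAME = "userexample.com.zip"
EMPTY_ZIP = b"PK\x05\x06" + b"\x00" * 18  # smallest valid (empty) zip archive, constructed
ATTACH_HDRS = (f'Content-Type: application/zip; name="{ZIP_NAME}"\r\n'
               "Content-Transfer-Encoding: base64\r\n"
               f'Content-Disposition: attachment; filename="{ZIP_NAME}"\r\n\r\n')
HIDDEN_TEXT = ("Dear user,\r\n\r\nPlease follow the instructions in the attached file.\r\n\r\n"
               + f"--{BOUNDARY}\r\n" + ATTACH_HDRS + base64.b64encode(EMPTY_ZIP).decode() + "\r\n")
RAW = (f'MIME-Version: 1.0\r\nContent-Type: multipart/mixed; boundary="{BOUNDARY}"\r\n\r\n'
       + f"--{BOUNDARY}\r\nContent-Type: text/plain; charset=us-ascii\r\n"
       + "Content-Transfer-Encoding: base64\r\n\r\n" + base64.b64encode(HIDDEN_TEXT.encode()).decode()
       + f"\r\n--{BOUNDARY}\r\n" + ATTACH_HDRS + f"\r\n--{BOUNDARY}--\r\n")
MIME_HDR = re.compile(rb"(?mi)^content-(?:type|disposition|transfer-encoding):")
FILENAME = re.compile(rb'(?i)\bfilename="?([^"\r\n;]+)')


def leaf_parts(raw: str):
    """(filename, content type, decoded bytes) for every non-multipart part."""
    msg = email.message_from_string(raw, policy=policy.default)
    return [(p.get_filename(), p.get_content_type(), p.get_payload(decode=True) or b"")
            for p in msg.walk() if not p.is_multipart()]


def visible_attachments(raw: str):
    """What a filename/size check sees: only the parts the MIME parser split out."""
    return [(name, len(data)) for name, _, data in leaf_parts(raw) if name]


def hidden_mime_findings(raw: str):
    """Decoded bodies that themselves contain MIME part headers: the parser never
    split that content into a part, so a per-attachment scan never looked at it."""
    findings = []
    for _, ctype, data in leaf_parts(raw):
        if MIME_HDR.search(data):
            m = FILENAME.search(data)
            findings.append((ctype, m.group(1).decode() if m else None))
    return findings


def verdict(raw: str):
    """Reasons to quarantine instead of treating 'empty zip, zips allowed' as harmless."""
    reasons = [f"zero-byte attachment {n!r}" for n, size in visible_attachments(raw) if size == 0]
    reasons += [f"MIME headers inside decoded {c} body (hidden file {f!r})"
                for c, f in hidden_mime_findings(raw)]
    return reasons
```

Run against a real df file, the same two checks give a reason to quarantine even when no virus name is reported and the only visible attachment is empty.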