'Empty' zip files?

Remco Barendse mailscanner at BARENDSE.TO
Wed Aug 11 16:16:25 IST 2004


Am I the only one seeing these 'empty' attachments in the quarantine dir 
but a considerable payload in the df file?

Cheers!
Remco


On Mon, 9 Aug 2004, Remco Barendse wrote:

> I don't know really :)
>
> I think it is MailScanner that converted the filename that came with the
> email (user at domain.com.zip) to a 'normal' filename like userdomain.com.zip
>
> What worries me more is that the e-mail does seem to have some sort of 
> payload for the attachment but mailscanner apparently is unable to 
> decode/scan it properly. This means that if my filename rules had not 
> stopped the mail, MailScanner would have considered the e-mail harmless 
> (empty zip file, and zips are allowed) and would have delivered the message.
>
> Not sure what is causing this behaviour; maybe the mime decoder is not able 
> to decode the attachment properly, which passes the 0 size attachment to 
> MailScanner.
>
> I still have the df/qf pair if anyone is interested :)
>
>
>
> On Mon, 9 Aug 2004, Alex Neuman wrote:
>
>> This message in particular "tripped" Norton Antivirus 2004 for Windows.
>> Scared the #@Ñ/)/!! out of me, since I haven't *ever* seen the antivirus 
>> pop up and say it found something since I installed MS so many months ago.
>> 
>> I usually have to get rid of the "catch all double extensions" rule because
>> of clients who insist on being able to name their files whatever they want;
>> I guess this means I'll have to use rules to disallow "dot + three
>> characters + dot zip"...
>> 
>> -----Original Message-----
>> From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On 
>> Behalf Of Remco Barendse
>> Sent: Monday, August 09, 2004 4:42 AM
>> To: MAILSCANNER at JISCMAIL.AC.UK
>> Subject: 'Empty' zip files?
>> 
>> Guess this is slightly off-topic but we are getting viruses with a zipfile
>> (in the form of usernamemydomainname.com.zip)
>> 
>> MailScanner traps these zip files because of filename rules. The strange
>> thing is however that MS is just reporting a filename problem and no
>> virus name. The zip file in /var/spool/MailScanner/quarantine has a file
>> size of 0 (that would explain why no virus was reported) but I think the
>> zip file may not be 0 size on every client.
>> 
>> When I look into the df/qf pair there is a considerable amount of
>> data in it that would be for the attachment.
>> 
>> Could there be something wrong with the mime decoder, and would M$ Outlook
>> be able to decode it properly (which would potentially mean that we would
>> be vulnerable to the virus)?
>> 
>> I will paste the top part of the df file here:
>> 
>> This is a multi-part message in MIME format.
>> 
>> ------=_NextPart_000_0005_653AB3AB.01F72A06
>> Content-Type: text/plain;
>>        charset=us-ascii
>> Content-Transfer-Encoding: base64
>> 
>> RGVhciB1c2VyIG9mIHh4eC5jb20sDQoNCllvdXIgZW1haWwgYWNjb3VudCBoYXMgYmVlbiB1
>> c2VkIHRvIHNlbmQgYSBodWdlIGFtb3VudCBvZiBzcGFtIG1lc3NhZ2VzDQpkdXJpbmcgdGhp
>> cyB3ZWVrLg0KV2Ugc3VzcGVjdCB0aGF0IHlvdXIgY29tcHV0ZXIgaGFkIGJlZW4gY29tcHJv
>> bWlzZWQgYW5kIG5vdyBydW5zIGEgdHJvamFuZWQNCnByb3h5IHNlcnZlci4NCg0KUGxlYXNl
>> IGZvbGxvdyBpbnN0cnVjdGlvbnMgaW4gdGhlIGF0dGFjaGVkIGZpbGUgaW4gb3JkZXIgdG8g
>> a2VlcCB5b3VyDQpjb21wdXRlciBzYWZlLg0KDQpCZXN0IHdpc2hlcywNCnh4eC5jb20gc3Vw
>> cG9ydCB0ZWFtLg0KDQoNCi0tLS0tLT1fTmV4dFBhcnRfMDAwXzAwMDVfNjUzQUIzQUIuMDFG
>> NzJBMDYNCkNvbnRlbnQtVHlwZTogcGxhaW4vdGV4dDsNCgluYW1lPSJOb3J0b24gQW50aVZp
>> cnVzIERlbGV0ZWQxLnR4dCINCkNvbnRlbnQtVHJhbnNmZXItRW5jb2Rpbmc6IGJhc2U2NA0K
>> Q29udGVudC1EaXNwb3NpdGlvbjogYXR0YWNobWVudDsNCiAgICAgICAgIGZpbGVuYW1lPSJO
>> b3J0b24gQW50aVZpcnVzIERlbGV0ZWQxLnR4dCINCg0KVG05eWRHOXVJRUZ1ZEdsV2FYSjFj
>> eUJ5WlcxdmRtVmtJSFJvWlNCaGRIUmhZMmh0Wlc1ME9pQjFjMlZ5UUhoNGVDNWpiMjB1DQpl
>> bWx3TGcwS1ZHaGxJRmN6TWk1TmVXUnZiMjB1VFVCdGJTQjBhSEpsWVhRZ2QyRnpJR1JsZEdW
>> amRHVmtJR2x1SUhSb1pTQmgNCmRIUmhZMmh0Wlc1MExnPT0NCg==
>> 
>> -------------------------- MailScanner list ----------------------
>> To leave, send    leave mailscanner    to jiscmail at jiscmail.ac.uk
>> Before posting, please see the Most Asked Questions at
>> http://www.mailscanner.biz/maq/     and the archives at
>> http://www.jiscmail.ac.uk/lists/mailscanner.html
>> 
>

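A gateway-side triage script for the situation described in this thread, added here as an example; it is not MailScanner code. It parses a raw message with Python's email module and reports, for each leaf MIME part, the size of the still-encoded body against what actually decodes, so that an attachment which decodes to 0 bytes, a body the parser had to guess at, data sitting outside any parsed part, or a MIME boundary hidden inside a base64-encoded text body is held for review instead of being delivered as harmless. The text/plain part is the fragment pasted in the original post, so its boundary and base64 are the thread's own; the envelope headers, the empty userdomain.com.zip part and the blob after the closing boundary are constructed for the demo. Placing the payload after the closing boundary is one constructed way an attachment can look empty to a MIME parser while the df file still carries data; the thread does not establish that this is what happened here.

```python
import base64
import email

# Boundary taken from the df fragment pasted in the thread (the delimiter line
# minus its leading "--").
BOUNDARY = "----=_NextPart_000_0005_653AB3AB.01F72A06"

# The base64 text/plain body exactly as pasted in the original post.
PASTED_TEXT_BODY = "\r\n".join([
    "RGVhciB1c2VyIG9mIHh4eC5jb20sDQoNCllvdXIgZW1haWwgYWNjb3VudCBoYXMgYmVlbiB1",
    "c2VkIHRvIHNlbmQgYSBodWdlIGFtb3VudCBvZiBzcGFtIG1lc3NhZ2VzDQpkdXJpbmcgdGhp",
    "cyB3ZWVrLg0KV2Ugc3VzcGVjdCB0aGF0IHlvdXIgY29tcHV0ZXIgaGFkIGJlZW4gY29tcHJv",
    "bWlzZWQgYW5kIG5vdyBydW5zIGEgdHJvamFuZWQNCnByb3h5IHNlcnZlci4NCg0KUGxlYXNl",
    "IGZvbGxvdyBpbnN0cnVjdGlvbnMgaW4gdGhlIGF0dGFjaGVkIGZpbGUgaW4gb3JkZXIgdG8g",
    "a2VlcCB5b3VyDQpjb21wdXRlciBzYWZlLg0KDQpCZXN0IHdpc2hlcywNCnh4eC5jb20gc3Vw",
    "cG9ydCB0ZWFtLg0KDQoNCi0tLS0tLT1fTmV4dFBhcnRfMDAwXzAwMDVfNjUzQUIzQUIuMDFG",
    "NzJBMDYNCkNvbnRlbnQtVHlwZTogcGxhaW4vdGV4dDsNCgluYW1lPSJOb3J0b24gQW50aVZp",
    "cnVzIERlbGV0ZWQxLnR4dCINCkNvbnRlbnQtVHJhbnNmZXItRW5jb2Rpbmc6IGJhc2U2NA0K",
    "Q29udGVudC1EaXNwb3NpdGlvbjogYXR0YWNobWVudDsNCiAgICAgICAgIGZpbGVuYW1lPSJO",
    "b3J0b24gQW50aVZpcnVzIERlbGV0ZWQxLnR4dCINCg0KVG05eWRHOXVJRUZ1ZEdsV2FYSjFj",
    "eUJ5WlcxdmRtVmtJSFJvWlNCaGRIUmhZMmh0Wlc1ME9pQjFjMlZ5UUhoNGVDNWpiMjB1DQpl",
    "bWx3TGcwS1ZHaGxJRmN6TWk1TmVXUnZiMjB1VFVCdGJTQjBhSEpsWVhRZ2QyRnpJR1JsZEdW",
    "amRHVmtJR2x1SUhSb1pTQmgNCmRIUmhZMmh0Wlc1MExnPT0NCg==",
])

# Constructed stand-in for data that the MIME parser assigns to no part; not a real archive.
STRAY_BLOB = base64.b64encode(b"constructed stand-in, not a real archive").decode()

# Constructed sample: envelope headers and the zip part are made up (its body is
# empty, like the 0-byte quarantine file in the thread), the text part is the
# pasted one, and the stray blob sits after the closing boundary.
SAMPLE_MESSAGE = (
    "From: support@xxx.com\r\nTo: user@xxx.com\r\nSubject: Account notification\r\n"
    "MIME-Version: 1.0\r\n"
    f'Content-Type: multipart/mixed; boundary="{BOUNDARY}"\r\n\r\n'
    "This is a multi-part message in MIME format.\r\n\r\n"
    f"--{BOUNDARY}\r\n"
    "Content-Type: text/plain;\r\n\tcharset=us-ascii\r\n"
    "Content-Transfer-Encoding: base64\r\n\r\n"
    f"{PASTED_TEXT_BODY}\r\n\r\n"
    f"--{BOUNDARY}\r\n"
    'Content-Type: application/zip;\r\n\tname="userdomain.com.zip"\r\n'
    "Content-Transfer-Encoding: base64\r\n"
    'Content-Disposition: attachment;\r\n\tfilename="userdomain.com.zip"\r\n\r\n'
    f"--{BOUNDARY}--\r\n"
    f"{STRAY_BLOB}\r\n"
).encode("ascii")


def triage(raw):
    """Parse a raw message; return {'parts': [per-part reports], 'message_flags': [...]}."""
    msg = email.message_from_bytes(raw)
    boundary = msg.get_boundary()
    delimiter = ("--" + boundary).encode("ascii") if boundary else None
    parts = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        encoded = part.get_payload(decode=False) or ""  # body as it sits in the df file
        decoded = part.get_payload(decode=True) or b""   # what the scanner actually gets
        is_attachment = (part.get_filename() is not None
                         or part.get_content_disposition() == "attachment")
        flags = []
        if is_attachment and not decoded:
            flags.append("empty-attachment")  # nothing to scan is not the same as clean
        if part.defects:
            flags.append("parser-defects")    # the parser guessed; a mail client may guess differently
        if delimiter and part.get_content_maintype() == "text" and delimiter in decoded:
            flags.append("nested-boundary-in-decoded-text")  # a MIME part hidden inside an encoded body
        parts.append({
            "content_type": part.get_content_type(),
            "filename": part.get_filename(),
            "encoding": (part.get("Content-Transfer-Encoding") or "7bit").strip().lower(),
            "encoded_size": len(encoded),
            "decoded_size": len(decoded),
            "defects": [type(d).__name__ for d in part.defects],
            "flags": flags,
        })
    message_flags = []
    if (msg.epilogue or "").strip():
        message_flags.append("data-after-closing-boundary")  # payload no part accounts for
    return {"parts": parts, "message_flags": message_flags}


def needs_manual_review(report):
    """True when anything was flagged: hold the message rather than deliver it."""
    return bool(report["message_flags"]) or any(p["flags"] for p in report["parts"])


if __name__ == "__main__":
    report = triage(SAMPLE_MESSAGE)
    for p in report["parts"]:
        print(f'{p["content_type"]:<16} {str(p["filename"]):<20} '
              f'encoded={p["encoded_size"]:<5} decoded={p["decoded_size"]:<5} '
              f'flags={p["flags"]} defects={p["defects"]}')
    print("message flags:", report["message_flags"])
    print("verdict:", "hold for review" if needs_manual_review(report) else "nothing unusual")
```

To run it against a saved df file, call `triage(open(path, "rb").read())`. On the sample, the zip part decodes to 0 bytes while the message still carries a blob after the closing boundary, which is the shape of the discrepancy the thread describes; the nested-boundary flag fires on the thread's own data, because the pasted base64 text decodes to a body that contains a second delimiter line and header block.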