'Empty' zip files?

Julian Field mailscanner at ecs.soton.ac.uk
Wed Aug 11 16:54:41 IST 2004

At 16:16 11/08/2004, you wrote:
>Am I the only one seeing these 'empty' attachments in the quarantine dir 
>but a considerable payload in the df file?

Can you put one qf/df pair on a web site I can get at please, and mail me 
the URL off-list?

>On Mon, 9 Aug 2004, Remco Barendse wrote:
>>I don't know really :)
>>I think it is MailScanner that converted the filename that came with the
>>email (user at domain.com.zip) to a 'normal' filename like userdomain.com.zip
>>What worries me more is that the e-mail does seem to have some sort of 
>>payload for the attachment but mailscanner apparently is unable to 
>>decode/scan it properly. This means that if my filename rules would not 
>>have stopped the mail, MailScanner would have considered the e-mail as 
>>harmless (empty zip file and zips are allowed) and would have delivered 
>>the message.
>>Not sure what is causing this behaviour, maybe the mime decoder is not 
>>able to decode the attachment properly which passes the 0 size attachment 
>>to MailScanner.
>>I still have the df/qf pair if anyone is interested :)
>>On Mon, 9 Aug 2004, Alex Neuman wrote:
>>>This message in particular "tripped" Norton Antivirus 2004 for Windows.
>>>Scared the #@Ñ/)/!! out of me, since I haven't *ever* seen the antivirus pop
>>>up and say it found something since I installed MS so many months ago.
>>>I usually have to get rid of the "catch all double extensions" rule because
>>>of clients who insist on being able to name their files whatever they want;
>>>I guess this means I'll have to use rules to disallow "dot + three
>>>characters + dot zip"...
>>>-----Original Message-----
>>>From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On Behalf
>>>Of Remco Barendse
>>>Sent: Monday, August 09, 2004 4:42 AM
>>>Subject: 'Empty' zip files?
>>>Guess this is slightly off-topic but we are getting viruses with a zipfile
>>>(in the form of usernamemydomainname.com.zip).
>>>MailScanner traps these zip files because of filename rules. The strange
>>>thing is however that MS is just reporting a filename problem and no
>>>virus name. The zip file in /var/spool/MailScanner/quarantine has a file
>>>size of 0 (that would explain why no virus was reported) but I think the
>>>zip file may not be 0 size on every client.
>>>When I look into the df/qf pair there is a considerable amount of
>>>data in it that would be for the attachment.
>>>Could there be something wrong with the MIME decoder and would M$ Outlook
>>>be able to decode it properly (which would potentially mean that we would
>>>be vulnerable to the virus)?
>>>I will paste the top part of the df file here:
>>>This is a multi-part message in MIME format.
>>>Content-Type: text/plain;
>>>        charset=us-ascii
>>>Content-Transfer-Encoding: base64
>>>-------------------------- MailScanner list ----------------------
>>>To leave, send    leave mailscanner    to jiscmail at jiscmail.ac.uk
>>>Before posting, please see the Most Asked Questions at
>>>http://www.mailscanner.biz/maq/     and the archives at
>>>http://www.jiscmail.ac.uk/lists/mailscanner.html

Julian Field
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

------------------------ MailScanner list ------------------------
To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
'leave mailscanner' in the body of the email.
Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
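
The symptom reported in this thread (a 0-byte file in the quarantine directory while the df file still carries attachment data) can be checked for mechanically by decoding the raw message a second time and comparing sizes. This is an added example, not code from the thread or from MailScanner; the function name `audit_extraction`, the `extracted_sizes` input (filename to size on disk, as the scanner's unpacker left it) and the sample message are assumptions constructed for illustration.

```python
import base64
from email import message_from_bytes
from email.policy import default

# Constructed sample: harmless filler in a base64 attachment, not a real zip.
FILLER = b"constructed filler bytes, not a real archive " * 8
SAMPLE = (
    b"From: sender@example.com\r\n"
    b"To: user@example.com\r\n"
    b"Subject: constructed sample\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="b1"\r\n'
    b"\r\n"
    b"This is a multi-part message in MIME format.\r\n"
    b"--b1\r\n"
    b"Content-Type: text/plain; charset=us-ascii\r\n"
    b"\r\n"
    b"see attachment\r\n"
    b"--b1\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b"Content-Transfer-Encoding: base64\r\n"
    b'Content-Disposition: attachment; filename="userdomain.com.zip"\r\n'
    b"\r\n"
    + base64.encodebytes(FILLER).replace(b"\n", b"\r\n")
    + b"--b1--\r\n"
)

def audit_extraction(raw_message, extracted_sizes):
    """Return (filename, raw_chars, decoded_bytes, extracted_bytes) for each
    named attachment that the scanner extracted as empty (or not at all)
    although the raw message carries data for it."""
    findings = []
    msg = message_from_bytes(raw_message, policy=default)
    for part in msg.walk():
        name = part.get_filename()
        if part.is_multipart() or name is None:
            continue
        # Size of the still-encoded body, ignoring line breaks and padding spaces.
        raw_chars = len("".join(part.get_payload(decode=False).split()))
        # Independent second decode using the transfer encoding the part declares.
        decoded = len(part.get_payload(decode=True) or b"")
        on_disk = extracted_sizes.get(name, 0)
        if on_disk == 0 and (raw_chars > 0 or decoded > 0):
            findings.append((name, raw_chars, decoded, on_disk))
    return findings

if __name__ == "__main__":
    # Simulates the thread's case: the quarantined copy is 0 bytes.
    for finding in audit_extraction(SAMPLE, {"userdomain.com.zip": 0}):
        print("decoder mismatch:", finding)
```

A finding means two decoders disagree about the same attachment, which is a reason to quarantine the message regardless of whether a filename rule also matched.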

