'Empty' zip files?

Julian Field mailscanner at ecs.soton.ac.uk
Wed Aug 11 16:54:41 IST 2004


<x-flowed>
At 16:16 11/08/2004, you wrote:
>Am I the only one seeing these 'empty' attachments in the quarantine dir 
>but a considerable payload in the df file?

Can you put one qf/df pair on a web site I can get at please, and mail me 
the URL off-list?


>Cheers!
>Remco
>
>
>On Mon, 9 Aug 2004, Remco Barendse wrote:
>
>>I don't know really :)
>>
>>I think it is MailScanner that converted the filename that came with the
>>email (user at domain.com.zip) to a 'normal' filename like userdomain.com.zip
>>
>>What worries me more is that the e-mail does seem to have some sort of 
>>payload for the attachment but mailscanner apparently is unable to 
>>decode/scan it properly. This means that if my filename rules would not 
>>have stopped the mail, MailScanner would have considered the e-mail as 
>>harmless (empty zip file and zips are allowed) and would have delivered 
>>the message.
>>
>>Not sure what is causing this behaviour, maybe the mime decoder is not 
>>able to decode the attachment properly which passes the 0 size attachment 
>>to MailScanner.
>>
>>I still have the df/qf pair if anyone is interested :)
>>
>>
>>
>>On Mon, 9 Aug 2004, Alex Neuman wrote:
>>
>>>This message in particular "tripped" Norton Antivirus 2004 for Windows.
>>>Scared the #@Ñ/)/!! out of me, since I haven't *ever* seen the antivirus pop
>>>up and say it found something since I installed MS so many months ago.
>>>I usually have to get rid of the "catch all double extensions" rule because
>>>of clients who insist on being able to name their files whatever they want;
>>>I guess this means I'll have to use rules to disallow "dot + three
>>>characters + dot zip"...
>>>-----Original Message-----
>>>From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On Behalf
>>>Of Remco Barendse
>>>Sent: Monday, August 09, 2004 4:42 AM
>>>To: MAILSCANNER at JISCMAIL.AC.UK
>>>Subject: 'Empty' zip files?
>>>Guess this is slightly off-topic but we are getting viruses with a zipfile
>>>(in the form of usernamemydomainname.com.zip)
>>>MailScanner traps these zip files because of filename rules. The strange
>>>thing is however that MS is just reporting a filename problem and no
>>>virus name. The zip file in /var/spool/MailScanner/quarantine has a file
>>>size of 0 (that would explain why no virus was reported) but I think the
>>>zip file may not be 0 size on every client.
>>>When I look into the df/qf pair there is a considerable amount of
>>>data in it that would be for the attachment.
>>>Could there be something wrong with the mime decoder and would M$ Outlook
>>>be able to decode it properly (which would potentially mean that we would
>>>be vulnerable to the virus)?
>>>I will paste the top part of the df file here:
>>>This is a multi-part message in MIME format.
>>>------=_NextPart_000_0005_653AB3AB.01F72A06
>>>Content-Type: text/plain;
>>>        charset=us-ascii
>>>Content-Transfer-Encoding: base64
>>>-------------------------- MailScanner list ----------------------
>>>To leave, send    leave mailscanner    to jiscmail at jiscmail.ac.uk
>>>Before posting, please see the Most Asked Questions at
>>>http://www.mailscanner.biz/maq/     and the archives at
>>>http://www.jiscmail.ac.uk/lists/mailscanner.html

-- 
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654


</x-flowed>
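
A check for the condition discussed in this thread (an extracted attachment of 0 bytes while the queue file carries data for it), as an added example that is not from the original posts or from MailScanner: it estimates each attachment's size from the raw MIME body, without trusting any decoder, and compares it with the size the scanner wrote to disk. The function names, the `extracted_sizes` mapping (MIME filename to size on disk) and the sample message are assumptions constructed for illustration.

```python
import base64
import email

def expected_decoded_size(part):
    """Size the attachment should have, computed from the raw body alone."""
    raw = part.get_payload(decode=False)
    if not isinstance(raw, str):
        return 0
    cte = str(part.get("Content-Transfer-Encoding", "7bit")).strip().lower()
    if cte == "base64":
        chars = "".join(raw.split())            # drop line breaks
        return len(chars.rstrip("=")) * 3 // 4  # 4 chars carry 3 bytes
    return len(raw.encode("ascii", "surrogateescape"))

def audit_extraction(raw_message, extracted_sizes):
    """Return (filename, expected, extracted) for attachments the scanner
    saved as empty although the message carries data for them."""
    findings = []
    for part in email.message_from_bytes(raw_message).walk():
        name = part.get_filename()
        if part.is_multipart() or not name:
            continue
        expected = expected_decoded_size(part)
        extracted = extracted_sizes.get(name, 0)  # missing file counts as empty
        if expected > 0 and extracted == 0:
            findings.append((name, expected, extracted))
    return findings

# Constructed sample: one base64 attachment holding a 22-byte empty zip archive.
SAMPLE = b"\r\n".join([
    b"From: sender@example.com",
    b"Subject: constructed sample",
    b"MIME-Version: 1.0",
    b'Content-Type: multipart/mixed; boundary="b1"',
    b"",
    b"--b1",
    b"Content-Type: text/plain",
    b"",
    b"see attachment",
    b"--b1",
    b'Content-Type: application/zip; name="report.zip"',
    b"Content-Transfer-Encoding: base64",
    b'Content-Disposition: attachment; filename="report.zip"',
    b"",
    base64.b64encode(b"PK\x05\x06" + b"\x00" * 18),
    b"--b1--",
    b"",
])

if __name__ == "__main__":
    # Hypothetical scanner result: the quarantined copy is 0 bytes.
    for finding in audit_extraction(SAMPLE, {"report.zip": 0}):
        print("extraction mismatch:", finding)
```

A finding means the content scanner inspected nothing for that attachment, so a "clean" verdict on it should not be trusted and the message is a candidate for quarantine.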


