'Empty' zip files?

Julian Field mailscanner at ecs.soton.ac.uk
Fri Aug 13 11:22:51 IST 2004

The message says it is encoded as 7-bit, when it clearly isn't (it's 8 bit).
The attachment says it is Base64 encoded, when it isn't (all the line 
lengths are totally wrong).

At 11:04 13/08/2004, you wrote:
>This is the URL, I just tarred and gzipped the files as they appear in the 
>quarantine dir.
>On Wed, 11 Aug 2004, Julian Field wrote:
>>At 16:16 11/08/2004, you wrote:
>>>Am I the only one seeing these 'empty' attachments in the quarantine dir 
>>>but a considerable payload in the df file?
>>Can you put one qf/df pair on a web site I can get at please, and mail me 
>>the URL off-list?
>>>On Mon, 9 Aug 2004, Remco Barendse wrote:
>>>>I don't know really :)
>>>>I think it is MailScanner that converted the filename that came with the
>>>>email (user at domain.com.zip) to a 'normal' filename like userdomain.com.zip
>>>>What worries me more is that the e-mail does seem to have some sort of 
>>>>payload for the attachment but mailscanner apparently is unable to 
>>>>decode/scan it properly. This means that if my filename rules would not 
>>>>have stopped the mail, MailScanner would have considered the e-mail as 
>>>>harmless (empty zip file and zips are allowed) and would have delivered 
>>>>the message.
>>>>Not sure what is causing this behaviour, maybe the mime decoder is not 
>>>>able to decode the attachment properly which passes the 0 size 
>>>>attachment to MailScanner.
>>>>I still have the df/qf pair if anyone is interested :)
>>>>On Mon, 9 Aug 2004, Alex Neuman wrote:
>>>>>This message in particular "tripped" Norton Antivirus 2004 for Windows.
>>>>>Scared the #@Ñ/)/!! out of me, since I haven't *ever* seen the antivirus pop
>>>>>up and say it found something since I installed MS so many months ago.
>>>>>I usually have to get rid of the "catch all double extensions" rule 
>>>>>of clients who insist on being able to name their files whatever they 
>>>>>I guess this means I'll have to use rules to disallow "dot + three
>>>>>characters + dot zip"...
>>>>>-----Original Message-----
>>>>>From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On 
>>>>>Of Remco Barendse
>>>>>Sent: Monday, August 09, 2004 4:42 AM
>>>>>Subject: 'Empty' zip files?
>>>>>Guess this is slightly off-topic but we are getting viruses with a zipfile
>>>>>(in the form of usernamemydomainname.com.zip)
>>>>>MailScanner traps these zip files because of filename rules. The strange
>>>>>thing is however that MS is just reporting a filename problem and no
>>>>>virus name. The zip file in /var/spool/MailScanner/quarantine has a file
>>>>>size of 0 (that would explain why no virus was reported) but I think the
>>>>>zip file may not be 0 size on every client.
>>>>>When I look into the df/qf pair there is a considerable amount of
>>>>>data in it that would be for the attachment.
>>>>>Could there be something wrong with the mime decoder and would M$ Outlook
>>>>>be able to decode it properly (which would potentially mean that we would
>>>>>be vulnerable to the virus)?
>>>>>I will paste the top part of the df file here:
>>>>>This is a multi-part message in MIME format.
>>>>>Content-Type: text/plain;
>>>>>        charset=us-ascii
>>>>>Content-Transfer-Encoding: base64
>>>>>-------------------------- MailScanner list ----------------------
>>>>>To leave, send    leave mailscanner    to jiscmail at jiscmail.ac.uk
>>>>>Before posting, please see the Most Asked Questions at
>>>>>http://www.mailscanner.biz/maq/     and the archives at
>>>>>http://www.jiscmail.ac.uk/lists/mailscanner.html

Julian Field
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
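
Added example (not part of the original post and not MailScanner's own code): a Python check for the two mismatches described in the reply above, 8-bit bytes in a body declared 7bit or base64, and a "base64" part whose lines are not base64-shaped. The function names and the sample message are constructed for illustration, the boundary handling is simplified, and the line-shape test is a heuristic.

```python
import re
from email import message_from_bytes

ASCII_ONLY = {"7bit", "quoted-printable", "base64"}  # encodings that promise no byte > 0x7F
B64_LINE = re.compile(rb"[A-Za-z0-9+/]*={0,2}")

def split_entity(raw):
    """Return (parsed headers, untouched body bytes) for one MIME entity."""
    m = re.search(rb"(?:\A|\r?\n)\r?\n", raw)
    head, body = (raw[:m.start()], raw[m.end():]) if m else (raw, b"")
    return message_from_bytes(head), body

def entities(raw):
    """Yield (headers, body) for the message and each nested part (simplified boundary split)."""
    hdrs, body = split_entity(raw)
    yield hdrs, body
    if hdrs.get_content_maintype() == "multipart" and hdrs.get_boundary():
        delim = rb"(?m)^--" + re.escape(hdrs.get_boundary().encode())
        for chunk in re.split(delim, body)[1:]:
            if not chunk.startswith(b"--"):  # "--boundary--" ends the multipart
                yield from entities(chunk.split(b"\n", 1)[-1])

def base64_shape_ok(body):
    """Heuristic: each line is <= 76 chars, base64 alphabet only, whole 4-char groups."""
    lines = [ln.strip() for ln in body.splitlines() if ln.strip()]
    return all(len(ln) <= 76 and len(ln) % 4 == 0 and B64_LINE.fullmatch(ln) for ln in lines)

def cte_mismatches(raw):
    """Return (label, problem) pairs where declared encoding and raw bytes disagree."""
    found = []
    for hdrs, body in entities(raw):
        cte = str(hdrs.get("Content-Transfer-Encoding", "7bit")).strip().lower()
        label = hdrs.get_filename() or hdrs.get_content_type()
        if cte in ASCII_ONLY and any(b > 0x7F for b in body):
            found.append((label, f"8-bit bytes in {cte} body"))
        if cte == "base64" and not base64_shape_ok(body):
            found.append((label, "not base64-shaped"))
    return found

SAMPLE = (  # constructed message, not the one from the thread
    b'Content-Type: multipart/mixed; boundary="b1"\nContent-Transfer-Encoding: 7bit\n\n'
    b"--b1\nContent-Type: text/plain\n\nhello\n"
    b'--b1\nContent-Type: application/zip; name="userdomain.com.zip"\n'
    b"Content-Transfer-Encoding: base64\n\nPK\x03\x04\xff\xfe raw bytes\nmore\x80\n--b1--\n"
)

if __name__ == "__main__":
    for finding in cte_mismatches(SAMPLE):
        print(finding)
```

Any finding means the size of the decoded attachment cannot be trusted, so a gateway using a check like this would hold the message rather than scan a possibly empty file.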
