'Empty' zip files?

Julian Field mailscanner at ecs.soton.ac.uk
Fri Aug 13 11:22:51 IST 2004


<x-flowed>
The message says it is encoded as 7-bit, when it clearly isn't (it's 8 bit).
The attachment says it is Base64 encoded, when it isn't (all the line 
lengths are totally wrong).

At 11:04 13/08/2004, you wrote:
>Hi!
>
>This is the URL, I just tarred and gzipped the files as they appear in the 
>quarantine dir.
>
>http://www.ecem.it/virus.tar.gz
>
>Thanks!!
>Remco
>
>
>On Wed, 11 Aug 2004, Julian Field wrote:
>
>>At 16:16 11/08/2004, you wrote:
>>>Am I the only one seeing these 'empty' attachments in the quarantine dir 
>>>but a considerable payload in the df file?
>>
>>Can you put one qf/df pair on a web site I can get at please, and mail me 
>>the URL off-list?
>>
>>
>>>Cheers!
>>>Remco
>>>
>>>On Mon, 9 Aug 2004, Remco Barendse wrote:
>>>
>>>>I don't know really :)
>>>>I think it is MailScanner that converted the filename that came with the
>>>>email (user at domain.com.zip) to a 'normal' filename like userdomain.com.zip
>>>>What worries me more is that the e-mail does seem to have some sort of 
>>>>payload for the attachment but mailscanner apparently is unable to 
>>>>decode/scan it properly. This means that if my filename rules would not 
>>>>have stopped the mail, MailScanner would have considered the e-mail as 
>>>>harmless (empty zip file and zips are allowed) and would have delivered 
>>>>the message.
>>>>Not sure what is causing this behaviour, maybe the mime decoder is not 
>>>>able to decode the attachment properly which passes the 0 size 
>>>>attachment to MailScanner.
>>>>I still have the df/qf pair if anyone is interested :)
>>>>
>>>>On Mon, 9 Aug 2004, Alex Neuman wrote:
>>>>
>>>>>This message in particular "tripped" Norton Antivirus 2004 for Windows.
>>>>>Scared the #@Ñ/)/!! out of me, since I haven't *ever* seen the antivirus
>>>>>pop up and say it found something since I installed MS so many months ago.
>>>>>I usually have to get rid of the "catch all double extensions" rule because
>>>>>of clients who insist on being able to name their files whatever they want;
>>>>>I guess this means I'll have to use rules to disallow "dot + three
>>>>>characters + dot zip"...
>>>>>-----Original Message-----
>>>>>From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On
>>>>>Behalf Of Remco Barendse
>>>>>Sent: Monday, August 09, 2004 4:42 AM
>>>>>To: MAILSCANNER at JISCMAIL.AC.UK
>>>>>Subject: 'Empty' zip files?
>>>>>Guess this is slightly off-topic but we are getting viruses with a zipfile
>>>>>(in the form of usernamemydomainname.com.zip)
>>>>>MailScanner traps these zip files because of filename rules. The strange
>>>>>thing is however that MS is just reporting a filename problem and no
>>>>>virus name. The zip file in /var/spool/MailScanner/quarantine has a file
>>>>>size of 0 (that would explain why no virus was reported) but I think the
>>>>>zip file may not be 0 size on every client.
>>>>>When I look into the df/qf pair there is a considerable amount of
>>>>>data in it that would be for the attachment.
>>>>>Could there be something wrong with the mime decoder and would M$ Outlook
>>>>>be able to decode it properly (which would potentially mean that we would
>>>>>be vulnerable to the virus)?
>>>>>I will paste the top part of the df file here:
>>>>>This is a multi-part message in MIME format.
>>>>>------=_NextPart_000_0005_653AB3AB.01F72A06
>>>>>Content-Type: text/plain;
>>>>>        charset=us-ascii
>>>>>Content-Transfer-Encoding: base64
>>>>>RGVhciB1c2VyIG9mIHh4eC5jb20sDQoNCllvdXIgZW1haWwgYWNjb3VudCBoYXMgYmVlbiB1
>>>>>c2VkIHRvIHNlbmQgYSBodWdlIGFtb3VudCBvZiBzcGFtIG1lc3NhZ2VzDQpkdXJpbmcgdGhp
>>>>>cyB3ZWVrLg0KV2Ugc3VzcGVjdCB0aGF0IHlvdXIgY29tcHV0ZXIgaGFkIGJlZW4gY29tcHJv
>>>>>bWlzZWQgYW5kIG5vdyBydW5zIGEgdHJvamFuZWQNCnByb3h5IHNlcnZlci4NCg0KUGxlYXNl
>>>>>IGZvbGxvdyBpbnN0cnVjdGlvbnMgaW4gdGhlIGF0dGFjaGVkIGZpbGUgaW4gb3JkZXIgdG8g
>>>>>a2VlcCB5b3VyDQpjb21wdXRlciBzYWZlLg0KDQpCZXN0IHdpc2hlcywNCnh4eC5jb20gc3Vw
>>>>>cG9ydCB0ZWFtLg0KDQoNCi0tLS0tLT1fTmV4dFBhcnRfMDAwXzAwMDVfNjUzQUIzQUIuMDFG
>>>>>NzJBMDYNCkNvbnRlbnQtVHlwZTogcGxhaW4vdGV4dDsNCgluYW1lPSJOb3J0b24gQW50aVZp
>>>>>cnVzIERlbGV0ZWQxLnR4dCINCkNvbnRlbnQtVHJhbnNmZXItRW5jb2Rpbmc6IGJhc2U2NA0K
>>>>>Q29udGVudC1EaXNwb3NpdGlvbjogYXR0YWNobWVudDsNCiAgICAgICAgIGZpbGVuYW1lPSJO
>>>>>b3J0b24gQW50aVZpcnVzIERlbGV0ZWQxLnR4dCINCg0KVG05eWRHOXVJRUZ1ZEdsV2FYSjFj
>>>>>eUJ5WlcxdmRtVmtJSFJvWlNCaGRIUmhZMmh0Wlc1ME9pQjFjMlZ5UUhoNGVDNWpiMjB1DQpl
>>>>>bWx3TGcwS1ZHaGxJRmN6TWk1TmVXUnZiMjB1VFVCdGJTQjBhSEpsWVhRZ2QyRnpJR1JsZEdW
>>>>>amRHVmtJR2x1SUhSb1pTQmgNCmRIUmhZMmh0Wlc1MExnPT0NCg==
>>>>>-------------------------- MailScanner list ----------------------
>>>>>To leave, send    leave mailscanner    to jiscmail at jiscmail.ac.uk
>>>>>Before posting, please see the Most Asked Questions at
>>>>>http://www.mailscanner.biz/maq/     and the archives at
>>>>>http://www.jiscmail.ac.uk/lists/mailscanner.html
>>
>></x-flowed>

-- 
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

------------------------ MailScanner list ------------------------
To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
'leave mailscanner' in the body of the email.
Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).

</x-flowed>
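The two mismatches Julian describes (a message declared 7bit that contains 8-bit bytes, and an attachment declared base64 whose lines cannot be base64) are exactly the kind of thing that leaves a strict decoder with a 0-byte file while a more forgiving client still reconstructs something. The script below is an added example, not code from this thread or from MailScanner: it uses Python's standard email module to compare each part's declared Content-Transfer-Encoding against the bytes actually present. The two sample messages, their boundary, addresses and filenames are constructed for the example.

```python
"""Audit a MIME message for Content-Transfer-Encoding headers that do not
match the bytes actually present: a body declared 7bit that carries 8-bit
bytes, or a body declared base64 whose lines are not valid base64."""
import base64
import binascii
import email
import re

# A canonical base64 line is alphabet characters plus up to two '=' of
# padding, at most 76 characters long (RFC 2045).
B64_LINE = re.compile(r"^[A-Za-z0-9+/]*={0,2}$")
MAX_B64_LINE = 76


def check_base64_body(text):
    """Findings for a body whose header claims base64 (empty list = consistent)."""
    findings = []
    lines = [ln.rstrip("\r") for ln in text.split("\n") if ln.strip()]
    if not lines:
        return ["base64 body is empty"]
    bad = [i + 1 for i, ln in enumerate(lines) if not B64_LINE.match(ln)]
    if bad:
        findings.append(f"non-base64 characters on line(s) {bad}")
    # An encoder emits equal-length lines (a multiple of 4) except the last one.
    lengths = {len(ln) for ln in lines[:-1]}
    if len(lengths) > 1 or any(n > MAX_B64_LINE or n % 4 for n in lengths):
        findings.append(f"inconsistent base64 line lengths {sorted(lengths)}")
    try:
        base64.b64decode("".join(lines), validate=True)
    except (binascii.Error, ValueError):
        findings.append("strict base64 decode fails")
    return findings


def check_7bit_body(data):
    """Findings for bytes whose header claims 7bit (empty list = consistent)."""
    high = sum(1 for b in data if b > 0x7F)
    return [f"{high} byte(s) above 0x7F in a 7bit body"] if high else []


def audit_message(raw):
    """Return {part label: findings} for every part whose CTE misdescribes it."""
    msg = email.message_from_bytes(raw)
    report = {}
    # The top-level header describes the whole message, headers included.
    top_cte = (msg.get("Content-Transfer-Encoding") or "7bit").strip().lower()
    if top_cte == "7bit" and (top := check_7bit_body(raw)):
        report["message"] = top
    for idx, part in enumerate(msg.walk()):
        if part.is_multipart():
            continue
        cte = (part.get("Content-Transfer-Encoding") or "7bit").strip().lower()
        findings = []
        if cte == "base64":
            findings = check_base64_body(part.get_payload(decode=False))
            if findings:
                # What a lenient decoder (here the email module's own) would
                # hand to a scanner: often far less than the raw body holds.
                lenient = part.get_payload(decode=True) or b""
                findings.append(f"lenient decode yields {len(lenient)} byte(s)")
        elif cte == "7bit":
            findings = check_7bit_body(part.get_payload(decode=True) or b"")
        if findings:
            label = part.get_filename() or part.get_content_type()
            report[f"part {idx} ({label})"] = findings
    return report


def _mime(text_body, att_name, att_body):
    """Build a two-part multipart/mixed message (constructed sample input)."""
    return (
        b"From: support@example.invalid\r\nTo: user@example.invalid\r\n"
        b"Subject: account notice\r\nMIME-Version: 1.0\r\n"
        b'Content-Type: multipart/mixed; boundary="B"\r\n'
        b"Content-Transfer-Encoding: 7bit\r\n\r\n"
        b"--B\r\nContent-Type: text/plain; charset=us-ascii\r\n"
        b"Content-Transfer-Encoding: 7bit\r\n\r\n" + text_body + b"\r\n"
        b'--B\r\nContent-Type: application/octet-stream; name="' + att_name
        + b'"\r\nContent-Transfer-Encoding: base64\r\n'
        b'Content-Disposition: attachment; filename="' + att_name + b'"\r\n\r\n'
        + att_body + b"\r\n--B--\r\n"
    )


# Constructed: 7bit text part with an 8-bit byte, base64 attachment with
# wrong line lengths and characters outside the base64 alphabet.
SUSPECT_RAW = _mime(b"Please open the attached file \xe9", b"report.zip",
                    b"UEsDBBQAAAAIAA bad data here!!\r\nUEsDBBQAAAAIAA\r\nUEsDBBQAAAAIAAxyz")
# Constructed: same layout, encodings consistent with the bodies.
CLEAN_RAW = _mime(b"Please open the attached file.", b"note.txt",
                  b"aGVsbG8sIHdvcmxkCg==")

if __name__ == "__main__":
    for name, raw in ("suspect", SUSPECT_RAW), ("clean", CLEAN_RAW):
        print(name, audit_message(raw) or "no encoding mismatches")
```

Run it as a script, or feed `audit_message()` the raw bytes of a quarantined df file. A non-empty report is the signal that the attachment seen by the scanner is not what a forgiving client would decode, so the 0-byte file in the quarantine should not be read as "harmless".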