'Empty' zip files?

Remco Barendse mailscanner at BARENDSE.TO
Sat Aug 14 07:08:11 IST 2004


<x-flowed>
But does this mean that some ignorant mail clients (like OutLooK) would 
not be able to decode the attachment either?

Or should some sort of check be implemented for such undecodable 
attachments that the mail is not let through if such errors occur?

These mails are spreading, so I guess some clients must be able to decode 
and open them.

On Fri, 13 Aug 2004, Julian Field wrote:

> The message says it is encoded as 7-bit, when it clearly isn't (it's 8 bit).
> The attachment says it is Base64 encoded, when it isn't (all the line lengths 
> are totally wrong).
>
> At 11:04 13/08/2004, you wrote:
>> Hi!
>> 
>> This is the URL, I just tarred and gzipped the files as they appear in the 
>> quarantine dir.
>> 
>> http://www.ecem.it/virus.tar.gz
>> 
>> Thanks!!
>> Remco
>> 
>> 
>> On Wed, 11 Aug 2004, Julian Field wrote:
>> 
>>> At 16:16 11/08/2004, you wrote:
>>>> Am I the only one seeing these 'empty' attachments in the quarantine dir 
>>>> but a considerable payload in the df file?
>>> 
>>> Can you put one qf/df pair on a web site I can get at please, and mail me 
>>> the URL off-list?
>>> 
>>> 
>>>> Cheers!
>>>> Remco
>>>> 
>>>> On Mon, 9 Aug 2004, Remco Barendse wrote:
>>>> 
>>>>> I don't know really :)
>>>>> I think it is MailScanner that converted the filename that came with the
>>>>> email (user at domain.com.zip) to a 'normal' filename like 
>>>>> userdomain.com.zip
>>>>> What worries me more is that the e-mail does seem to have some sort of 
>>>>> payload for the attachment but mailscanner apparently is unable to 
>>>>> decode/scan it properly. This means that if my filename rules would not 
>>>>> have stopped the mail, MailScanner would have considered the e-mail as 
>>>>> harmless (empty zip file and zips are allowed) and would have delivered 
>>>>> the message.
>>>>> Not sure what is causing this behaviour, maybe the mime decoder is not 
>>>>> able to decode the attachment properly which passes the 0 size 
>>>>> attachment to MailScanner.
>>>>> I still have the df/qf pair if anyone is interested :)
>>>>> 
>>>>> On Mon, 9 Aug 2004, Alex Neuman wrote:
>>>>> 
>>>>>> This message in particular "tripped" Norton Antivirus 2004 for Windows.
>>>>>> Scared the #@Ñ/)/!! out of me, since I haven't *ever* seen the antivirus
>>>>>> pop up and say it found something since I installed MS so many months ago.
>>>>>> I usually have to get rid of the "catch all double extensions" rule because
>>>>>> of clients who insist on being able to name their files whatever they want;
>>>>>> I guess this means I'll have to use rules to disallow "dot + three
>>>>>> characters + dot zip"...
>>>>>> -----Original Message-----
>>>>>> From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On 
>>>>>> Behalf
>>>>>> Of Remco Barendse
>>>>>> Sent: Monday, August 09, 2004 4:42 AM
>>>>>> To: MAILSCANNER at JISCMAIL.AC.UK
>>>>>> Subject: 'Empty' zip files?
>>>>>> Guess this is slightly off-topic but we are getting viruses with a zipfile
>>>>>> (in the form of usernamemydomainname.com.zip)
>>>>>> MailScanner traps these zip files because of filename rules. The strange
>>>>>> thing is however that MS is just reporting a filename problem and no
>>>>>> virus name. The zip file in /var/spool/MailScanner/quarantine has a file
>>>>>> size of 0 (that would explain why no virus was reported) but I think the
>>>>>> zip file may not be 0 size on every client.
>>>>>> When I look into the df/qf pair there is a considerable amount of
>>>>>> data in it that would be for the attachment.
>>>>>> Could there be something wrong with the mime decoder and would M$ Outlook
>>>>>> be able to decode it properly (which would potentially mean that we would
>>>>>> be vulnerable to the virus)?
>>>>>> I will paste the top part of the df file here:
>>>>>> This is a multi-part message in MIME format.
>>>>>> ------=_NextPart_000_0005_653AB3AB.01F72A06
>>>>>> Content-Type: text/plain;
>>>>>>        charset=us-ascii
>>>>>> Content-Transfer-Encoding: base64
>>>>>> -------------------------- MailScanner list ----------------------
>>>>>> To leave, send    leave mailscanner    to jiscmail at jiscmail.ac.uk
>>>>>> Before posting, please see the Most Asked Questions at
>>>>>> http://www.mailscanner.biz/maq/     and the archives at
>>>>>> http://www.jiscmail.ac.uk/lists/mailscanner.html
>>> 
>>> </x-flowed>
>
>

</x-flowed>
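A defensive check in the spirit of Remco's question (hold mail whose parts cannot be decoded as they are declared), added here as an example and not code from MailScanner or from anyone in this thread: it parses a constructed message and flags the two mismatches Julian describes, a 7bit claim over 8-bit bytes and a base64 claim the body does not satisfy. The boundary, filename and message text are placeholders I made up.

```python
import base64
import binascii
import email

# Constructed sample (not the list's df file; names are placeholders): the
# message claims 7bit but carries an 8-bit byte, and the .zip attachment
# claims base64 but is not valid base64 (one over-long line, then junk).
RAW = b"""Content-Type: multipart/mixed; boundary="b1"
Content-Transfer-Encoding: 7bit

--b1
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

caf\xe9 is not 7-bit clean
--b1
Content-Type: application/zip; name="userexample.invalid.zip"
Content-Transfer-Encoding: base64

""" + b"A" * 80 + b"""
UEsDBBQAAAAIAA this is not base64!!
--b1--
"""

def _cte(part):
    return str(part.get("Content-Transfer-Encoding", "7bit")).strip().lower()

def scan(raw):
    """One finding per false encoding claim; a non-empty list means hold the mail."""
    msg = email.message_from_bytes(raw)
    findings = []
    if _cte(msg) == "7bit" and any(b > 0x7F for b in raw):
        findings.append("message: declared 7bit but contains 8-bit bytes")
    for part in msg.walk():
        if part.is_multipart() or _cte(part) != "base64":
            continue
        label = part.get_filename() or part.get_content_type()
        wire = part.get_payload(decode=False)  # base64 text as it appears on the wire
        lines = [ln.strip() for ln in wire.splitlines() if ln.strip()]
        if any(len(ln) > 76 for ln in lines):  # RFC 2045 line limit
            findings.append(f"{label}: base64 line longer than 76 chars")
        try:  # strict decode: the stdlib's own decoder is lenient and still returns bytes
            base64.b64decode("".join(lines), validate=True)
        except (binascii.Error, ValueError):
            findings.append(f"{label}: declared base64 but body is not valid base64")
    return findings
```

Run it over a real df file read as bytes; any non-empty result is grounds to hold the message rather than treat a zero-length attachment as harmless.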