DOS and Oversized Zip

Rick Cooper rcooper at DWFORD.COM
Tue Feb 24 00:39:47 GMT 2004


> -----Original Message-----
> From: MailScanner mailing list
> [mailto:MAILSCANNER at JISCMAIL.AC.UK]On
> Behalf Of MailScanner Mailbox
> Sent: Monday, February 23, 2004 1:11 PM
> To: MAILSCANNER at JISCMAIL.AC.UK
> Subject: DOS and Oversized Zip
>
>
> Hello All
>
> I think that this may be a clamav problem rather than
> a mailscanner
> problem but I am not 100% sure. I am running
> MailScanner 4.22-4 and clamav
> 0.67.
>
> It seems that recently I am getting many many emails
> turned away with the
> message "Denial of Service attack in message!"  It
> seems to be caused by a
> zipfile that expands many times its zipped size,
> (isn't this the purpose
> of zipping a file)?

There are ways to handcraft a zip file so it expands from a few
bytes to a couple of terabytes, used to be called "The Zip of
death". Clam allows you to restrict the compression ratio to
avoid "Zip bombs" of this nature. Imagine the problems if you
received a zip bomb that was a few hundred K compressed and a few
gig uncompressed?

>
> Anyways, there is some info I googled that mentions
> editing the scanners.c
> file (specifically "ZIPOSDET") to increase the value.
> I don't see that
> option available in clamav 0.67 so perhaps it is
> something I can set
> within the mailscanner config file?
>
> I have confirmed that the file being sent is a zip
> file containing 3 txt
> files (one of them is 5mb) and it compresses down to 220kb.
>
> Any and all help concerning this is most appreciated.
>

Look in your clamav.conf file for:

# Mark potential archive bombs as viruses (0 disables the limit)
ArchiveMaxCompressionRatio 200

and set it to what you think appropriate for your system. If it's
not there, add it.
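
Added example, not part of the original message and not ClamAV's own code: a compression-ratio check of the kind the setting above describes, run over a constructed in-memory zip. It assumes the ratio is the declared uncompressed size divided by the compressed size per member; the function names and the sample archive are hypothetical.

```python
import io
import zipfile

def build_zip(members):
    """Pack {name: bytes} into an in-memory zip (constructed sample input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()

def entry_ratios(zip_bytes):
    """Map member name -> declared uncompressed/compressed size; nothing is inflated."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return {i.filename: i.file_size / max(i.compress_size, 1)
                for i in zf.infolist() if not i.is_dir()}

def over_limit(zip_bytes, max_ratio=200):
    """Names whose ratio exceeds max_ratio; 0 disables the limit, as in the config comment."""
    if max_ratio == 0:
        return []
    return sorted(n for n, r in entry_ratios(zip_bytes).items() if r > max_ratio)

def inflates_past(zip_bytes, name, cap):
    """Declared sizes can be forged, so also count real output and stop at cap bytes."""
    total = 0
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf, zf.open(name) as fh:
        while chunk := fh.read(65536):
            total += len(chunk)
            if total > cap:
                return True
    return False

# Constructed sample: ordinary-looking text plus 1 MiB of zero bytes.
TEXT = "".join(f"{i * 2654435761 % 2**32:08x}\n" for i in range(20000)).encode()
SAMPLE = build_zip({"log.txt": TEXT, "zeros.bin": bytes(1024 * 1024)})

if __name__ == "__main__":
    for name, ratio in entry_ratios(SAMPLE).items():
        print(f"{name}: {ratio:.0f}:1")
    print("over limit:", over_limit(SAMPLE))
```

Running it prints each member's ratio, which is a quick way to see how far a legitimate attachment sits from the limit before changing the value.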


