Guess what.... 4.28.4

Matt Laney mdlaney at MOREHOUSE.EDU
Thu Mar 4 14:13:00 GMT 2004


Spicer, Kevin responded to Plant, Dean...

> > [DP] But users are not notified of inbound password protected zips. With
> > other blocked file types users are notified correctly.
> >
> > I also am unable to release any quarantined password protected zips
> > from Mailwatch as it is marked as a virus and not a blocked file.
> >
> > Have I understood the Non-Forging setting correctly?
>
> [KS] That is what Julian suggested he might do for the next/a future
> release; however, that is not the behaviour yet.

I haven't tried this, but might the desired behaviour be approximated
by using filetype checking to pick out ZIP files of version 1.0 (see
previous discussion about MIT, etc.)?  My file command (version 4.07)
shows the following on one bad and one OK ZIP:

        Text.zip:   Zip archive data, at least v1.0 to extract
        fine.zip:   Zip archive data, at least v2.0 to extract

(The first one's the Bagle virus.)

A quick scan through the magic file shows that the ZIP line is the only
place "v1.0" appears as an isolated word.

Could one make a filetype entry like this

        deny    " v1.0 "        No v1.0 ZIP archives, possible Bagle    ditto

in filetype.rules.conf and use filetype checking to get these?  It doesn't
sound efficient, but might it work?

I'm not sure what else might use v1.0 ZIP archives, but the MIT guys
seem to think that not much does.


-Matt


--
Matt Laney, mdlaney at morehouse.edu
Director of Network Services
Morehouse College; Atlanta, GA, USA
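
An added illustration, not part of the original post or of MailScanner: the "at least vX.Y to extract" text corresponds to the version-needed field in the ZIP local file header, and the same header carries an encryption flag (bit 0 of the general-purpose flags). This sketch goes slightly beyond the version match proposed above by reading both fields from constructed sample headers; the function names, verdict strings and sample file names are assumptions.

```python
import struct

LOCAL_SIG = b"PK\x03\x04"
# Fixed 30-byte ZIP local file header: signature, version needed, flags, method,
# mod time, mod date, crc32, compressed size, uncompressed size, name len, extra len
LOCAL_HDR = struct.Struct("<4sHHHHHIIIHH")

def inspect_zip_header(data):
    """Return (version_string, encrypted) for the first entry, or None if not a ZIP."""
    if len(data) < LOCAL_HDR.size:
        return None
    sig, version, flags, *_ = LOCAL_HDR.unpack_from(data)
    if sig != LOCAL_SIG:
        return None
    ver = version & 0xFF                  # 10 -> "v1.0", 20 -> "v2.0"
    return ("v%d.%d" % divmod(ver, 10), bool(flags & 0x0001))

def verdict(data):
    """Hypothetical policy: key on the encryption bit, use v1.0 only as a hint."""
    info = inspect_zip_header(data)
    if info is None:
        return "not-zip"
    version, encrypted = info
    if encrypted:
        return "deny: encrypted entry (%s)" % version
    if version == "v1.0":
        # Stored (uncompressed) entries legitimately need only v1.0, so a
        # version-only rule would also catch harmless archives like this one.
        return "review: v1.0 but not encrypted"
    return "allow (%s)" % version

def make_sample(version, flags, method, name=b"a.txt", body=b"hello"):
    """Constructed sample: one local file header plus payload, not a full archive."""
    hdr = LOCAL_HDR.pack(LOCAL_SIG, version, flags, method, 0, 0, 0,
                         len(body), len(body), len(name), 0)
    return hdr + name + body

# Constructed inputs; the names are made up for this example.
SAMPLES = {
    "v10-encrypted.zip": make_sample(10, 0x0001, 0),  # v1.0, encrypted, stored
    "v20-deflated.zip":  make_sample(20, 0x0000, 8),  # v2.0, plain, deflated
    "v10-stored.zip":    make_sample(10, 0x0000, 0),  # v1.0, plain, stored
}

if __name__ == "__main__":
    for fname, blob in SAMPLES.items():
        print("%-18s %s" % (fname, verdict(blob)))
```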


