Questions...

Spicer, Kevin Kevin.Spicer at BMRB.CO.UK
Wed Mar 24 17:10:08 GMT 2004


Julian Field wrote:
> There are whole rafts of Denial of Service attacks that can be
> launched this way, I am very wary of unpacking anything unless I
> really need to. But using the file command to find zip files instead
> of looking at the name is not a bad idea. It would be slower though
> as it would need to be run on every message batch. Let me have a
> think and see if I can make it do it as part of the filetype trapping
> code, so the overhead would be minimal. 
> 
> And then there is the chicken and egg situation Kevin has
> just mentioned...

Just looking through the magic file that the file command uses, it may be fairly trivial to spot zip files without running the file command.  It seems the first four bytes are PK\003\004; the following byte represents the version number, currently 0x09, 0x0a, 0x0b or 0x14 (versions 0.9, 1.0, 1.1 and 2.0 respectively; it seems the byte value is the version number x 10).

Anyway my point is that zip files could be spotted by looking at the first 4 or 5 bytes of the file.



BMRB International 
http://www.bmrb.co.uk
+44 (0)20 8566 5000
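As an added illustration of the check Kevin describes (not code from the thread or from MailScanner), this Python snippet sniffs the first five bytes instead of trusting the file name, decodes the version byte as "value x 10", and also handles an archive with no entries, which begins with the end-of-central-directory signature PK\x05\x06 rather than a local file header. The function names and the sample archives built with Python's zipfile module are my own.

```python
import io
import zipfile

ZIP_LOCAL_HEADER = b"PK\x03\x04"    # local file header signature, as in the post
ZIP_EMPTY_ARCHIVE = b"PK\x05\x06"   # end-of-central-directory record only (no entries)


def sniff_zip(data: bytes):
    """Return (is_zip, version) from at most the first five bytes, without unpacking.

    version is the 'version needed to extract' byte decoded as in the post
    (byte value is version x 10), or None when no local header is present.
    """
    if data.startswith(ZIP_LOCAL_HEADER) and len(data) >= 5:
        v = data[4]
        return True, f"{v // 10}.{v % 10}"
    if data.startswith(ZIP_EMPTY_ARCHIVE):
        # Edge case: an archive with zero members has no local header at all,
        # so a check for PK\003\004 alone would miss it.
        return True, None
    return False, None


def make_zip(members) -> bytes:
    """Constructed sample: build an in-memory archive (hypothetical helper)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return buf.getvalue()


def main():
    # Constructed inputs: the file name is deliberately not used by sniff_zip.
    samples = {
        "report.zip": make_zip({"hello.txt": b"hello"}),
        "invoice.txt": make_zip({"a.txt": b"zip hiding behind a .txt name"}),
        "empty.zip": make_zip({}),
        "notes.txt": b"plain text, not an archive",
    }
    for name, data in samples.items():
        is_zip, version = sniff_zip(data)
        print(f"{name:12s} zip={is_zip!s:5s} version={version}")


if __name__ == "__main__":
    main()
```

Python's zipfile writes "version needed to extract" = 20 for plain stored entries, so the first sample reports 2.0, matching the 0x14 value in the post.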



