Questions...

Rob Poe rpoe at PLATTESHERIFF.ORG
Wed Mar 24 17:14:02 GMT 2004


Well, it looks as though F-Prot for Linux isn't catching the
unpassworded ones...

I installed ClamAV and it detected ...

Looks like someone's going to switch (me).



>>> Kevin.Spicer at BMRB.CO.UK 3/24/2004 11:10:08 AM >>>
Julian Field wrote:
> There are whole rafts of Denial of Service attacks that can be
> launched this way, I am very wary of unpacking anything unless I
> really need to. But using the file command to find zip files instead
> of looking at the name is not a bad idea. It would be slower though
> as it would need to be run on every message batch. Let me have a
> think and see if I can make it do it as part of the filetype trapping
> code, so the overhead would be minimal.
>
> And then there is the chicken and egg situation Kevin has
> just mentioned...

Just looking through the magic file that the file command uses, it may
be fairly trivial to spot zip files without running the file command.
It seems the first four bytes are PK\003\004; the following byte
represents the version number, currently 0x09, 0x0a, 0x0b or 0x14 (versions
0.9, 1.0, 1.1 and 2.0 respectively - it seems the byte value is the
version number x 10).

Anyway my point is that zip files could be spotted by looking at the
first 4 or 5 bytes of the file.



BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000
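
The header check discussed in this thread, as an added example (not code from the thread or from MailScanner; `sniff_zip`, `sniff_path` and `sample_zip` are hypothetical names). It goes slightly beyond the message: the encryption flag (bit 0 of the two bytes at offset 6) and the `PK\005\006` start of an archive with no members come from the ZIP format specification, not from the thread.

```python
import io
import struct
import zipfile

LOCAL_HEADER = b"PK\x03\x04"   # the four bytes quoted from the magic file
EMPTY_ARCHIVE = b"PK\x05\x06"  # an archive with no members starts with this record

def sniff_zip(head):
    """Classify a file from its first 8 bytes; nothing is ever unpacked.

    Returns None for non-zip data, otherwise a dict holding the
    "version needed to extract" and the encryption flag.
    """
    if head[:4] == EMPTY_ARCHIVE:
        return {"version": None, "encrypted": False, "empty": True}
    if head[:4] != LOCAL_HEADER:
        return None
    info = {"version": None, "encrypted": None, "empty": False}
    if len(head) >= 5:
        # Byte 4 is the version number x 10, e.g. 0x14 -> "2.0".
        info["version"] = "%d.%d" % divmod(head[4], 10)
    if len(head) >= 8:
        # Bytes 6-7: general purpose bit flag, little-endian; bit 0 = encrypted.
        (flags,) = struct.unpack_from("<H", head, 6)
        info["encrypted"] = bool(flags & 0x0001)
    return info

def sniff_path(path):
    """Read only the header bytes, so the cost per attachment stays constant."""
    with open(path, "rb") as fh:
        return sniff_zip(fh.read(8))

def sample_zip():
    """Constructed sample: a one-member archive built in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("note.txt", "hello")
    return buf.getvalue()

if __name__ == "__main__":
    plain = sample_zip()
    # Constructed sample: set flag bit 0 on a copy to mimic a passworded archive.
    locked = plain[:6] + bytes([plain[6] | 1]) + plain[7:]
    for label, data in [("plain", plain), ("locked", locked), ("text", b"not a zip")]:
        print(label, sniff_zip(data[:8]))
```

A self-extracting archive begins with an executable stub rather than `PK\003\004`, so a check on the leading bytes alone will not classify it as a zip file.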



More information about the MailScanner mailing list