Questions...

Julian Field mailscanner at ecs.soton.ac.uk
Wed Mar 24 18:06:58 GMT 2004


At 17:10 24/03/2004, you wrote:
>Julian Field wrote:
> > There are whole rafts of Denial of Service attacks that can be
> > launched this way, I am very wary of unpacking anything unless I
> > really need to. But using the file command to find zip files instead
> > of looking at the name is not a bad idea. It would be slower though
> > as it would need to be run on every message batch. Let me have a
> > think and see if I can make it do it as part of the filetype trapping
> > code, so the overhead would be minimal.
> >
> > And then there is the chicken and egg situation Kevin has
> > just mentioned...
>
>Just looking through the magic file that the file command uses, it may be
>fairly trivial to spot zip files without running the file command.  It
>seems the first four bytes are PK\003\004; the following byte represents
>the version number, currently 0x09, 0x0a, 0x0b or 0x14 (versions 0.9, 1.0,
>1.1 and 2.0 respectively; it seems the byte value is the version number x 10).
>
>Anyway my point is that zip files could be spotted by looking at the first
>4 or 5 bytes of the file.

I don't particularly like the idea of duplicating "file"'s job; it smacks of
ugliness.
But it may turn out to be the easiest way to go.
Hopefully the PK^C^D sequence won't change.
--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
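One way to do the content check discussed in the thread, as an added Python example that is not MailScanner code and not either poster's: it inspects only the first bytes of an attachment, never its name, and goes slightly beyond the mail by also recognising the empty-archive and spanned-archive signatures. The sample archive is constructed in memory for the demonstration.

```python
import io
import zipfile

# ZIP signatures: "PK" followed by two type bytes.  PK\x03\x04 is the local
# file header the quoted mail describes; the other two are the markers an
# empty or spanned archive may open with instead.
ZIP_SIGNATURES = {
    b"PK\x03\x04": "local file header",
    b"PK\x05\x06": "end of central directory (empty archive)",
    b"PK\x07\x08": "spanned archive marker",
}

def sniff_zip(data: bytes):
    """Return (kind, version) if the buffer starts like a ZIP archive.

    Only the first five bytes are read, so nothing is unpacked.  kind is
    None when the data does not look like a ZIP.  version is the "version
    needed to extract" byte divided by 10, as observed in the thread
    (0x14 -> 2.0); it is reported only for the local file header form.
    """
    head = data[:5]
    kind = ZIP_SIGNATURES.get(head[:4])
    if kind is None:
        return None, None
    version = None
    if head[:4] == b"PK\x03\x04" and len(head) == 5:
        # Byte 4 is the low byte of the 16-bit "version needed to extract".
        version = head[4] / 10
    return kind, version

def looks_like_zip(data: bytes) -> bool:
    """Content-based check; the attachment's filename is never consulted."""
    return sniff_zip(data)[0] is not None

def build_sample_zip() -> bytes:
    # Constructed sample archive, built in memory for this demonstration.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", "hello from inside the archive\n")
    return buf.getvalue()

if __name__ == "__main__":
    sample = build_sample_zip()
    # A ZIP given a misleading name is still identified by its first bytes ...
    print("invoice.doc ->", sniff_zip(sample))
    # ... while a .zip name on plain text is not treated as an archive.
    print("archive.zip ->", sniff_zip(b"just some text\n"))
```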