ZIP file attachment not recognized and therefore no file check performed

Wed Oct 16 15:29:01 IST 2013

> -----Original Message-----
> From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-
> bounces at lists.mailscanner.info] On Behalf Of Tony Larco
> Sent: Wednesday, October 16, 2013 8:31 AM
> To: mailscanner at lists.mailscanner.info
> Subject: ZIP file attachment not recognized and therefore no file check
> performed
>
> I apologize if this has been answered in another thread.  I did spend quite some
> time poking through the archived mailing list articles, the MailScanner docs, and
> googling around, but we are just stumped and are hoping a MailScanner guru
> could enlighten us about this situation.
>
> First, we are running the following (from /usr/sbin/MailScanner -v) - This is SUSE
> Linux Enterprise Server 10 (x86_64) This is Perl version 5.008008 (5.8.8) This is
> MailScanner version 4.78.17 Using F-Prot for AV scanning
>
> High level overview - We use Barracuda's for our mail gateways that hand off to
> MailScanner before getting routed to the appropriate mail server for delivery.
> This solution has worked great for years, but last week something strange
> happened that we cannot figure out.
>
> On Friday we started receiving emails that contained some kind of 0-day
> malware.  The Barracudas were blocking some of these email, but based on score
> and not on the emails containing a virus.  Later in the day Barracuda started
> recognizing the virus so the problem was mitigated at the mail gateway, but some
> did slip by the first line of defense and were passed to MailScanner.
>
> The attachment was a zipped up EXE file, but something was unique about these
> messages.  We block ZIP and EXE files to most of our users, but our MailScanner
> instance was not acknowledging these emails contained a ZIP file and therefore
> not doing the "Filename Check".  What is very interesting is when MailScanner
> delivered the email to an invalid recipient and it was bounced back to the sender,
> MailScanner detected the existence of a ZIP file and blocked it on the way out!
> But not on the way in!  This is the heart of the issue... how can we determine why
> these messages were not interrogated while other (legit) zip files were being
> rejected at the same time?
>
> We observed these emails were encoded with windows-1251 encoding
> (http://en.wikipedia.org/wiki/Windows-1251) and the content type of the
> attachment was simply "Content Type ;"  Other than that, we did not see
> anything out of the ordinary with these emails.
>
> We tried to create a zip file of the same name as the malware and send it from
> gmail and the ZIP file was detected immediately by MailScanner, so we were not
> able to reproduce the problem strictly by name.  Now that F-prot is detecting
> this, its getting dropped for containing a virus, and we can really cannot test
> further in our production environment.  We took this into our lab, but we were
> not testing with the exact same version of MailScanner and we were not able to
> recreate the problem.  In our minds, whether MailScanner could detect the virus
> or not, it should have detected the ZIP and/or EXE and rejected it for this reason
> alone.
>
> Any information about this issue would be greatly appreciated.
> Management is now questioning the usefulness of MailScanner versus some
> commercial offering, but I believe in FOSS.  Thank you in advance for taking the
> time to read this post!
>
> Regards,
>
> Tony
>

I believe I have had the same behavior from MailScanner 4.84.3 and 4.84.5 recently. -- However, since I use ESET, it is unpacking and scanning the archives even if TNEF or other MS-related perl module is failing to do so.  The other thing I set is to not deliver password protected archives.  (I quarantine just in case someone needs one)
Can you extract the 0day executable to your Mailscanner server and run the 'file' command on it?  I wonder if the magic detection in file is failing to see it as either an executable or an archive file.

Scott

...

-- 
ImproMed LLC
--