Re: Blocking PWD Encrypted ZIP Files
From: Alex van den Bogaerdt (alex ergens.op.het.net)
Date: Thu Mar 11 2004 - 05:14:31 CST
On Thu, Mar 11, 2004 at 10:28:49AM +0100, Chris Schoenbaechler wrote:
> Subject says all: Is there a way to reliably block
> passworded ZIP Files at Postfix Level? We don't want to block all
> ZIP files in general.
I've done some research and I found a helpful whitepaper from pkware.
http://www.pkware.com/products/enterprise/white_papers/appnote.html#2a
Bit 0 in the general purpose bit flag word is set when it is an
encrypted zip file. This is, counting from zero, in bytes 6 and 7.
For every three bytes of data, mime encoding uses four characters.
Bytes 6, 7 and 8 will be in characters eight up to and including eleven.
Earlier work seen:
UEsDBAoAAAAA <= Matches unencrypted ZIP file
UEsDBAoAAQAA <= Matches encrypted version.
UEsD: equivalent of 50 4B 03
BAoA: equivalent of 04 0A 00
AQAA: equivalent of 01 00 00
A zip file should start with 50 4B 03 04. Then there are four bytes
that can (and will, in some future virus) change. One of the bits in
those bytes needs to be matched.
UEsDB fixed
A two bits fixed, four bits random
oAA all bits random
Q one bit fixed, 5 bits random
Using the base64 alphabet I think we can define ranges for those
random bits. This means the following pattern should work. Not
yet tested, standard disclaimer etc:
/^UEsDB[A-P][A-Za-z0-9+\/]{3}[Q-Za-fw-z0-9+\/][A-Za-z0-9+\/]{30}/i HOLD
I would appreciate it if others can confirm, or correct, this pattern.
I'm going to give it a try (with HOLD instead of DISCARD just to be sure)
regards,
Alex
--
begin sig
http://www.googlism.com/index.htm?ism=alex+van+den+bogaerdt&type=1
This message was produced without any <iframe tags
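The derivation in the post above can be checked mechanically. The following script is an added example, not code from the post or from Postfix: it builds a minimal ZIP local file header (the layout from the PKWARE APPNOTE the post links to) with the general purpose bit flag set or clear, base64-encodes it the way a MIME attachment would be, and applies the proposed pattern. It also enumerates the base64 characters in which the encryption bit ends up set, which reproduces the `[Q-Za-fw-z0-9+/]` class, and then walks every 16-bit flag value to confirm the pattern fires exactly when bit 0 is set. The header field values, file name and payload are constructed for the example; the pattern is applied case-sensitively, without the trailing `/i` of the original, because the base64 alphabet distinguishes upper and lower case.

```python
import base64
import re
import struct

# The pattern from the post, used case-sensitively (no /i) for this check.
PATTERN = re.compile(r'^UEsDB[A-P][A-Za-z0-9+/]{3}[Q-Za-fw-z0-9+/][A-Za-z0-9+/]{30}')

B64 = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'


def local_file_header(flags, version=10, method=0, payload=b'x' * 40):
    """Build a minimal ZIP local file header followed by a constructed
    file name and payload, so the base64 stream is long enough for the
    pattern's trailing {30}. Field layout: PKWARE APPNOTE local file header."""
    name = b'a.txt'                      # constructed entry name
    header = struct.pack('<IHHHHHIIIHH',
                         0x04034b50,     # signature, bytes 50 4B 03 04
                         version,        # version needed to extract (bytes 4-5)
                         flags,          # general purpose bit flag (bytes 6-7), bit 0 = encrypted
                         method,         # compression method (bytes 8-9)
                         0, 0,           # last mod time / date
                         0,              # crc32 (not meaningful for this check)
                         len(payload),   # compressed size
                         len(payload),   # uncompressed size
                         len(name),      # file name length
                         0)              # extra field length
    return header + name + payload


def encode(data):
    """Base64 as a MIME body part would carry it (first line only matters here)."""
    return base64.b64encode(data).decode('ascii')


def is_encrypted_base64(b64_line):
    """True when the base64 line matches the proposed 'encrypted ZIP' pattern."""
    return PATTERN.match(b64_line) is not None


def chars_with_bit(bitmask):
    """Base64 characters whose 6-bit value has every bit of bitmask set.
    Character 9 of the stream carries the low two bits of byte 6 in its
    two high bits, so the encryption flag (bit 0 of byte 6) is value 0x10
    in that character. chars_with_bit(0x10) is therefore the character
    class the pattern needs at position 9."""
    return ''.join(c for i, c in enumerate(B64) if (i & bitmask) == bitmask)


def pattern_tracks_encryption_bit(versions=(10, 20), methods=(0, 8)):
    """Exhaustive check: for every 16-bit flag value (and a few version and
    method values that perturb the neighbouring characters) the pattern
    must match exactly when bit 0 of the flag is set."""
    for version in versions:
        for method in methods:
            for flags in range(0x10000):
                line = encode(local_file_header(flags, version, method))
                if is_encrypted_base64(line) != bool(flags & 1):
                    return False
    return True


if __name__ == '__main__':
    for flags in (0, 1):
        line = encode(local_file_header(flags))
        print(f'flags=0x{flags:04x}: {line[:12]} encrypted={is_encrypted_base64(line)}')
    print('position-9 class:', chars_with_bit(0x10))
    print('pattern tracks bit 0 for all flag values:', pattern_tracks_encryption_bit())
```

The check only covers what the pattern covers: the first local file header of an attachment whose base64 body starts on its own line. An archive whose first entry is stored unencrypted, with encrypted entries later, would not match, and neither would a ZIP nested inside another container; a HOLD action, as the post suggests, lets those misses and any false positives be reviewed rather than silently dropped.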