zip files was Re: [AMaViS-user] decoder for zip?
From: Covington, Chris (Chris.Covington plusone.com)
Date: Fri Oct 07 2005 - 08:01:38 CDT
> Chris, did you maybe see something like this recently? I
> got a fresh new (undetected) virus last night that did this.
>
> Oct 5 18:05:42 sf8 amavis[6312]: (06312-04)
> do_executable/do_unzip failed, ignoring: format error:
> bad signature: 0x00905a4d at offset 0 in file
> /var/lib/amavis/amavis-20051005T165720-06312/parts/p004
>
> Oct 5 18:05:50 sf8 amavis[6312]: (06312-04) Blocked
> BANNED (multipart/mixed |
> application/octet-stream,.zip,pword_change.zip |
> .exe,.exe-ms,PW_Klass.Pic.packed-bitmap.exe |
> PW_Klass.Pic.packed-bitmap.exe), LOCAL [10.10.10.13]
> [213.165.64.20] <G.Steck example.at> -> <user example.com>,
> quarantine: banned example.com, Message-ID:
> <7943599a6de.6f07 uacjtuaec.com>, mail_id:
> twvrh8bxFLNq, Hits: -, 8331 ms

Yeah, I've gotten similar ones. This was a recent thread on
postfix-users as well.

I don't block zip, but I block Windows executables within compressed
archives. amavisd-new picks up executables within encrypted zips as
well. I also block message/partial and message/external-body RFC2046 MIME
types. I'm debating whether or not to ban zip - some users use .zip to
send large files.

I've noticed a lot of our business partners don't allow .zip either out
of extreme caution or because of primitive filters which can't inspect
zip content. What do you on these lists do?
---
Chris Covington
IT
Plus One Health Management
75 Maiden Lane Suite 801
New York, NY 10038
646-312-6269
http://www.plusoneactive.com
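
Added example, not part of the original message and not amavisd-new code: the signature in the quoted log, 0x00905a4d, is the bytes 4D 5A 90 00 (a DOS/PE "MZ" header) read as a little-endian 32-bit integer, so the part the unzipper rejected starts like a Windows executable. The Python sketch below classifies a part by its leading bytes and checks zip members by name and content; the function names, the extension list and the sample inputs are assumptions constructed for illustration.

```python
import io
import struct
import zipfile

MZ = b"MZ"                                      # DOS/PE executable magic
ZIP_LOCAL = b"PK\x03\x04"                       # zip local file header magic
BANNED_EXT = (".exe", ".scr", ".pif", ".com")   # assumed policy list


def classify(data: bytes) -> str:
    """Name the content type from leading bytes, ignoring the filename."""
    if data[:2] == MZ:
        return "exe"
    if data[:4] == ZIP_LOCAL:
        return "zip"
    return "unknown"


def inspect_attachment(name: str, data: bytes) -> list[str]:
    """Return reasons to ban a mail part (empty list: nothing found)."""
    reasons = []
    kind = classify(data)
    if kind == "exe":
        # Same value an unzipper reports: first 4 bytes as a LE uint32.
        sig = struct.unpack("<I", data[:4].ljust(4, b"\0"))[0]
        reasons.append(f"{name}: executable content, signature 0x{sig:08x}")
    elif kind == "zip":
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                # Bit 0 of the flags marks an encrypted member; its name
                # is still readable, so name rules apply without a password.
                encrypted = bool(info.flag_bits & 0x1)
                if info.filename.lower().endswith(BANNED_EXT):
                    note = " (encrypted)" if encrypted else ""
                    reasons.append(f"{name}: banned member name {info.filename}{note}")
                elif not encrypted:
                    with zf.open(info) as fh:
                        if fh.read(2) == MZ:
                            reasons.append(f"{name}: member {info.filename} is MZ")
    return reasons


def make_zip(members: dict[str, bytes]) -> bytes:
    """Build a constructed in-memory zip for the demonstration."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for fname, body in members.items():
            zf.writestr(fname, body)
    return buf.getvalue()


if __name__ == "__main__":
    stub = b"MZ\x90\x00" + b"\0" * 60   # constructed header stub, not a program
    print(inspect_attachment("p004", stub))
    print(inspect_attachment("a.zip", make_zip({"notes.txt": b"hi", "photo.jpg": stub})))
```

A renamed executable inside an unencrypted zip is caught by the content check, while an encrypted member can only be judged by its name.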