Re: [Exim] Encrypted Viruii

Pàgina inicial
Delete this message
Reply to this message
Autor: Chris Edwards
Data:  
A: Ron McKeating
CC: Exim-Users (E-mail)
Assumpte: Re: [Exim] Encrypted Viruii
On Wed, 3 Mar 2004, Ron McKeating wrote:

| What I want to do is have a simple way of detecting and failing any
| password encrypted zip files.


Could put this in your DATA ACL (sorry for long line):

  deny    message = Encrypted zip attachments are not allowed
    condition = ${if match{$message_body:}{  UEsDB....[Q-Za-fw-z0-9\+/]}{yes}{no}}


This should recognise encrypted zip attachments from the Base64 encoding.
Remember, the two spaces match the blankline+newline.

My derivation is below. I hope its right...

Cheers

Chris


----------------------------------------------------------------------------

http://www.idcnet.us/zip/zip-format.txt

- The zip header has first four bytes hex = 50 4b 03 04

- The "encrypted" flag is first bit of the 7th byte

So, doing the maths:

Hex     50       4b       03       04       X        X        bit0set  X


Binary 01010000 01001011 00000011 00000100 xxxxxxxx xxxxxxxx xxxxxxx1 xxxxxxxx

6bits: 010100 000100 101100 000011 000001 00xxxx xxxxxx xxxxxx xxxxxx x1xxxx

Dec:    20     4      44     3      1      0-15   .      .      .      16-31, 48-63


Base64  U      E      s      D      B      A-P    .      .      .      Q-Za-fw-z0-9+/



Regexp: UEsDB....[Q-Za-fw-z0-9\+/]



--
Chris Edwards, Glasgow University Computing Service