Re: [exim] [OT] Emergency!!! Is anyone else getting this vir…

Author: Odhiambo G. Washington
Date:  
To: exim-users
Subject: Re: [exim] [OT] Emergency!!! Is anyone else getting this virus/worm?
* Chris Meadors <exim@???> [20041115 19:54]: wrote:
> On Sun, 2004-11-14 at 17:50 +0100, patrick coeman wrote:
>
> > And about the attachment: Just make a few 100MB or GB file with only the
> > letter a in it and let some zip program use the max compression. Indeed
> > you receive a very small attachment. We played with that in pre-internet
> > times (Fidonet) to test mailsoftware.
>
> And because these zip bombs have existed since pre-Internet days, every
> scanner I have ever seen has the ability to look at the compressed vs.
> uncompressed size of the file inside an archive and refuse to unpack
> something that will blow up many times its compressed size.
>
> ClamAV is included in the list of programs that have protection from
> this type of attack. But there are settings to control what compression
> ratio is allowed to be expanded. It was theorized the original poster
> had changed these settings and exposed themselves to the problem. I
> don't think the original poster wrote back, so I assume that theory was
> correct.


Just for the record, I did NOT change the settings that would expose me
to such a bomb in the configuration of the virus scanner. They are
pretty much the defaults.

> In other words this attack will not affect the majority of servers out
> there.


Hmm, I am not sure that is true. I will take this to the clamav-users
list though, if I don't find a solution myself.


> Although there was recently a bug found that if the header of a zip file
> was altered to report the size of a file to be 0 bytes many scanners
> would skip over the file assuming it to be safe. I wonder if the same
> trick could be played to make the compression ratio look lower than it
> actually is...


In my case, the mail was coming in as an NDR (Non Delivery Report) from
addr.com (several of their MXes) to some local user on my systems. I
would see the mail in the queue on one of my MXes and it was 1.9MB.
The configuration on this MX (for the virus scanner) is the same as the
one on the server that does the local deliveries. The only difference
between the two servers is the version of ClamAV. Since scanning happens
on both servers, I still don't see how the same mail was not bombing the
secondary MX during the scanning, and not doing the same on the box that
does the deliveries.
The clue could lie anywhere, but maybe in ClamAV!

Topic closed here!!


        cheers
       - wash 
+----------------------------------+-----------------------------------------+
Odhiambo Washington                     . WANANCHI ONLINE LTD (Nairobi, KE)  |
<wash at wananchi dot com>              . 1ere Etage, Loita Hse, Loita St.,  |
GSM: (+254) 722 743 223                 . # 10286, 00100 NAIROBI             |
GSM: (+254) 733 744 121                 . (+254) 020 313 985 - 9             |
+---------------------------------+------------------------------------------+
"Oh My God! They killed init! You Bastards!"  
                         --from a /. post
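The thread above turns on two points: scanners reject archives whose declared uncompressed:compressed ratio is too high, and a zip whose headers claim a 0-byte member can slip past a check that trusts those headers. The following is an added example written for this page, not code from the thread, from Exim or from ClamAV. It builds a small constructed sample archive (1 MiB of the letter "a", as patrick coeman describes), then shows a detector that (1) applies the declared-ratio check, (2) flags a header that claims 0 bytes while carrying compressed data, and (3) inflates the member with raw zlib under a hard byte budget, so the budget holds no matter what the headers say. The policy values (`MAX_RATIO`, `MAX_UNPACKED`), the reason codes and the deflate-only restriction are assumptions of this example; the `zero_declared_size` helper is a test fixture for the detector that reproduces the header trick the quoted post mentions.

```python
import io
import struct
import zipfile
import zlib

# Policy knobs (constructed for this example; a real scanner makes them configurable).
MAX_RATIO = 100                      # declared uncompressed:compressed ratio allowed
MAX_UNPACKED = 10 * 1024 * 1024      # hard per-member budget, enforced while inflating
READ_CHUNK = 4096                    # compressed bytes fed to zlib per step
OUT_LIMIT = 64 * 1024                # max bytes zlib may emit per call


def build_sample_zip(payload_size=1024 * 1024):
    """Constructed sample: one deflated member holding `payload_size` copies of 'a'."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("a.txt", b"a" * payload_size)
    return buf.getvalue()


def zero_declared_size(archive):
    """Constructed detector fixture: make both headers claim the member unpacks to 0 bytes."""
    a = bytearray(archive)
    local = a.find(b"PK\x03\x04")      # local file header; uncompressed size at +22
    central = a.rfind(b"PK\x01\x02")   # central directory entry; uncompressed size at +24
    struct.pack_into("<I", a, local + 22, 0)
    struct.pack_into("<I", a, central + 24, 0)
    return bytes(a)


def member_data_offset(archive, info):
    """Start of the member's compressed bytes, located via its local file header."""
    off = info.header_offset
    if struct.unpack_from("<I", archive, off)[0] != 0x04034B50:
        raise ValueError("bad local file header signature")
    name_len, extra_len = struct.unpack_from("<HH", archive, off + 26)
    return off + 30 + name_len + extra_len


def inflate_within_budget(archive, info, budget):
    """Inflate a deflated member with raw zlib, ignoring every size field in the headers.
    Returns (bytes_produced, budget_exceeded) and stops as soon as the budget is passed."""
    if info.compress_type != zipfile.ZIP_DEFLATED:
        raise ValueError("example handles deflate members only")
    d = zlib.decompressobj(-zlib.MAX_WBITS)
    pos, total = member_data_offset(archive, info), 0
    while not d.eof and pos < len(archive):
        chunk = archive[pos:pos + READ_CHUNK]
        pos += len(chunk)
        out = d.decompress(chunk, OUT_LIMIT)
        total += len(out)
        # Drain output zlib is holding back because of OUT_LIMIT before reading more input.
        while not d.eof and (d.unconsumed_tail or len(out) == OUT_LIMIT):
            if total > budget:
                return total, True
            out = d.decompress(d.unconsumed_tail, OUT_LIMIT)
            total += len(out)
    return total, total > budget


def scan_archive(archive, max_ratio=MAX_RATIO, budget=MAX_UNPACKED):
    """Return (member, reason) findings.
    Reasons: ratio, zero-size-header, budget-exceeded, size-mismatch."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            # 1. Cheap check on declared sizes, the one the quoted post says every scanner has.
            if info.compress_size and info.file_size / info.compress_size > max_ratio:
                findings.append((info.filename, "ratio"))
            # 2. A header that says "0 bytes" yet carries compressed data is itself suspicious.
            if info.file_size == 0 and info.compress_size > 0:
                findings.append((info.filename, "zero-size-header"))
            # 3. Bounded inflate: the budget holds whatever the headers claim.
            produced, exceeded = inflate_within_budget(archive, info, budget)
            if exceeded:
                findings.append((info.filename, "budget-exceeded"))
            elif produced != info.file_size:
                findings.append((info.filename, "size-mismatch"))
    return findings


if __name__ == "__main__":
    print(scan_archive(build_sample_zip()))                      # declared-ratio check fires
    print(scan_archive(zero_declared_size(build_sample_zip())))  # ratio check is blind, checks 2 and 3 are not
    print(scan_archive(build_sample_zip(), budget=200_000))      # budget stops the inflate early
```

The design point is the order of the checks: the ratio test is cheap but only as good as the numbers in the central directory, so on the zeroed-size fixture it reports nothing. The bounded inflate never consults those numbers, which is why a scanner configured this way cannot be talked into unpacking more than its budget, and comparing what actually came out with what the header promised turns the evasion itself into a finding.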