<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=ISO-8859-15">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<br>
<div class="moz-forward-container"><br>
<pre>It seems that recent trojans come with a 'zip encoding' format that is
not detected as a compressed file by Amavis. Since it is not detected as
compressed, no depacking is done and no file is banned, so the executable
can get through. The Unix "file" command identifies it as a "dat" file, so:
Sep 1 11:58:02 fwlinux2 amavis[17845]: (17845-18) check_for_banned
(p003,p002) multipart/mixed | application/zip,.dat,Ordine.doc.zip
Sep 1 11:58:02 fwlinux2 amavis[17845]: (17845-18) doing banned check
for edevena@gsy.it on multipart/mixed | application/zip,.dat,Ordine.doc.zip
Sep 1 11:58:02 fwlinux2 amavis[17845]: (17845-18)
lookup_re(["multipart/mixed","application/zip",".dat","Ordine.doc.zip"]), no
matches
whereas if the same EXE is zipped by hand with (e.g.) WinRAR:
Sep 1 11:27:19 fwlinux2 amavis[17833]: (17833-05) check_for_banned
(p003,p002,p004) multipart/mixed | application/zip,.zip,Nuovo WinRAR ZIP
archive.zip | .exe,.exe-ms,Ordine.doc.pif
Sep 1 11:27:19 fwlinux2 amavis[17833]: (17833-05) doing banned check
for edevena@gsy.it on multipart/mixed | application/zip,.zip,Nuovo
WinRAR ZIP archive.zip | .exe,.exe-ms,Ordine.doc.pif
Sep 1 11:27:19 fwlinux2 amavis[17833]: (17833-05)
lookup_re(["multipart/mixed","application/zip",".zip","Nuovo WinRAR ZIP
archive.zip",".exe",".exe-ms","Ordine.doc.pif"]) matches key
"(?-xism:^.(exe-ms|dll|pif)$)", result="1"
So what is needed is that amavis "recognizes" the attachment as a
"compressed file" not just via the "file" command but also by extension
(.zip), or that the "file" command recognizes that file as "zip".
Any ideas?
</pre>
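<p>The following is an added example, not part of the message above and not amavisd-new's own code. It emulates in Python the two-step check the log lines show (a type token derived from the content, the file name, then lookup_re over the token list with the same banned key) and contrasts a scanner that unpacks only when the magic bytes say "zip" with one that also unpacks on the .zip extension or on a valid zip structure. The archive with bytes prepended is an assumption about one way a zip can make "file" answer "data"; the post does not say what its sample looked like. The function names (scan, part_tokens, first_banned) and the "MZ" stub inside the archive are constructed for the example.</p>

```python
"""Added example (not from the original post, nor amavisd-new's own code).
Emulates amavis's "type tokens then lookup_re" banned check on a zip
attachment and shows why a magic-at-offset-0 ("file"-style) test can miss
an archive that the extension, or the zip structure itself, would reveal."""
import io
import re
import zipfile

# The key amavis logged was (?-xism:^.(exe-ms|dll|pif)$); the dot is escaped
# here so it only matches the type tokens ".exe-ms", ".dll", ".pif".
BANNED_RE = re.compile(r"^\.(exe-ms|dll|pif)$", re.IGNORECASE)

ZIP_MAGIC = b"PK\x03\x04"   # local file header signature that `file` keys on


def magic_says_zip(data):
    """`file`-style check: the signature must sit at offset 0."""
    return data.startswith(ZIP_MAGIC)


def extension_says_zip(name):
    return name.lower().endswith(".zip")


def structure_says_zip(data):
    """Looks for the end-of-central-directory record near the end of the
    data, so an archive with bytes prepended is still recognised."""
    return zipfile.is_zipfile(io.BytesIO(data))


def part_tokens(name, data):
    """Content-derived type token followed by the file name, in the order
    amavis prints them in check_for_banned."""
    if magic_says_zip(data):
        type_token = ".zip"
    elif data.startswith(b"MZ"):          # DOS/PE executable stub
        type_token = ".exe-ms"
    else:
        type_token = ".dat"              # what the poster's `file` reported
    return [type_token, name]


def first_banned(tokens):
    """lookup_re: the first token that hits the banned pattern, else None."""
    for token in tokens:
        if BANNED_RE.match(token):
            return token
    return None


def scan(name, data, unpack_by_extension=False):
    """Return (tokens, verdict). With unpack_by_extension=False only the
    magic check decides whether the part is unpacked (the behaviour the
    poster saw); with True, a .zip extension or a valid zip structure
    also triggers unpacking."""
    tokens = part_tokens(name, data)
    unpack = tokens[0] == ".zip"
    if not unpack and unpack_by_extension:
        unpack = extension_says_zip(name) or structure_says_zip(data)
    if unpack and structure_says_zip(data):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                tokens += part_tokens(info.filename, zf.read(info))
    return tokens, first_banned(tokens)


def build_sample():
    """Constructed archive: one member named like the one in the post, whose
    body is a fake 'MZ' stub (not a real executable)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Ordine.doc.pif", b"MZ" + b"\x90" * 62)
    return buf.getvalue()


CLEAN_ZIP = build_sample()
# Assumption, not a claim about the poster's sample: one way an archive can
# make `file` say "data" is to carry bytes before the first local header.
# Zip readers tolerate this because they locate entries from the end.
PREFIXED_ZIP = b"\x00" * 16 + CLEAN_ZIP


if __name__ == "__main__":
    for label, blob in (("clean", CLEAN_ZIP), ("prefixed", PREFIXED_ZIP)):
        for by_ext in (False, True):
            tokens, verdict = scan("Ordine.doc.zip", blob, by_ext)
            print(label, "unpack_by_extension=%s" % by_ext, tokens, "->", verdict)
```

Running it prints four lines: the clean archive is unpacked either way and banned on ".exe-ms"; the prefixed one yields only [".dat", "Ordine.doc.zip"] and no match under the magic-only rule, but is unpacked and banned once the extension or the zip structure is allowed to trigger decoding. The point for a gateway is that a magic test at offset 0 and a structural test answer different questions, and the banned check should see the contents whenever either says "archive".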
<br>
</div>
<br>
</body>
</html>