42.zip handled differently

Ralf Hildebrandt via amavis-users amavis-users at amavis.org
Fri Aug 30 15:24:15 CEST 2013


Sending 42.zip directly (as an attachment) using mutt yields these log
entries:

Aug 30 15:15:07 mail2 amavis[20373]: (20373-05) Checking: epOf5UUVRRlo [141.42.206.36] <Ralf.Hildebrandt at charite.de> -> <hildeb at charite.de>
Aug 30 15:15:07 mail2 amavis[20373]: (20373-05) p003 1 Content-Type: multipart/mixed
Aug 30 15:15:07 mail2 amavis[20373]: (20373-05) p001 1/1 Content-Type: text/plain, size: 286 B, name: 
Aug 30 15:15:07 mail2 amavis[20373]: (20373-05) p002 1/2 Content-Type: application/zip, size: 42374 B, name: 42.zip
Aug 30 15:15:20 mail2 amavis[20373]: (20373-05) running file(1) on 785 (out of 4096) files, arglist size 3999
Aug 30 15:15:20 mail2 amavis[20373]: (20373-05) running file(1) on 664 (out of 4096) files, arglist size 3997
Aug 30 15:15:20 mail2 amavis[20373]: (20373-05) running file(1) on 664 (out of 4096) files, arglist size 3997
Aug 30 15:15:20 mail2 amavis[20373]: (20373-05) running file(1) on 664 (out of 4096) files, arglist size 3997
Aug 30 15:15:20 mail2 amavis[20373]: (20373-05) running file(1) on 664 (out of 4096) files, arglist size 3997
Aug 30 15:15:21 mail2 amavis[20373]: (20373-05) running file(1) on 655 (out of 4096) files, arglist size 3943
Aug 30 15:15:47 mail2 amavis[20373]: (20373-05) Decoding of p651 (Zip archive data, at least v2.0 to extract) failed, leaving it unpacked: do_7zip: Maximum number of files (6000) exceeded at /usr/sbin/amavisd line 8862.
Aug 30 15:15:50 mail2 amavis[20373]: (20373-05) NOTICE: Virus scanning skipped: do_7zip: Maximum number of files (6000) exceeded at /usr/sbin/amavisd line 8862.
Aug 30 15:15:52 mail2 amavis[20373]: (20373-05) (!)NOTICE: HOLD reason: do_7zip: Maximum number of files (6000) exceeded at /usr/sbin/amavisd line 8862.
Aug 30 15:15:52 mail2 amavis[20373]: (20373-05) (!)Inserting header field: X-Amavis-Hold: do_7zip: Maximum number of files (6000) exceeded at /usr/sbin/amavisd line 8862.

Aug 30 15:15:52 mail2 amavis[20373]: (20373-05) FWD from <Ralf.Hildebrandt at charite.de> -> <hildeb at charite.de>,RET=FULL BODY=8BITMIME 250 2.0.0 from MTA(smtp:[127.0.0.1]:10026): 250 2.0.0 Ok: queued as 3cRLm84d8CzBrfR
Aug 30 15:15:52 mail2 amavis[20373]: (20373-05) Passed UNCHECKED {RelayedInternal}, LOCAL [141.42.206.36]:34055 [141.42.206.36] <Ralf.Hildebrandt at charite.de> -> <hildeb at charite.de>, Message-ID: <20130830131506.GC13449 at charite.de>, mail_id: epOf5UUVRRlo, Hits: -4.495, size: 59440, queued_as: 3cRLm84d8CzBrfR, dkim_new=default:charite.de, 45416 ms

So, the mail is unpacked until the file number limit is reached; after
that it's being "Passed UNCHECKED". So far, so good.


But if I create an email from it using mpack (using:
mpack -s 42.zip -o 42.zip.txt 42.zip)
and attach THAT in mutt (so basically creating a message/rfc822
attachment!), I'm immediately getting:

Aug 30 15:07:22 mail2 amavis[17731]: (17731-08) Checking: g0LIka1nMAeD [141.42.206.36] <Ralf.Hildebrandt at charite.de> -> <hildeb at charite.de>
Aug 30 15:07:22 mail2 amavis[17731]: (17731-08) p003 1 Content-Type: multipart/mixed
Aug 30 15:07:22 mail2 amavis[17731]: (17731-08) p001 1/1 Content-Type: text/plain, size: 277 B, name: 
Aug 30 15:07:22 mail2 amavis[17731]: (17731-08) p002 1/2 Content-Type: text/plain, size: 57784 B, name: 01_sample-42-mail-bomb.txt
Aug 30 15:07:23 mail2 amavis[17731]: (17731-08) run_av (ClamAV-clamd): /var/amavis/amavis-20130830T150440-17731-M00LkpB7/parts INFECTED: Trojan.ArcBomb-1, Trojan.ArcBomb-1
Aug 30 15:07:23 mail2 amavis[17731]: (17731-08) virus_scan: (Trojan.ArcBomb-1), detected by 1 scanners: ClamAV-clamd
Aug 30 15:07:23 mail2 amavis[17731]: (17731-08) header_edits_for_quar: <Ralf.Hildebrandt at charite.de> -> <hildeb at charite.de>, No, score=x tag=x tag2=x kill=x tests=[] autolearn=unavailable
Aug 30 15:07:23 mail2 amavis[17731]: (17731-08) Blocked INFECTED (Trojan.ArcBomb-1) {RejectedInternal,Quarantined}, LOCAL [141.42.206.36]:33827 [141.42.206.36] <Ralf.Hildebrandt at charite.de> -> <hildeb at charite.de>, Message-ID: <20130830130722.GB13449 at charite.de>, mail_id: g0LIka1nMAeD, Hits: -, size: 59938, 1091 ms

But why? The 42.zip "inside" is still the same!?

-- 
Ralf Hildebrandt                   Charite Universitätsmedizin Berlin
ralf.hildebrandt at charite.de        Campus Benjamin Franklin
http://www.charite.de              Hindenburgdamm 30, 12203 Berlin
Geschäftsbereich IT, Abt. Netzwerk fon: +49-30-450.570.155
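
Added example, not part of the original post and not amavis code: a small log check that correlates amavis lines by the parenthesised session id seen in the logs above and reports mail that was delivered although virus scanning was skipped. The sample lines are abridged from the post; the function names and the assumption that one session id maps to one message are this example's own.

```python
import re
from collections import defaultdict

# Abridged from the log entries quoted in the post above (addresses omitted).
SAMPLE_LOG = """\
Aug 30 15:15:07 mail2 amavis[20373]: (20373-05) p002 1/2 Content-Type: application/zip, size: 42374 B, name: 42.zip
Aug 30 15:15:47 mail2 amavis[20373]: (20373-05) Decoding of p651 (Zip archive data, at least v2.0 to extract) failed, leaving it unpacked: do_7zip: Maximum number of files (6000) exceeded at /usr/sbin/amavisd line 8862.
Aug 30 15:15:50 mail2 amavis[20373]: (20373-05) NOTICE: Virus scanning skipped: do_7zip: Maximum number of files (6000) exceeded at /usr/sbin/amavisd line 8862.
Aug 30 15:15:52 mail2 amavis[20373]: (20373-05) Passed UNCHECKED {RelayedInternal}, LOCAL [141.42.206.36]:34055 [141.42.206.36], mail_id: epOf5UUVRRlo, size: 59440
Aug 30 15:07:23 mail2 amavis[17731]: (17731-08) virus_scan: (Trojan.ArcBomb-1), detected by 1 scanners: ClamAV-clamd
Aug 30 15:07:23 mail2 amavis[17731]: (17731-08) Blocked INFECTED (Trojan.ArcBomb-1) {RejectedInternal,Quarantined}, LOCAL [141.42.206.36]:33827 [141.42.206.36], mail_id: g0LIka1nMAeD, size: 59938
"""

# "(pid-seq)" session id followed by the message text of the log line.
LINE = re.compile(r"amavis\[\d+\]: \((?P<sid>\d+-\d+)\) (?P<msg>.*)")
SKIPPED = re.compile(r"Virus scanning skipped: (?P<reason>.*)")
VERDICT = re.compile(
    r"(?P<action>Passed|Blocked) (?P<cat>[A-Z-]+)\b.*?mail_id: (?P<mail_id>[^,\s]+)"
)

def summarize(log_text):
    """Correlate amavis lines by session id; return one record per session."""
    sessions = defaultdict(lambda: {"skip_reason": None})
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        rec, msg = sessions[m["sid"]], m["msg"]
        if (s := SKIPPED.search(msg)):
            rec["skip_reason"] = s["reason"]
        elif (v := VERDICT.match(msg)):
            rec.update(action=v["action"], category=v["cat"], mail_id=v["mail_id"])
    return dict(sessions)

def delivered_unscanned(log_text):
    """mail_ids that were passed on although virus scanning was skipped."""
    return sorted(
        r["mail_id"] for r in summarize(log_text).values()
        if r.get("action") == "Passed"
        and r.get("category") == "UNCHECKED"
        and r["skip_reason"]
    )

if __name__ == "__main__":
    for sid, rec in summarize(SAMPLE_LOG).items():
        print(sid, rec)
    print("delivered without AV scan:", delivered_unscanned(SAMPLE_LOG))
```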