42.zip handled differently

Patrik Båt via amavis-users amavis-users at amavis.org
Fri Aug 30 16:49:16 CEST 2013


ClamAV detects that it is an ArcBomb, aka a lot of packed files in a 
packed file. :)

First time, amavis hit a limit.
Second time, ClamAV found a "trojan".

working as intended! (IMHO)

On Fri 30 Aug 2013 15:24:15, Ralf Hildebrandt via amavis-users wrote:
> Sending 42.zip directly (as an attachment) using mutt yields these log
> entries:
>
> Aug 30 15:15:07 mail2 amavis[20373]: (20373-05) Checking: epOf5UUVRRlo [141.42.206.36] <Ralf.Hildebrandt at charite.de> -> <hildeb at charite.de>
> Aug 30 15:15:07 mail2 amavis[20373]: (20373-05) p003 1 Content-Type: multipart/mixed
> Aug 30 15:15:07 mail2 amavis[20373]: (20373-05) p001 1/1 Content-Type: text/plain, size: 286 B, name:
> Aug 30 15:15:07 mail2 amavis[20373]: (20373-05) p002 1/2 Content-Type: application/zip, size: 42374 B, name: 42.zip
> Aug 30 15:15:20 mail2 amavis[20373]: (20373-05) running file(1) on 785 (out of 4096) files, arglist size 3999
> Aug 30 15:15:20 mail2 amavis[20373]: (20373-05) running file(1) on 664 (out of 4096) files, arglist size 3997
> Aug 30 15:15:20 mail2 amavis[20373]: (20373-05) running file(1) on 664 (out of 4096) files, arglist size 3997
> Aug 30 15:15:20 mail2 amavis[20373]: (20373-05) running file(1) on 664 (out of 4096) files, arglist size 3997
> Aug 30 15:15:20 mail2 amavis[20373]: (20373-05) running file(1) on 664 (out of 4096) files, arglist size 3997
> Aug 30 15:15:21 mail2 amavis[20373]: (20373-05) running file(1) on 655 (out of 4096) files, arglist size 3943
> Aug 30 15:15:47 mail2 amavis[20373]: (20373-05) Decoding of p651 (Zip archive data, at least v2.0 to extract) failed, leaving it unpacked: do_7zip: Maximum number of files (6000) exceeded at /usr/sbin/amavisd line 8862.
> Aug 30 15:15:50 mail2 amavis[20373]: (20373-05) NOTICE: Virus scanning skipped: do_7zip: Maximum number of files (6000) exceeded at /usr/sbin/amavisd line 8862.
> Aug 30 15:15:52 mail2 amavis[20373]: (20373-05) (!)NOTICE: HOLD reason: do_7zip: Maximum number of files (6000) exceeded at /usr/sbin/amavisd line 8862.
> Aug 30 15:15:52 mail2 amavis[20373]: (20373-05) (!)Inserting header field: X-Amavis-Hold: do_7zip: Maximum number of files (6000) exceeded at /usr/sbin/amavisd line 8862.
>
> Aug 30 15:15:52 mail2 amavis[20373]: (20373-05) FWD from <Ralf.Hildebrandt at charite.de> -> <hildeb at charite.de>,RET=FULL
> BODY=8BITMIME 250 2.0.0 from MTA(smtp:[127.0.0.1]:10026): 250 2.0.0 Ok: queued as 3cRLm84d8CzBrfR
> Aug 30 15:15:52 mail2 amavis[20373]: (20373-05) Passed UNCHECKED {RelayedInternal}, LOCAL [141.42.206.36]:34055 [141.42.206.36]
> <Ralf.Hildebrandt at charite.de> -> <hildeb at charite.de>, Message-ID: <20130830131506.GC13449 at charite.de>, mail_id: epOf5UUVRRlo, Hits:
> -4.495, size: 59440, queued_as: 3cRLm84d8CzBrfR, dkim_new=default:charite.de, 45416 ms
>
> So, the mail is unpacked until the file number limit is reached, after
> that it's being "Passed UNCHECKED". So far, so good.
>
>
> But if I create an email from it using mpack (using:
> mpack -s 42.zip -o 42.zip.txt 42.zip)
> and attach THAT in mutt -- (so basically creating a message/rfc822
> attachment!), I'm immediately getting:
>
> Aug 30 15:07:22 mail2 amavis[17731]: (17731-08) Checking: g0LIka1nMAeD [141.42.206.36] <Ralf.Hildebrandt at charite.de> -> <hildeb at charite.de>
> Aug 30 15:07:22 mail2 amavis[17731]: (17731-08) p003 1 Content-Type: multipart/mixed
> Aug 30 15:07:22 mail2 amavis[17731]: (17731-08) p001 1/1 Content-Type: text/plain, size: 277 B, name:
> Aug 30 15:07:22 mail2 amavis[17731]: (17731-08) p002 1/2 Content-Type: text/plain, size: 57784 B, name: 01_sample-42-mail-bomb.txt
> Aug 30 15:07:23 mail2 amavis[17731]: (17731-08) run_av (ClamAV-clamd): /var/amavis/amavis-20130830T150440-17731-M00LkpB7/parts INFECTED: Trojan.ArcBomb-1, Trojan.ArcBomb-1
> Aug 30 15:07:23 mail2 amavis[17731]: (17731-08) virus_scan: (Trojan.ArcBomb-1), detected by 1 scanners: ClamAV-clamd
> Aug 30 15:07:23 mail2 amavis[17731]: (17731-08) header_edits_for_quar: <Ralf.Hildebrandt at charite.de> -> <hildeb at charite.de>, No, score=x tag=x tag2=x kill=x tests=[] autolearn=unavailable
> Aug 30 15:07:23 mail2 amavis[17731]: (17731-08) Blocked INFECTED (Trojan.ArcBomb-1) {RejectedInternal,Quarantined}, LOCAL
> [141.42.206.36]:33827 [141.42.206.36] <Ralf.Hildebrandt at charite.de> -> <hildeb at charite.de>, Message-ID: <20130830130722.GB13449 at charite.de>, mail_id: g0LIka1nMAeD, Hits: -, size: 59938, 1091 ms
>
> But why? The 42.zip "inside" is still the same!?
>

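Both outcomes in the thread depend on how far the scanner gets before a limit trips: amavis unpacked until its 6000-file limit and passed the mail UNCHECKED, while ClamAV flagged the archive bomb outright. As an added example (not amavis or ClamAV code), the Python below reads a zip's central directory, peeks at each member's magic bytes to follow nested archives, and returns a verdict on file count or declared expansion ratio before inflating any leaf file. The 6000-file limit is the one from the log; the ratio, depth and in-memory size caps, and the constructed sample bomb, are assumptions made for this example.

```python
import io
import zipfile
from dataclasses import dataclass
from typing import Optional

MAX_FILES = 6000            # amavis's do_7zip "Maximum number of files (6000)" from the log
MAX_RATIO = 100.0           # assumed: declared uncompressed bytes / bytes on the wire
MAX_DEPTH = 8               # assumed: nested-archive depth limit
NESTED_READ_CAP = 4 << 20   # assumed: never inflate a nested archive bigger than this


@dataclass
class ArchiveStats:
    files: int = 0                   # members seen across all nesting levels
    uncompressed: int = 0            # sum of leaf sizes as declared in central directories
    verdict: Optional[str] = None    # None means no limit was hit


def _walk(data: bytes, depth: int, st: ArchiveStats) -> None:
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for zi in zf.infolist():
            if st.verdict:
                return
            st.files += 1
            if st.files > MAX_FILES:
                st.verdict = f"too many files (>{MAX_FILES})"
                return
            with zf.open(zi) as fh:          # inflate only 4 bytes to identify nested zips
                magic = fh.read(4)
            if magic == b"PK\x03\x04" and depth < MAX_DEPTH and zi.file_size <= NESTED_READ_CAP:
                _walk(zf.read(zi), depth + 1, st)   # inner members are counted by the recursion
            else:
                st.uncompressed += zi.file_size     # header value: untrusted, but costs nothing


def inspect_zip(data: bytes) -> ArchiveStats:
    """Count members and declared expansion of a zip (and nested zips) without extracting leaves."""
    st = ArchiveStats()
    _walk(data, 0, st)
    ratio = st.uncompressed / max(len(data), 1)
    if st.verdict is None and ratio > MAX_RATIO:
        st.verdict = f"expansion ratio {ratio:.0f}:1 exceeds {MAX_RATIO:.0f}:1"
    return st


def build_sample_bomb(copies: int = 16, leaf_size: int = 1 << 20) -> bytes:
    """Constructed input: one file of zeros, zipped, then wrapped `copies` times in an outer zip."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("leaf.bin", b"\0" * leaf_size)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w", zipfile.ZIP_DEFLATED) as z:
        for i in range(copies):
            z.writestr(f"lib{i}.zip", inner.getvalue())
    return outer.getvalue()
```

The sample has only 32 members, so the 6000-file limit never fires; it is the declared expansion (16 MiB from a few kilobytes) that produces the verdict, which is the check a mail gateway can run from the central directory alone.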