[Esd-l] ZIP attachments

John D. Hardin jhardin at impsec.org
Thu Jul 29 17:11:57 PDT 2004


On Thu, 29 Jul 2004, Scott Taylor wrote:

> Sorry John, et al,
> 
> I'm sure we go through this every time there is an upgrade.  
> There is no need for any of my users to receive zip files.  
> Putting .zip "*.zip" in the poison list doesn't stop them.  Why
> not?  To me, it would seem the logical file to put file names,
> extensions, and/or regex's of file names you don't want to receive.  
> What else is the poison list good for?

For historical design reasons, the poison and strip lists only apply
to extensions that appear in the mangled-extensions list.

There are exceptions: Office document file extensions and .ZIP are
"special" and can be poisoned or stripped whether or not they appear
in the mangle list. This has yet to be made a general rule, though.

Therefore, you should be able to put "*.zip" in your poisoned-files
list and all messages with .zip attachments *should* be poisoned. I
don't know why it's not working for you.

Can you set DEBUG=Y and send a test message through? You should see
something like this in your log file (per the contents of *your*
poison list, of course):

 Checking ZIP archive "test.zip" for poisoning.
  Checking against ".*\.exe(\?=)?$"
  Checking against ".*\.asd(\?=)?$"
  Checking against ".*\.bat(\?=)?$"
  Checking against ".*\.chm(\?=)?$"
  Checking against ".*\.com(\?=)?$"
  Checking against ".*\.cil(\?=)?$"
  Checking against ".*\.dll(\?=)?$"
  Checking against ".*\.hlp(\?=)?$"
  Checking against ".*\.hta(\?=)?$"
  Checking against ".*\.js(\?=)?$"
  Checking against ".*\.lnk(\?=)?$"
  Checking against ".*\.nws(\?=)?$"
  Checking against ".*\.ocx(\?=)?$"
  Checking against ".*\.pif(\?=)?$"
  Checking against ".*\.reg(\?=)?$"
  Checking against ".*\.scr(\?=)?$"
  Checking against ".*\.sh[bs](\?=)?$"
  Checking against ".*\.vb(\?=)?$"
  Checking against ".*\.vb[se](\?=)?$"
  Checking against ".*\.ws[cfh](\?=)?$"
  Checking against ".*\.[a-z][a-z]\.(?=[a-z0-9]+$)(?!(doc$|xls$))"
  Checking against ".*\.[a-z][a-z]\s+\.(?=[a-z0-9]+$)(?!(doc$|xls$))"
  Checking against ".*\.[a-z][a-z][a-z0-9]\.(?=[a-z0-9]+$)(?!(doc$|xls$))"
  Checking against ".*\.[a-z][a-z][a-z0-9]\s+\.(?=[a-z0-9]+$)(?!(doc$|xls$))"
  Checking against ".*\s+\.exe(\?=)?$"
  Checking against "[0-9]+-i386-update\.exe(\?=)?$"
  Checking against "ie[0-9]+\.exe(\?=)?$"
  Checking against "..*romeo\.exe(\?=)?$"
  Checking against "test\.zip(\?=)?$"
 Trapped poisoned ZIP archive "test.zip".


--
 John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
 jhardin at impsec.org    FALaholic #11174    pgpk -a jhardin at impsec.org
 key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  The [assault weapons] ban is the moral equivalent of banning red
  cars because they look too fast.
                                   -- Steve Chapman, Chicago Tribune
-----------------------------------------------------------------------
   46 days until the "Scary-Looking Guns" ban expires
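
As an added illustration of the checking described in the message above (my own example, not code from the Sanitizer itself or from this thread), here is a small Python filter that applies a poison list the way the debug log shows it: the archive's own name is tried against every pattern first, then each member name inside the ZIP. The pattern strings are copied from the log. Everything else is an assumption of the example, not documented Sanitizer behaviour: that "*.zip" in the poison list becomes the regex `.*\.zip(\?=)?$` (by analogy with "test.zip" appearing as `test\.zip` in the log), that matching is case-insensitive, and the nesting and member-size limits, which the example adds for ZIP-in-ZIP and oversized members.

```python
import io
import re
import zipfile

# Poison-list patterns copied from the debug log above (Perl regex syntax,
# which Python's re accepts for these). The trailing (\?=)?$ also accepts a
# name ending in "?=", which is how an RFC 2047 encoded word ends, so an
# encoded-word filename still matches. Assumption: matching is
# case-insensitive; the log does not show the Sanitizer's case handling.
POISON_PATTERNS = [
    r".*\.exe(\?=)?$",
    r".*\.bat(\?=)?$",
    r".*\.pif(\?=)?$",
    r".*\.scr(\?=)?$",
    r".*\.vb[se](\?=)?$",
    r".*\.ws[cfh](\?=)?$",
    # double-extension traps ("report.doc.exe", "photo.jpg .exe"), except
    # when the final extension is doc or xls
    r".*\.[a-z][a-z]\.(?=[a-z0-9]+$)(?!(doc$|xls$))",
    r".*\.[a-z][a-z]\s+\.(?=[a-z0-9]+$)(?!(doc$|xls$))",
    r".*\.[a-z][a-z][a-z0-9]\.(?=[a-z0-9]+$)(?!(doc$|xls$))",
    r".*\.[a-z][a-z][a-z0-9]\s+\.(?=[a-z0-9]+$)(?!(doc$|xls$))",
    r".*\s+\.exe(\?=)?$",
]

# Scott's case: "*.zip" in the poison list. Assumption: the glob becomes the
# regex below, by analogy with "test.zip" appearing as test\.zip in the log.
ZIP_POISON_PATTERNS = POISON_PATTERNS + [r".*\.zip(\?=)?$"]

MAX_NESTING = 2                # assumption: how deep to follow zip-in-zip
MAX_MEMBER_BYTES = 50_000_000  # assumption: refuse members declared larger


def first_poison_match(name, patterns=POISON_PATTERNS):
    """Return the first pattern that traps `name`, or None (one test per
    pattern, like the "Checking against" lines in the log)."""
    for pat in patterns:
        if re.match(pat, name, re.IGNORECASE):
            return pat
    return None


def make_zip(members):
    """Build a ZIP archive in memory from {member_name: bytes}.
    Constructed test data, not a real attachment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for member, payload in members.items():
            zf.writestr(member, payload)
    return buf.getvalue()


def check_attachment(name, data, patterns=POISON_PATTERNS, depth=0):
    """Decide whether attachment `name` (raw bytes `data`) is poisoned.

    Returns (verdict, path, reason): verdict is "poisoned" or "clean";
    path names the offending file (archive:member for ZIP contents).
    Order follows the log: the archive's own name first, then every
    member name. Nested archives are descended up to MAX_NESTING.
    """
    hit = first_poison_match(name, patterns)
    if hit:
        return ("poisoned", name, hit)
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return ("clean", name, None)
    if depth >= MAX_NESTING:
        # Conservative policy (assumption): too-deep nesting is itself suspect.
        return ("poisoned", name, "nested deeper than MAX_NESTING")
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            member = info.filename
            hit = first_poison_match(member, patterns)
            if hit:
                return ("poisoned", f"{name}:{member}", hit)
            if info.file_size > MAX_MEMBER_BYTES:
                return ("poisoned", f"{name}:{member}", "declared size too large")
            if member.lower().endswith(".zip"):
                inner = check_attachment(member, zf.read(info), patterns, depth + 1)
                if inner[0] == "poisoned":
                    return ("poisoned", f"{name}:{inner[1]}", inner[2])
    return ("clean", name, None)


if __name__ == "__main__":
    clean = make_zip({"readme.txt": b"nothing to see"})
    bad = make_zip({"readme.txt": b"...", "invoice.pdf.exe": b"MZ..."})
    print(check_attachment("test.zip", clean))
    print(check_attachment("test.zip", bad))
    print(check_attachment("test.zip", clean, ZIP_POISON_PATTERNS))
```

Run as a script it shows the two outcomes under discussion: with the log's list a harmless test.zip is clean and only an archive carrying a trapped member name is poisoned, while with the extra `*.zip` entry every .zip attachment is trapped on its own name before the members are even looked at. One thing worth noticing about the double-extension patterns exactly as printed in the log: they also match a name like backup.tar.gz, since ".tar." followed by "gz" satisfies them; whether the Sanitizer's full configuration exempts such names is not shown in this log.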

