Educause Security Discussion mailing list archives

Re: blocking .ZIP attachments


From: "Jeffrey I. Schiller" <jis () MIT EDU>
Date: Fri, 20 Aug 2004 21:37:16 -0400

We permit .ZIP files, however we have been quite successful in
blocking all variants of myDoom, Bagle, et al. with a simple check of
the ZIP file. We do this with our own filter (written in Python and
integrated into the sendmail binary). The algorithm is:

* If the first component of the ZIP file is between 20k and 40k and is
  stored instead of deflated.

* The first component (undeflated) is between 20k and 40k and is
  deflated, but the compressed size is greater than the uncompressed
  size.

These checks are reasonably fast, as all the needed information is in
the ZIP file header; no deflating is required. The checks are also
agnostic vis-à-vis encryption: the header is in the clear even in
encrypted ZIP files.

If people are interested, I can provide more information on our
system.

                        -Jeff

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.
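The two header checks Jeff describes, written out as an added example. This is not the MIT filter's code, and the size band, the sample archives, and the fallback to the central directory for entries written with a data descriptor are assumptions of this example. Only the 30-byte local file header of the first entry is read; it is unencrypted even in password-protected archives, and nothing is inflated.

```python
import io
import random
import struct
import zipfile

# ZIP local file header: signature, version, flags, method, mtime, mdate,
# crc32, compressed size, uncompressed size, name length, extra length.
LOCAL_HEADER = struct.Struct("<IHHHHHIIIHH")
LOCAL_SIG = 0x04034B50
STORED, DEFLATED = 0, 8
# Size band from the post ("between 20k and 40k"); 1024-byte units assumed.
LOW, HIGH = 20 * 1024, 40 * 1024


def first_entry_sizes(data):
    """Return (method, compressed_size, uncompressed_size) for the first
    entry, taken from the local header. Returns None if data is not a ZIP."""
    if len(data) < LOCAL_HEADER.size:
        return None
    sig, _ver, flags, method, _t, _d, _crc, csize, usize, _fn, _ex = \
        LOCAL_HEADER.unpack_from(data, 0)
    if sig != LOCAL_SIG:
        return None
    if flags & 0x0008:
        # General-purpose bit 3: sizes are zero here and stored in a data
        # descriptor after the payload. Fall back to the central directory,
        # which is still read without inflating or decrypting anything.
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                info = zf.infolist()[0]
        except (zipfile.BadZipFile, IndexError):
            return None
        return info.compress_type, info.compress_size, info.file_size
    return method, csize, usize


def looks_like_worm_zip(data):
    """True if the first entry matches either of the two header heuristics."""
    sizes = first_entry_sizes(data)
    if sizes is None:
        return False
    method, csize, usize = sizes
    if not (LOW <= usize <= HIGH):
        return False
    if method == STORED:
        return True  # 20k-40k payload stored rather than deflated
    if method == DEFLATED and csize > usize:
        return True  # deflated, yet it grew: incompressible (packed) payload
    return False


def make_zip(name, payload, method):
    """Build an in-memory archive with a single entry (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=method) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()


# Constructed sample payloads: seeded pseudo-random bytes stand in for a
# packed executable; repetitive text stands in for an ordinary document.
_rng = random.Random(20040820)
INCOMPRESSIBLE = bytes(_rng.getrandbits(8) for _ in range(30_000))
TEXT = b"quarterly report line\n" * 1500  # 33,000 bytes, compresses well

SAMPLES = {
    "stored_30k": make_zip("document.exe", INCOMPRESSIBLE, zipfile.ZIP_STORED),
    "deflated_incompressible_30k": make_zip("photo.scr", INCOMPRESSIBLE, zipfile.ZIP_DEFLATED),
    "deflated_text_33k": make_zip("report.txt", TEXT, zipfile.ZIP_DEFLATED),
    "stored_5k": make_zip("notes.txt", b"x" * 5000, zipfile.ZIP_STORED),
}


def classify_all():
    """Run the heuristic over every constructed sample."""
    return {name: looks_like_worm_zip(blob) for name, blob in SAMPLES.items()}


if __name__ == "__main__":
    for name, flagged in classify_all().items():
        print(f"{name:30s} {'BLOCK' if flagged else 'allow'}")
```

The two positive samples are caught by different rules: the stored one by the first, the deflated one by the second (deflate adds a few bytes of block overhead to data it cannot shrink, so the compressed size exceeds the original). The 33 KB text document deflates to a fraction of its size and passes, as does the small stored file outside the band.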
