Re: Anti Virus Mailscanners DOS

From: Lars Hecking (lheckingat_private)
Date: Wed Feb 27 2002 - 02:53:05 PST


     
    > I know one commercial mail-virus-scanner, that has a "maximum compression ratio" parameter.
    > If any archive has a higher compression ratio than e.g. 1:5, it stops the unpacking process.
     
     The current snapshot release of amavisd *1 has three different mechanisms
     to escape such a mailbomb scenario:
    
     - a configurable compression rate like the one you describe above
     - a configurable limit for the total number of extracted files
     - a configurable limit for the nesting level of archives (any compression
       format that amavis supports)
    
     Of course, all this is no help with the scenario originally posted, one
     single, highly compressed file, and the code is commented accordingly.
    
    > I agree that "simple" unzip, bunzip2 programs that are used with mail scanners
    > could block your partition. It seems that it is better to check messages on the fly, in memory.
     
     [Sophos sweep does it this way, neatly.]
    
     But in general, you cannot rely on the virus scanner. Most command line
     scanners don't know MIME at all.
    
     Secondly, if you take e.g. the previously mentioned 42.zip and compress it
     in a format your virus scanner does not understand, even the most cunning
     .zip extraction routine won't help.
    
     The German computer magazine iX *2 was recently *3 testing commercial
     antivirus products for email environments with a permutation of
     MIME/base64/uu encoded files containing different types of archives,
     and many scanners just couldn't deal with it. Some don't know what
     to do with base64/uu, while others lack support for common compression
     formats. (Translated) Quote: "Out of 1245 infected test emails, $PRODUCT
     only allowed 463 through, not a bad rate." No comment.
    
     Unfortunately, DoS attacks were only covered briefly, but other weaknesses
     were exposed (SMTP based mail gateway acting as open relay etc.)
    
     *1 http://www.amavis.org/contrib/
     *2 http://www.heise.de/ix/
     *3 iX 02/2002, not available online
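An in-memory check that applies the three amavisd-style limits described above (compression ratio, total member count, nesting depth) to zip archives before anything is written to disk. This is an added example, not amavisd's code; the limit values and the test archives are constructed for illustration.

```python
import io
import zipfile

# Constructed limits (assumed for this example; amavisd reads its own
# values from its configuration).
MAX_RATIO = 5.0   # reject members compressed tighter than 1:5
MAX_FILES = 100   # total members across all nesting levels
MAX_DEPTH = 2     # archives-within-archives we are willing to open


class ArchiveBombRejected(Exception):
    pass


def inspect_zip(data: bytes, depth: int = 0, count: int = 0) -> int:
    """Walk a zip archive held in memory, enforcing the three limits.
    Returns the running member count or raises ArchiveBombRejected."""
    if depth > MAX_DEPTH:
        raise ArchiveBombRejected(f"nesting deeper than {MAX_DEPTH}")
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            count += 1
            if count > MAX_FILES:
                raise ArchiveBombRejected(f"more than {MAX_FILES} members")
            # Ratio comes from the central-directory header, so the
            # decision is made before any data is decompressed. A forged
            # header is the residual risk, so extraction must stay bounded.
            ratio = info.file_size / max(info.compress_size, 1)
            if ratio > MAX_RATIO:
                raise ArchiveBombRejected(
                    f"{info.filename}: 1:{ratio:.0f} exceeds 1:{MAX_RATIO:.0f}")
            if info.filename.lower().endswith(".zip"):
                # Nested archive: recurse in memory, never touching disk.
                count = inspect_zip(zf.read(info), depth + 1, count)
    return count


def is_safe(data: bytes) -> bool:
    """Convenience wrapper: True if the archive passes all three limits."""
    try:
        inspect_zip(data)
        return True
    except ArchiveBombRejected:
        return False


def make_zip(members: dict) -> bytes:
    """Build a constructed test archive in memory from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return buf.getvalue()
```

As the message notes, this only helps for formats the scanner can parse; a single highly compressible file in an unknown container passes through untouched.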
    



    This archive was generated by hypermail 2b30 : Thu Feb 28 2002 - 23:08:11 PST