Sending 42.zip directly (as an attachment) using mutt yields these log entries:
Aug 30 15:15:07 mail2 amavis[20373]: (20373-05) Checking: epOf5UUVRRlo [141.42.206.36] <[email protected]> -> <[email protected]>
Aug 30 15:15:07 mail2 amavis[20373]: (20373-05) p003 1 Content-Type: multipart/mixed
Aug 30 15:15:07 mail2 amavis[20373]: (20373-05) p001 1/1 Content-Type: text/plain, size: 286 B, name:
Aug 30 15:15:07 mail2 amavis[20373]: (20373-05) p002 1/2 Content-Type: application/zip, size: 42374 B, name: 42.zip
Aug 30 15:15:20 mail2 amavis[20373]: (20373-05) running file(1) on 785 (out of 4096) files, arglist size 3999
Aug 30 15:15:20 mail2 amavis[20373]: (20373-05) running file(1) on 664 (out of 4096) files, arglist size 3997
Aug 30 15:15:20 mail2 amavis[20373]: (20373-05) running file(1) on 664 (out of 4096) files, arglist size 3997
Aug 30 15:15:20 mail2 amavis[20373]: (20373-05) running file(1) on 664 (out of 4096) files, arglist size 3997
Aug 30 15:15:20 mail2 amavis[20373]: (20373-05) running file(1) on 664 (out of 4096) files, arglist size 3997
Aug 30 15:15:21 mail2 amavis[20373]: (20373-05) running file(1) on 655 (out of 4096) files, arglist size 3943
Aug 30 15:15:47 mail2 amavis[20373]: (20373-05) Decoding of p651 (Zip archive data, at least v2.0 to extract) failed, leaving it unpacked: do_7zip: Maximum number of files (6000) exceeded at /usr/sbin/amavisd line 8862.
Aug 30 15:15:50 mail2 amavis[20373]: (20373-05) NOTICE: Virus scanning skipped: do_7zip: Maximum number of files (6000) exceeded at /usr/sbin/amavisd line 8862.
Aug 30 15:15:52 mail2 amavis[20373]: (20373-05) (!)NOTICE: HOLD reason: do_7zip: Maximum number of files (6000) exceeded at /usr/sbin/amavisd line 8862.
Aug 30 15:15:52 mail2 amavis[20373]: (20373-05) (!)Inserting header field: X-Amavis-Hold: do_7zip: Maximum number of files (6000) exceeded at /usr/sbin/amavisd line 8862.
Aug 30 15:15:52 mail2 amavis[20373]: (20373-05) FWD from <[email protected]> -> <[email protected]>,RET=FULL BODY=8BITMIME 250 2.0.0 from MTA(smtp:[127.0.0.1]:10026): 250 2.0.0 Ok: queued as 3cRLm84d8CzBrfR
Aug 30 15:15:52 mail2 amavis[20373]: (20373-05) Passed UNCHECKED {RelayedInternal}, LOCAL [141.42.206.36]:34055 [141.42.206.36] <[email protected]> -> <[email protected]>, Message-ID: <[email protected]>, mail_id: epOf5UUVRRlo, Hits: -4.495, size: 59440, queued_as: 3cRLm84d8CzBrfR, dkim_new=default:charite.de, 45416 ms

So, the mail is unpacked until the file number limit is reached; after that it's being "Passed UNCHECKED". So far, so good.

But if I create an email from it using mpack (using: mpack -s 42.zip -o 42.zip.txt 42.zip) and attach THAT in mutt (so basically creating a message/rfc822 attachment!), I'm immediately getting:

Aug 30 15:07:22 mail2 amavis[17731]: (17731-08) Checking: g0LIka1nMAeD [141.42.206.36] <[email protected]> -> <[email protected]>
Aug 30 15:07:22 mail2 amavis[17731]: (17731-08) p003 1 Content-Type: multipart/mixed
Aug 30 15:07:22 mail2 amavis[17731]: (17731-08) p001 1/1 Content-Type: text/plain, size: 277 B, name:
Aug 30 15:07:22 mail2 amavis[17731]: (17731-08) p002 1/2 Content-Type: text/plain, size: 57784 B, name: 01_sample-42-mail-bomb.txt
Aug 30 15:07:23 mail2 amavis[17731]: (17731-08) run_av (ClamAV-clamd): /var/amavis/amavis-20130830T150440-17731-M00LkpB7/parts INFECTED: Trojan.ArcBomb-1, Trojan.ArcBomb-1
Aug 30 15:07:23 mail2 amavis[17731]: (17731-08) virus_scan: (Trojan.ArcBomb-1), detected by 1 scanners: ClamAV-clamd
Aug 30 15:07:23 mail2 amavis[17731]: (17731-08) header_edits_for_quar: <[email protected]> -> <[email protected]>, No, score=x tag=x tag2=x kill=x tests=[] autolearn=unavailable
Aug 30 15:07:23 mail2 amavis[17731]: (17731-08) Blocked INFECTED (Trojan.ArcBomb-1) {RejectedInternal,Quarantined}, LOCAL [141.42.206.36]:33827 [141.42.206.36] <[email protected]> -> <[email protected]>, Message-ID: <[email protected]>, mail_id: g0LIka1nMAeD, Hits: -, size: 59938, 1091 ms

But why? The 42.zip "inside" is still the same!?

--
Ralf Hildebrandt
Charite Universitätsmedizin Berlin
[email protected]
Campus Benjamin Franklin
http://www.charite.de
Hindenburgdamm 30, 12203 Berlin
Geschäftsbereich IT, Abt. Netzwerk
fon: +49-30-450.570.155
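The two outcomes in the logs above (amavis giving up on a nested archive once its member budget is spent, versus a scanner that flags the archive as a bomb) can be reproduced against a constructed nested zip without ever inflating it. The following is an added example, not code from the post, from amavis or from ClamAV: it builds a small "42.zip"-style bomb, walks the central directories with a file-count and depth budget (the 6000 figure is only borrowed from the log as a default), and derives a verdict from the declared-vs-compressed size ratio. That ratio rule is a generic heuristic chosen for the example and is not ClamAV's ArcBomb detection logic; the limits, names and thresholds are all assumptions.

```python
"""Budgeted inspection of nested zip archives for bomb characteristics.
Added example; not amavis or ClamAV code. Sizes come from the central
directory, so nothing is inflated except small nested archives."""
import io
import zipfile
from dataclasses import dataclass
from typing import Optional


@dataclass
class ScanState:
    files: int = 0             # members counted across all nesting levels
    compressed: int = 0        # sum of compress_size from central directories
    uncompressed: int = 0      # sum of declared file_size (declared, not inflated)
    max_depth: int = 0         # deepest nesting level reached (outer zip = 0)
    stopped: Optional[str] = None  # reason the walk was cut short, if any


def build_nested_zip(payload_size: int = 1_000_000, fanout: int = 4, depth: int = 3) -> bytes:
    """Constructed sample (not the real 42.zip): a highly compressible payload
    wrapped in `depth` layers, each layer holding `fanout` copies of the layer below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("payload.bin", b"\0" * payload_size)
    blob = buf.getvalue()
    for level in range(1, depth + 1):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            for i in range(fanout):
                zf.writestr(f"lib{level}_{i}.zip", blob)
        blob = buf.getvalue()
    return blob


def inspect_zip(blob: bytes, max_files: int = 6000, max_depth: int = 16,
                max_member_read: int = 8_000_000, _depth: int = 0,
                _state: Optional[ScanState] = None) -> ScanState:
    """Walk the archive tree, counting members and declared sizes. Stops as
    soon as the file or depth budget is exceeded, like a decoder with a
    hard member limit would; only small .zip members are read and recursed into."""
    state = _state or ScanState()
    state.max_depth = max(state.max_depth, _depth)
    if _depth > max_depth:
        state.stopped = f"Maximum nesting depth ({max_depth}) exceeded"
        return state
    try:
        zf = zipfile.ZipFile(io.BytesIO(blob))
    except zipfile.BadZipFile:
        return state  # not a zip: counted as a member by the caller, nothing more
    for info in zf.infolist():
        if state.stopped:
            break
        state.files += 1
        if state.files > max_files:
            state.stopped = f"Maximum number of files ({max_files}) exceeded"
            break
        state.compressed += info.compress_size
        state.uncompressed += info.file_size
        # Descend only into members that look like archives and whose declared
        # size is small; larger ones are counted but never inflated. Keep the
        # cap modest, since the declared size is attacker-controlled.
        if info.filename.lower().endswith(".zip") and info.file_size <= max_member_read:
            inspect_zip(zf.read(info), max_files, max_depth, max_member_read,
                        _depth + 1, state)
    return state


def verdict(state: ScanState, max_ratio: float = 100.0) -> str:
    """Map a scan to an action. HOLD mirrors 'could not be fully unpacked';
    the ratio threshold is an illustrative heuristic (assumption)."""
    if state.stopped:
        return "HOLD: " + state.stopped
    ratio = state.uncompressed / max(state.compressed, 1)
    if ratio > max_ratio:
        return f"BLOCK: archive bomb suspected (ratio {ratio:.0f}:1 over {state.files} members)"
    return "PASS"


if __name__ == "__main__":
    bomb = build_nested_zip()
    print(verdict(inspect_zip(bomb)))                  # full walk: ratio flags it
    print(verdict(inspect_zip(bomb, max_files=100)))   # budget hit: walk stops, HOLD
```

With the default budget the whole tree (148 members, three levels deep) is walked and the declared/compressed ratio exposes the bomb; with a budget of 100 members the walk stops partway, and all the caller knows is that the archive could not be fully examined, which is the situation the first log excerpt shows. A scanner that looks at the archive as a whole (headers, ratios, nesting) rather than trying to unpack it can reach a decision before any budget is spent.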
