I think the vulnerability checks are catching 0/1 length files. I haven't seen one 
lately. That said, your e-mail numbers well surpass mine, so I might just be luckier.

From my virus logs:
07/04/2004 08:13:21 Q024e0094005eb63a MIME file: message.zip [base64; Length=0 Checksum=1441]
07/04/2004 08:13:21 Q024e0094005eb63a Invalid ZIP Vulnerability
07/04/2004 08:13:21 Q024e0094005eb63a Found a bogus .zip file
07/04/2004 08:13:21 Q024e0094005eb63a File(s) are INFECTED [[Invalid ZIP Vulnerability]: 0]
07/16/2004 22:06:41 Q97bd04d80048162e MIME file: Document.scr [base64; Length=0 Checksum=2668]
07/16/2004 22:06:41 Q97bd04d80048162e Invalid SCR Vulnerability
07/06/2004 16:56:14 Q1ffd0209020ca170 MIME file: Info.scr [base64; Length=1 Checksum=2753]
07/06/2004 16:56:14 Q1ffd0209020ca170 Invalid SCR Vulnerability
07/06/2004 16:56:14 Q1ffd0209020ca170 Banning file with scr extension [application/octet-stream].
07/06/2004 16:56:14 Q1ffd0209020ca170 MIME file: Sources.zip [base64; Length=1 Checksum=2753]
07/06/2004 16:56:15 Q1ffd0209020ca170 Invalid ZIP Vulnerability
07/06/2004 16:56:15 Q1ffd0209020ca170 Found a bogus .zip file



<<< [EMAIL PROTECTED]  7/19  4:58p >>>
I thought I would share this one with the list since it's been a while 
and the problem that this targets is rather problematic in nature, 
though not very threatening.  This filter targets messages sent by virus 
infected computers that are missing the attachment but define the file.  
This results in a zero-byte attachment and it will always get past 
Declude Virus, even if it has one of the commonly banned extensions 
associated with viruses (unless this has been addressed in a more recent 
interim that I'm not aware of).

This filter uses the Size.vbs external test (which is also shared in the 
beta section of the site) to determine if the message is of a certain 
size.  In the filter that I have provided, it is looking for an entry 
that matches "SIZE-XS" which on my system is set to 2K or smaller.  If 
it finds such a message, it then checks to see if there are indications 
of an attachment and if so, is there an indication of BASE64 being 
properly encoded (always ends with two equal signs then a double line 
break), and if not, then it checks for an indication of one of 9 file 
extensions and scores them.  The logic here is that a message containing 
an attachment of one of these types really shouldn't be smaller than 2K, 
and even if they were they should be properly encoded, but a corrupted 
virus that sends a zero-byte attachment should fail.  Messages with very 
small attachments should not trip this test, however it has only been 
designed to work properly with BASE64 attachments which are the obvious 
mechanism for almost every mass mailing virus out there because of broad 
support.

I haven't documented the file, so here's the configuration that I use 
for Size.vbs on my system as it corresponds to the test:

SIZE-XXS    external    11    "CScript C:\IMail\Declude\Filters\Size.vbs //B //NoLogo //T:2 .5,2,30,100,300,1000 %WEIGHT% 28"    2    0
SIZE-XS     external    12    "CScript C:\IMail\Declude\Filters\Size.vbs //B //NoLogo //T:2 .5,2,30,100,300,1000 %WEIGHT% 28"    0    0
SIZE-S      external    13    "CScript C:\IMail\Declude\Filters\Size.vbs //B //NoLogo //T:2 .5,2,30,100,300,1000 %WEIGHT% 28"    0    0
SIZE-M      external    14    "CScript C:\IMail\Declude\Filters\Size.vbs //B //NoLogo //T:2 .5,2,30,100,300,1000 %WEIGHT% 28"    0    0
SIZE-L      external    15    "CScript C:\IMail\Declude\Filters\Size.vbs //B //NoLogo //T:2 .5,2,30,100,300,1000 %WEIGHT% 28"    0    0
SIZE-XL     external    16    "CScript C:\IMail\Declude\Filters\Size.vbs //B //NoLogo //T:2 .5,2,30,100,300,1000 %WEIGHT% 28"    0    0
SIZE-XXL        external    17    "CScrip
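
The zero-byte attachment check discussed in this thread, as an added example in Python that is not part of either post and is not the poster's Declude filter or Size.vbs: instead of matching text patterns, it decodes each BASE64 attachment and flags risky extensions whose decoded length is 0 or 1 bytes, in messages of 2K or less. The extension set, the function names and the sample messages are assumptions constructed for illustration; the post mentions nine extensions but does not list them.

```python
import email
import os

# Assumed list: the post scores nine extensions but does not name them.
RISKY_EXTENSIONS = {".zip", ".scr", ".pif", ".exe", ".com", ".bat", ".cmd", ".cpl", ".vbs"}
MAX_MESSAGE_BYTES = 2048  # "SIZE-XS" on the poster's system: 2K or smaller
MAX_DECODED_BYTES = 1     # the virus logs in the thread show Length=0 and Length=1


def find_empty_attachments(raw: bytes):
    """Return (filename, decoded_length) for risky BASE64 parts with no real payload."""
    if len(raw) > MAX_MESSAGE_BYTES:
        return []  # larger messages are outside what this check targets
    hits = []
    for part in email.message_from_bytes(raw).walk():
        name = part.get_filename()
        if not name or part.is_multipart():
            continue
        if os.path.splitext(name)[1].lower() not in RISKY_EXTENSIONS:
            continue
        if part.get("Content-Transfer-Encoding", "").strip().lower() != "base64":
            continue
        payload = part.get_payload(decode=True) or b""
        if len(payload) <= MAX_DECODED_BYTES:
            hits.append((name, len(payload)))
    return hits


def build_sample(filename: str, b64_body: str) -> bytes:
    """Constructed test message (hypothetical addresses): one text part, one attachment."""
    return (
        "From: sender@example.com\nTo: rcpt@example.com\nSubject: test\n"
        "MIME-Version: 1.0\n"
        'Content-Type: multipart/mixed; boundary="BOUND"\n\n'
        "--BOUND\nContent-Type: text/plain\n\nSee attachment.\n"
        "--BOUND\n"
        f'Content-Type: application/octet-stream; name="{filename}"\n'
        "Content-Transfer-Encoding: base64\n"
        f'Content-Disposition: attachment; filename="{filename}"\n\n'
        f"{b64_body}\n--BOUND--\n"
    ).encode("ascii")


if __name__ == "__main__":
    for fname, body in [("message.zip", ""), ("Info.scr", "QQ=="), ("notes.zip", "UEsDBBQAAAAIAA==")]:
        print(fname, find_empty_attachments(build_sample(fname, body)))
```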