Please note I am not a good programmer here but here goes:
I am wondering why, for those who HAVE to auto unpack, a script cannot be written which, upon receipt of an archive of any sort, inspects it for, as an example, 100K of the same character repeated (keeping in mind that the NULL character, chr$(7) etc have all been used for compressed bombs) and if there *IS* such a file, move the file to some safe location for later manual inspection and if not, allow automatic unpacking etc.
Surely this would be a 5 minute script for SOMEONE who knows how to do it well? Even if it wont work on receipt of compressed archives, it could be a timed even to happen, say 10 minutes before the actual auto unpacking is to occur if that is done at a particular time.
I used to be a "dabbler" programmer on a machine back in the 80s where we used to have this same sort of problem and because the services provided could not be interrupted, the above was how I got around it.
As Ralf Hildebrandt and another guy told me, using AV scanners with amavisd-new framework and let amavisd-new decompress the files before triggering the AV scanners, this would be a solution.
existing amavisd-new options:
# Maximum recursion level for extraction/decoding (0 or undef disables limit)
$MAXLEVELS = 14; # (default is undef, no limit)
# Maximum number of extracted files (0 or undef disables the limit) $MAXFILES = 1500; # (default is undef, no limit)
$MIN_EXPANSION_QUOTA = 100*1024; # bytes (default undef, not enforced)
$MAX_EXPANSION_QUOTA = 300*1024*1024; # bytes (default undef, not enforced)
$MIN_EXPANSION_FACTOR = 5; # times original mail size (must be specified)
$MAX_EXPANSION_FACTOR = 500; # times original mail size (must be specified)
Peter -- Dr. Peter Bieringer Phone: +49-8102-895190 AERAsec Network Services and Security GmbH Fax: +49-8102-895199 Wagenberger Stra�e 1 Mobile: +49-174-9015046 D-85662 Hohenbrunn E-Mail: [EMAIL PROTECTED] Germany Internet: http://www.aerasec.de
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
