On Monday 01 March 2004 19:25, Jon R. Kibler wrote:

> file has a different password -- thus each zip file would have
> a different signature.

That's true, but it has some defects that make detection easy:

a) last line of mail ends in "password : xxxxx"
b) the zip file contains only one file which ends in ".exe"
c) the file is only "stored", not "compressed". It's unusual, since
any manually generated file is usually also compressed.
d) the filesize and the CRC-32 of the file can be retrieved without 
extracting, and they allow identifying the content without knowing the 
password.

As you can see, you can detect it with almost no false positives.


Dirk
_______________________________________________
Visit http://www.mimedefang.org and http://www.canit.ca
MIMEDefang mailing list
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
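The four traits listed in the message above, sketched as a filter check. This is an added example, not code from the original post or from MIMEDefang. The function names, the empty `KNOWN_PAYLOADS` signature set and the extra test of the zip encryption flag are assumptions, and the sample archive is constructed.

```python
import io
import re
import zipfile

# Placeholder signature set: (uncompressed size, CRC-32) pairs of known payloads.
KNOWN_PAYLOADS = set()
PASSWORD_LINE = re.compile(r"password\s*:\s*\S+\s*$", re.IGNORECASE)

def zip_traits(zip_bytes):
    """Traits b) to d), read from the central directory without any password."""
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            entries = zf.infolist()
    except zipfile.BadZipFile:
        return None
    if len(entries) != 1:
        return None
    e = entries[0]
    return {
        "exe": e.filename.lower().endswith(".exe"),
        "stored": e.compress_type == zipfile.ZIP_STORED,
        "encrypted": bool(e.flag_bits & 0x1),   # general-purpose bit 0
        "fingerprint": (e.file_size, e.CRC),    # both stored in clear
    }

def is_suspect(body, zip_bytes, known=KNOWN_PAYLOADS):
    """True on a known fingerprint, or when traits a) to c) all hold."""
    t = zip_traits(zip_bytes)
    if t is None:
        return False
    if t["fingerprint"] in known:
        return True
    lines = body.rstrip().splitlines()
    has_pw = bool(lines) and bool(PASSWORD_LINE.search(lines[-1]))
    return has_pw and t["exe"] and t["stored"] and t["encrypted"]

def make_sample(payload, name="sample.exe"):
    """Constructed input: stored one-entry zip with only the encryption flag
    set (the data itself is left unencrypted, which the checks never read)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, payload)
    raw = bytearray(buf.getvalue())
    raw[6] |= 0x01                             # flag byte, local file header
    raw[raw.find(b"PK\x01\x02") + 8] |= 0x01   # flag byte, central directory
    return bytes(raw)
```

The fingerprint match works on its own because the size and CRC-32 in the zip headers describe the plaintext, so they stay the same whatever password each copy uses.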