AZPR can do several million password attempts against a zip file per second on oldish hardware. Assuming there's some way of scripting this, throwing every collection of non-whitespace characters in the message at the zipfile ought not to be too draining. You can even manage various alterations such as stripping characters off the beginning and end (to catch quoted passwords and passwords followed by punctuation). If the passwords are short (4-5 characters) then they can be brute forced in seconds.
Alternatively, why bother. There's probably enough information in the message body/headers to decide it's viral. Possibly just the fact that it's a password protected zip - would you ever expect to receive one of these normally?
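A mail-filter pre-scan along the lines suggested above, written as an added example (it is not code from this thread): it pulls candidate passwords out of the message body, including the quote- and punctuation-trimmed variants mentioned, tries them against the attachment with Python's standard zipfile module, and reports whether the archive was even encrypted. The sample archive and message text are constructed inside the block.

```python
import io
import re
import zipfile
import zlib

# Characters commonly found around a password quoted in a message body.
_TRIM = "\"'`.,;:!?()[]{}<>"


def candidate_passwords(body):
    """Every run of non-whitespace characters in the body, plus variants with
    quotes/punctuation stripped from either end. Shortest candidates first,
    since they are the cheapest to rule out; body order within a length."""
    seen, out = set(), []
    for token in re.findall(r"\S+", body):
        for v in (token, token.lstrip(_TRIM), token.rstrip(_TRIM), token.strip(_TRIM)):
            if v and v not in seen:
                seen.add(v)
                out.append(v)
    return sorted(out, key=len)  # sorted() is stable


def find_zip_password(zip_bytes, body):
    """Return the body-derived password that opens the first file entry,
    "not encrypted" if the archive needs no password (just unpack and scan it),
    or None if no candidate works."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        entries = [i for i in zf.infolist() if not i.is_dir()]
        if not entries:
            return None
        first = entries[0]
        if not first.flag_bits & 0x1:  # general-purpose bit 0 = encrypted
            return "not encrypted"
        for pwd in candidate_passwords(body):
            try:
                # ZipCrypto's one-byte header check lets 1 in 256 wrong passwords
                # through; reading the whole entry forces the CRC check.
                with zf.open(first, pwd=pwd.encode("utf-8")) as fh:
                    fh.read()
                return pwd
            except (RuntimeError, zipfile.BadZipFile, zlib.error):
                continue
    return None


def sample_unencrypted_zip():
    """Constructed fixture: a plain zip with one stored text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "harmless sample content")
    return buf.getvalue()
```

The standard library cannot write ZipCrypto-encrypted archives, so the constructed fixture only exercises the "not encrypted" branch; the password loop is what a filter would run on a real suspicious attachment.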
Possibly just the fact that it's a password protected zip - would you ever expect to receive one of these normally?
Well, possibly I would, if someone had a genuine need to send me a Windows executable and couldn't get it through my mail filters any other way! I usually recommend that they put any large attachments on a website and send me the URL rather than the file, but there's always someone for whom that's terribly inconvenient...
I have a particularly nasty memory of the guy who mailed me a copy of PuTTY and said "I think this might be infected with a virus, can you shed any light?", and my automatic virus rejector bounced it straight back to him with "554 We won't let this mail in because we aren't confident it isn't a virus". The worst of it was, when I saw that one in the logs I went and extracted the binary and checked it carefully, and it turned out to be a perfectly pristine copy of 0.51; but the bounce he got probably didn't boost his confidence in it :-/
(Yeah, I know he didn't read our Feedback page and therefore it's His Own Fault, but even so I don't have to like that sort of result.)