== It turns out that viruses do try to conceal their ZIP files

One of the interesting things that happens when you start to [[log information about what types of files your users get in email KnowingAttachmentTypes]] is that you get to discover certain sorts of questionable things that people actually do ('people' in a loose sense). Here's one interesting MIME part, extracted from our logs:

> attachment application/octet-stream; MIME file ext: .jpeg; zip exts: .js

The 'attachment' bit is the Content-Disposition and the nominal MIME type comes from the Content-Type. The MIME filename (which came either from Content-Type or Content-Disposition) had a _.jpeg_ extension; however, our logging program found that the attachment actually was a ZIP file with a single _.js_ file inside it, not a JPG image. [[Our anti-spam software CSLabSpamFilteringII]] later identified it as malware.

(I didn't set out to write an attachment type logging program that did content sniffing, but [[the Python _zipfile_ module has a very convenient function for it https://docs.python.org/2.7/library/zipfile.html#zipfile.is_zipfile]] and it's much simpler to structure the code that way instead of trying to maintain a list of file extensions and/or Content-Types that correspond to ZIP files.)

I vaguely knew that any number of file formats were actually ZIP files under the hood; there are _.jar_ files, for example, and a number of the modern '* office' suites and programs use ZIP as their underlying format. Our file type logging program has peered inside any number of those sorts of attachments (as well as inside regular _.zip_ attachments). I also knew that it was theoretically possible for bad actors to try to smuggle ZIP files through as some other file type. But I didn't expect to see it, especially so fast.

(To be fair, most malware does seem to stick to _.zip_ files, not infrequently even with real MIME Content-Types. I suspect that malware wants to make it easy for people to open up the bad stuff that it sends them.)

PS: Hopefully no real content filtering software is fooled by this sort of transparent ruse. It's not as if ZIP archives are hard to detect. Sadly, that (some) malware does this kind of thing makes me suspect that some important software actually is defeated by it.

PPS: All of the cases seem to be from the same malware run, based on how they all happened today and have various other indicators in common.
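The sniffing approach the post describes, sketched here as an added example rather than the author's own logging program: the attachment bytes are handed to _zipfile.is_zipfile_ regardless of what the filename or Content-Type claims, and if they sniff as a ZIP archive the member extensions are pulled out and appended to a log line in the same shape as the one quoted above. The sample attachment (a one-member archive carrying a _.js_ file, labelled _.jpeg_) is constructed in memory so the script runs offline; the set of "extensions that legitimately mean a ZIP container" in _extension_mismatch_ is my own assumption, not something from the post.

```python
import io
import os
import zipfile

# Constructed sample, not from the original post: an in-memory ZIP archive
# holding a single .js member, which the sender will present as a ".jpeg".
def build_sample_attachment():
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("invoice.js", "// placeholder script body\n")
    return buf.getvalue()


def zip_member_exts(data):
    """Return the sorted, unique extensions of the members of a ZIP payload,
    or None when the bytes are not a ZIP archive.

    zipfile.is_zipfile() looks for the end-of-central-directory record, so it
    does not care about the declared filename or Content-Type at all.
    """
    bio = io.BytesIO(data)
    if not zipfile.is_zipfile(bio):
        return None
    bio.seek(0)  # is_zipfile() moves the file position; rewind before reading
    exts = set()
    with zipfile.ZipFile(bio) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            ext = os.path.splitext(info.filename)[1].lower()
            exts.add(ext or "(none)")
    return sorted(exts)


def describe_part(disposition, content_type, filename, data):
    """Build a log line in the shape of the one quoted in the post:
    '<disposition> <type>; MIME file ext: <ext>[; zip exts: <exts>]'."""
    mime_ext = os.path.splitext(filename)[1].lower() if filename else "(none)"
    line = f"{disposition} {content_type}; MIME file ext: {mime_ext}"
    exts = zip_member_exts(data)
    if exts is not None:
        line += "; zip exts: " + " ".join(exts)
    return line


# Assumed list of extensions whose formats are ZIP containers by design; a real
# deployment would tune this to what its users actually receive.
ZIP_CONTAINER_EXTS = {
    ".zip", ".jar", ".war", ".apk", ".xpi",
    ".docx", ".xlsx", ".pptx", ".odt", ".ods", ".odp", ".epub",
}


def extension_mismatch(filename, data):
    """True when the payload sniffs as ZIP but the declared extension is not
    one that normally denotes a ZIP container (e.g. an image extension)."""
    if zip_member_exts(data) is None:
        return False
    ext = os.path.splitext(filename)[1].lower() if filename else ""
    return ext not in ZIP_CONTAINER_EXTS


if __name__ == "__main__":
    sample = build_sample_attachment()
    print(describe_part("attachment", "application/octet-stream",
                        "photo.jpeg", sample))
    print("mismatch:", extension_mismatch("photo.jpeg", sample))
```

The point of sniffing first and consulting extensions second is the one the post makes: the extension list only has to answer "is this disguise worth flagging", not "is this a ZIP", so it can be short and wrong without causing a disguised archive to be missed.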