Zip Considered Harmful?

by Chris Adamson

As the editor of ONJava and, I've put together a collection of documents to help writers with their articles. These include two docs on style and process handed out by most O'Reilly Network editors, a further style guide unique to the Java sites, and an HTML template to get started with (we only accept HTML - no MS-Word). Of course, since these files need to stay together, I've zipped them up and send them out as

Well, at least I did. I've been having a problem with a lot of sites lately, GMail in particular. Apparently, they don't take .zips:

Hi. This is the qmail-send program at

I'm afraid I wasn't able to deliver your message to the following addresses.

This is a permanent error; I've given up. Sorry it didn't work out.


( failed after I sent the message.

Remote host said: 552 5.7.0 Illegal Attachment m35si1200988rnd

I suppose this comes from all the vile malware cargo that can come along for a ride inside a .zip, maybe enhanced by mailers (or clueless users) that automatically expand zips, but is banning .zip really the answer? This policy causes so much collateral damage to e-mail functionality, and the spammers and thieves will just move on to any of their other 100 dirty tricks anyways.

Besides, I fail to see how this makes anyone safer. One of my authors said his company has a standing "no zip" policy, so they just swap .piz files -- i.e., sender changes the extension from .zip to .piz, receiver changes it back. Easy workaround.

Another approach: just use any of the other, less-ubiquitous compression formats, like tar.gz, StuffIt, ARC, etc.

For the meantime, if you're trying to write for ONJava -- or just interested! -- I've attached the file to this blog: And at some point, we'll just link the files on the left column of the page.

But still, that doesn't help for swapping drafts back and forth. This seems like a problem that's only going to get worse.

Have you been inconvenienced by the ZIP lockout?
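The .piz rename described above gets through because the filter trusts the filename. As an added example (not part of the original post), this Python sketch identifies a ZIP by its structure whatever the extension says and lists members whose extensions are on a policy list; the function names, `RISKY_EXTENSIONS` and the sample files are assumptions constructed for illustration.

```python
import io
import os
import zipfile

# Assumed policy list for illustration; a real gateway would maintain its own.
RISKY_EXTENSIONS = {".exe", ".scr", ".pif", ".bat", ".com", ".vbs", ".js"}


def is_zip(data: bytes) -> bool:
    """Recognise a ZIP from its internal structure, ignoring the filename."""
    return zipfile.is_zipfile(io.BytesIO(data))


def classify_attachment(filename: str, data: bytes) -> dict:
    """Judge an attachment by content: is it a ZIP, is it renamed, what is inside."""
    result = {"filename": filename, "is_zip": is_zip(data),
              "extension_mismatch": False, "risky_members": []}
    if not result["is_zip"]:
        return result
    # A ZIP that does not call itself .zip is the .piz case from the post.
    result["extension_mismatch"] = not filename.lower().endswith(".zip")
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        for name in archive.namelist():
            # Only the final extension counts, so "invoice.pdf.exe" is ".exe".
            if os.path.splitext(name)[1].lower() in RISKY_EXTENSIONS:
                result["risky_members"].append(name)
    return result


def build_sample_zip(members: dict) -> bytes:
    """Constructed sample input: build a small ZIP in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        for name, content in members.items():
            archive.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    docs = build_sample_zip({"style-guide.html": "<html></html>"})
    mixed = build_sample_zip({"invoice.pdf.exe": "placeholder bytes"})
    samples = [("writers.zip", docs), ("writers.piz", docs),
               ("notes.piz", mixed), ("readme.txt", b"plain text")]
    for fname, blob in samples:
        print(classify_attachment(fname, blob))
```

A filter built this way treats `writers.zip` and `writers.piz` identically and decides on the member list, so a harmless bundle of HTML files passes and the rename no longer changes the outcome.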


2005-07-07 23:57:34
Clear sign of an overly paranoid IT policy combined with poor quality anti-virus software.

Any decent AV package nowadays can scan the contents of zipfiles on the fly even in email attachments, so there's no reason to block them.

But I've seen worse. At one customer site they were blocking all email attachments. They also blocked all file types sent over HTTP (all other protocols were blocked) except HTML, HTML, TXT, and GIF (yes, they blocked on file extension, not mimetype).
To our (as external consultants) great joy that meant they even blocked their own intranet and internet sites from their own staff :)
2005-07-08 14:43:43
Well, the .piz thing, stupid as it may sound, actually wasn’t completely worthless: because if you receive a .piz file from someone, you can be very nearly certain that it’s genuinely from a coworker. Until using .piz as an extension for zipfiles catches on widely enough that virus authors pay attention, it is actually a sign that a human was involved in attaching that file.

But of course, that effect can and should be achieved in one of a variety of other ways which directly exploit the fact that a company’s local conventions are unknown to virus writers, instead of in such a roundabout way as banning .zip attachments which is only useful for its side effects.

2005-07-12 14:38:05
Yep, I've been smacked
Our work does not allow ZIP files. All we do to get around it is to rename the extension ("zi", "zit") and send them through with a note. But, it's a hassle.
2005-07-13 06:39:39
I always rename the files to .virus, just for irony's sake. (it always seems to work)
2005-12-09 06:48:09
Google, the next evil empire?
In an effort to make my life easier I'm trying to use GMail as a central point to consolidate my email. I redirect my work email account (among others) to my gmail account.

Gmail bounces emails every time one of my customers or coworkers sends a message with an attachment gmail doesn't like. It's confusing to them and it's gotten to the point where I'm looking for an alternative.

Is there any way we can convince Google that they've made a bad decision here? Or, is this the first step to Google becoming the next evil empire?