michael at ERG.ABDN.AC.UK
Tue Oct 2 16:54:48 IST 2001
On testing an authentic ZipOfDeath file, it seems that the logs showed the following:
Oct 2 16:43:47 diesel mailscanner: Commercial scanner timed out!
Oct 2 16:43:49 diesel mailscanner: Denial Of Service attack
Which is what you've been saying, but this only seems to work for this
specific case. What criteria are you using to determine whether it's a Denial
of Service attack or not? Since my tiny zip file that expands to a HUGE file
is the same, just another way of doing it. Whereas my test file only
showed the first msg and then blindly carried on till the machine swap
filled up and the machine went belly up.
I thought the timeouts were generic and meant to cap the sweep process from
going on for too long on the same file.
> At 16:27 02/10/2001, you wrote:
>> root 22786 22768 66 15:46:26 ? 23:49 /opt/sophos/bin/sweep
>> -p=/tmp/outputlog -sc -f -all -rec -ss -archive -loopback
>> Total CPU time is 23:49
>> This was a 800k file that expands out to 800MB, my tmp space on the mail
>> server is only 600MB. So it fills it up and then sits and does nothing...the
>> tmp space sits at 99%
>> The total cpu time above, seems well in excess of the timeout settings in
>> the mailscanner.conf file?
>> Any suggestions?
> Not immediately, no. I tested with a genuine Zip Of Death file, not just a
> large zip file, so I'm not sure what happens when it just runs out of
> space. It should still die though. It gets killed -9 after being given 10
> seconds to respond to a normal kill.
> Try it with a real Zip Of Death and let me know what happens...
>>> At 23:36 01/10/2001, you wrote:
>>>> Just ran a test of the new timeouts, a 600k file that expands out into a few
>>>> hundred megabytes. The "Commercial scanner timed out!" message appeared in
>>>> the syslog after 5mins, although the sweep process is still thrashing away
>>>> on the same message? (it's been going now for 26mins on the one file, and the
>>>> mail queue is at a complete stand still and growing by the second with
>>>> mail hotfooting it into the queue).
>>> I have just tried this on a Solaris 8 system and the timeouts worked
>>> nicely. It did scan the same thing 3 times (once as part of batch scan,
>>> next as part of individual message scan, third time to attempt
>>> disinfection), but that's as expected.
>>> If you do:
>>> while :; do ps -fe | grep sweep; sleep 1; done
>>> and watch the total CPU time of the sweep processes, do they ever exceed
>>> the value set in the timeout setting in the mailscanner.conf file?
>>> Julian Field Teaching Systems Manager
>>> jkf at ecs.soton.ac.uk Dept. of Electronics & Computer Science
>>> Tel. 023 8059 2817 University of Southampton
>>> Southampton SO17 1BJ
> Julian Field Teaching Systems Manager
> jkf at ecs.soton.ac.uk Dept. of Electronics & Computer Science
> Tel. 023 8059 2817 University of Southampton
> Southampton SO17 1BJ
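The kill sequence described in the reply above (a normal kill, a short grace period, then kill -9), as an added example that is not part of this thread or of MailScanner itself. It uses a wall-clock limit rather than CPU time, since a scanner stalled on a full /tmp burns no CPU but still blocks the queue; the limits, the flag file and the scanner command are assumptions.

```shell
#!/bin/sh
# Added example, not MailScanner's own code. Runs a scanner command under a
# wall-clock limit, sends TERM, waits a grace period, then sends KILL, and
# reports whether the limit was hit. Limits and paths below are assumptions.

# run_with_timeout SECONDS GRACE_SECONDS COMMAND [ARGS...]
# Returns the command's own exit status, or 124 if it had to be killed.
run_with_timeout() {
    limit=$1; grace=$2; shift 2
    flag=$(mktemp) || return 1          # written by the watchdog on timeout
    "$@" &
    pid=$!
    (   # watchdog: poll in 1 s steps so an orphaned sleep lives at most 1 s
        t=0
        while [ "$t" -lt "$limit" ]; do sleep 1; t=$((t + 1)); done
        echo timedout > "$flag"
        kill -TERM "$pid" 2>/dev/null    # normal kill first
        t=0
        while [ "$t" -lt "$grace" ] && kill -0 "$pid" 2>/dev/null; do
            sleep 1; t=$((t + 1))
        done
        kill -KILL "$pid" 2>/dev/null    # then kill -9 if it is still there
    ) >/dev/null 2>&1 &
    watchdog=$!
    wait "$pid"
    status=$?
    kill "$watchdog" 2>/dev/null         # scanner finished: stop the watchdog
    if [ -s "$flag" ]; then status=124; fi
    rm -f "$flag"
    return "$status"
}

# tmp_usage_pct DIR: percent of the filesystem holding DIR that is in use,
# so a full scratch area can be noticed even when the scanner is idle.
tmp_usage_pct() {
    df -P "$1" | awk 'NR == 2 { sub("%", "", $5); print $5 }'
}

# Constructed usage (commented out so the file runs stand-alone):
# run_with_timeout 300 10 /opt/sophos/bin/sweep -archive /var/spool/scan/msg \
#     || echo "Commercial scanner timed out!" >&2
# echo "scratch space at $(tmp_usage_pct /tmp)% used"
```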