[Fwd: On the ultimate futility of server-based mail scanning]

Julian Field jkf at ecs.soton.ac.uk
Sun Mar 24 13:08:30 GMT 2002

At 09:09 10/03/2002, you wrote:
>Several postings on Bugtraq recently talked about DoS attacks against
>server-based mail-scanners.  Compress four gigabytes of zeros and
>debilitate mail scanners which uncompress .gz files, for example.
>Several mail scanners try to be clever and examine .zip files, .tar.gz
>files, .arc files, etc. to look inside for viruses.
>This is ultimately futile.
>I gave one scenario:
>(cat small_x86_jmp_code; \
>  dd if=/dev/zero bs=1k count=400k; \
>  cat virus_payload) | gzip > virus.attach.gz
>This DoS's virus-scanners which do not limit scanning-size, and sneaks past
>those which do.

I don't understand why this is a problem. And anyway, MailScanner detects
DoS attacks on the basis of the time taken to process the gz file, not the
size of the expanded archive. So it should still get caught.
Julian Field                Teaching Systems Manager
jkf at ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                             Southampton SO17 1BJ

More information about the MailScanner mailing list