[Fwd: On the ultimate futility of server-based mail scanning]
Julian Field
jkf at ecs.soton.ac.uk
Sun Mar 24 13:08:30 GMT 2002
At 09:09 10/03/2002, you wrote:
>Several postings on Bugtraq recently talked about DoS attacks against
>server-based mail-scanners. Compress four gigabytes of zeros and
>debilitate mail scanners which uncompress .gz files, for example.
>
>Several mail scanners try to be clever and examine .zip files, .tar.gz
>files, .arc files, etc. to look inside for viruses.
>
>This is ultimately futile.
>
>I gave one scenario:
>
>(cat small_x86_jmp_code; \
> dd if=/dev/zero bs=1k count=400k; \
> cat virus_payload) | gzip > virus.attach.gz
>
>This DoS's virus-scanners which do not limit scanning-size, and sneaks past
>those which do.
I don't understand why this is a problem. And anyway, MailScanner detects
DoS attacks on the basis of the time taken to process the gz file, not the
size of the expanded archive. So it should still get caught.
--
Julian Field
Teaching Systems Manager
jkf at ecs.soton.ac.uk
Dept. of Electronics & Computer Science
University of Southampton
Southampton SO17 1BJ
Tel. 023 8059 2817
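The two scanner designs the thread contrasts, side by side: one that expands only a size-limited prefix (and so never sees a payload placed after a long run of zeros) and one that streams the archive under an expansion cap and a time budget and treats hitting either limit as a reject rather than a pass. This is an added example, not code from the post or from MailScanner; the caps, the chunk size and the marker string are assumptions.

```python
import gzip
import io
import time

# Policy values are assumptions for this example, not MailScanner settings.
MAX_EXPANDED_BYTES = 10 * 1024 * 1024   # refuse anything that expands past 10 MiB
MAX_SECONDS = 2.0                       # refuse anything that takes longer to expand
CHUNK = 64 * 1024                       # at most this much expanded data in memory at once
MARKER = b"CONSTRUCTED-TEST-MARKER"     # stands in for a signature; constructed, not real malware


def inspect_gzip(data, max_bytes=MAX_EXPANDED_BYTES, max_seconds=MAX_SECONDS):
    """Stream-decompress a gzip member one CHUNK at a time.
    Returns ('infected', size) or ('ok', size) only if the whole archive was
    examined, and ('reject', reason) if the size cap or time budget is hit.
    A reject is a verdict: the attachment is held, never passed as clean."""
    expanded, found, tail = 0, False, b""
    start = time.monotonic()
    with gzip.GzipFile(fileobj=io.BytesIO(data)) as gz:
        while True:
            chunk = gz.read(CHUNK)
            if not chunk:
                break
            expanded += len(chunk)
            window = tail + chunk               # keep a tail so a marker straddling chunks is seen
            found = found or MARKER in window
            tail = window[-(len(MARKER) - 1):]
            if expanded > max_bytes:
                return ("reject", "expanded size over cap")
            if time.monotonic() - start > max_seconds:
                return ("reject", "time budget exceeded")
    return ("infected", expanded) if found else ("ok", expanded)


def scan_prefix_only(data, limit):
    """The weak design the post describes: expand only the first `limit` bytes
    and look for the marker there, passing the rest unexamined."""
    with gzip.GzipFile(fileobj=io.BytesIO(data)) as gz:
        head = gz.read(limit)
    return "infected" if MARKER in head else "clean"


def build_sample(zero_bytes):
    """Constructed sample in the shape of the post's scenario: a short header,
    a run of zeros, then the marker at the very end."""
    return gzip.compress(b"HEADER" + b"\0" * zero_bytes + MARKER)
```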