DOS attack with zip of death?

D.M.Chapman D.M.Chapman at UKC.AC.UK
Fri Nov 22 11:49:31 GMT 2002

Yesterday we got hit with a "zip of death" denial of service attack on
our mail hubs. Now I am not exactly up to speed on mailscanner yet and
didn't build these machines but I'm just fishing for clues in case I've
missed something obvious...

We have 3 hubs. All running exim 3, two are running MailScanner-3.15-3
on Solaris 8 with one running MailScanner-3.22-14 on Solaris 9. I know
both of these are out of date... AFAIK these are the versions on the
machines. All three run the same version of Sophos - they were all
upgraded to the latest release of sophos recently so are identical in
that respect.

The first two machines coped fine. They logged:

  Commercial scanner sophos timed out!
  Denial Of Service attack is in message 18Eq5q-0004o9-00

And then carried on.

The last machine (that is running the newer mailscanner release) failed.
It logged:

  Commercial scanner sophos timed out!
  Denial Of Service attack detected!

No message id was logged and it then died. No more scanning and it wouldn't
restart until I had removed the message containing the zip from the mailq :-(
Unfortunately this machine is our biggest so it is the one we can least
afford to be down. Also, as exim carried on receiving emails we rapidly
ended up with 7000 messages stuck on the machine awaiting virus checking...

Have I missed something here? From the docs it seems like DOS attack
protection was added in v2.50. Certainly it worked well on the two machines
that are running the older version. Was this "missed out" of the
3.22 release? Is this one machine misconfigured? Any clues?

Will upgrading the 3.22 machine to 3.26 fix this? I guess I could
downgrade to 3.15 but that doesn't sound like the correct answer!

Clues? This is the first problem we have had with mailscanner since
the person who set up the system left in June... I knew I should have
made sure I was up to speed before now!
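The post describes a "zip of death": an archive whose declared contents are so much larger than the archive itself that the commercial scanner times out trying to unpack it, and the newer MailScanner build then stopped without logging which message was responsible. The script below is an added illustration of the kind of pre-screen a mail gateway can run on an attachment before handing it to the scanner; it is not MailScanner's code and nothing from the original post. It reads only the zip central directory, refuses archives whose declared uncompressed size or compression ratio exceeds a threshold, limits how deeply nested archives are followed, and always reports the queue id of the offending message. The thresholds (MAX_RATIO, MAX_TOTAL_BYTES, MAX_NESTING, MAX_MEMBER_PEEK), the function names and the log-line format are assumptions, and the sample archives are constructed in the script itself.

```python
import io
import zipfile

# Assumed policy thresholds (not MailScanner settings). Real deflate tops out
# near 1032:1, so an archive declaring >100:1 is almost always hostile.
MAX_RATIO = 100.0                    # declared uncompressed bytes per stored byte
MAX_TOTAL_BYTES = 50 * 1024 * 1024   # declared total uncompressed size we will accept
MAX_NESTING = 3                      # how many archives-inside-archives we follow
MAX_MEMBER_PEEK = 1024 * 1024        # cap on bytes decompressed from a nested member


def inspect_zip(data: bytes, depth: int = 0) -> dict:
    """Return a verdict for a zip held in memory without fully extracting it.

    verdict is one of 'ok', 'bomb', 'nested_too_deep', 'bad_zip'. The declared
    sizes come from the central directory, which the sender controls, so they
    are used to reject, never to trust; decompression is capped where it happens.
    """
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return {"verdict": "bad_zip", "depth": depth}

    infos = zf.infolist()
    total_uncompressed = sum(i.file_size for i in infos)
    total_compressed = sum(i.compress_size for i in infos)
    ratio = total_uncompressed / max(total_compressed, 1)
    result = {
        "verdict": "ok",
        "depth": depth,
        "members": len(infos),
        "declared_bytes": total_uncompressed,
        "ratio": ratio,
    }
    if total_uncompressed > MAX_TOTAL_BYTES or ratio > MAX_RATIO:
        result["verdict"] = "bomb"
        return result

    # Follow archives inside the archive, bounded in depth and in bytes read.
    for info in infos:
        if not info.filename.lower().endswith(".zip"):
            continue
        if depth + 1 >= MAX_NESTING:
            result["verdict"] = "nested_too_deep"
            return result
        with zf.open(info) as member:
            inner_bytes = member.read(MAX_MEMBER_PEEK + 1)
        if len(inner_bytes) > MAX_MEMBER_PEEK:
            # Too big to look inside within budget: treat as hostile.
            result["verdict"] = "bomb"
            return result
        inner = inspect_zip(inner_bytes, depth + 1)
        if inner["verdict"] != "ok":
            inner["path"] = info.filename
            return inner
    return result


def screen_message(message_id: str, attachments: dict) -> list:
    """Pre-screen a queued message's zip attachments; return log lines.

    The log format is assumed. The queue id is always included so an operator
    can find and remove the message from the mail queue by hand if needed.
    """
    lines = []
    for name, blob in attachments.items():
        verdict = inspect_zip(blob)["verdict"]
        if verdict != "ok":
            lines.append(f"Denial of service archive in message {message_id}: "
                         f"{name} ({verdict})")
    return lines


def build_zip(members) -> bytes:
    """Build a deflated zip in memory from (name, bytes) pairs (test data helper)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in members:
            zf.writestr(name, payload)
    return buf.getvalue()


# Constructed samples: a harmless note, a 4 MiB run of zeros (deflates to a few
# KB, ratio ~1000:1), one level of nesting, and three levels of nesting.
BENIGN_ZIP = build_zip([("readme.txt", b"quarterly figures attached\n")])
BOMB_ZIP = build_zip([("payload.bin", b"\0" * (4 * 1024 * 1024))])
ONE_WRAP_ZIP = build_zip([("inner.zip", BENIGN_ZIP)])
NESTED_ZIP = BENIGN_ZIP
for _name in ("c.zip", "b.zip", "a.zip"):
    NESTED_ZIP = build_zip([(_name, NESTED_ZIP)])

if __name__ == "__main__":
    # Queue id taken from the post's own log line, used here only as a sample.
    for line in screen_message("18Eq5q-0004o9-00",
                               {"report.zip": BENIGN_ZIP, "invoice.zip": BOMB_ZIP,
                                "deep.zip": NESTED_ZIP}):
        print(line)
```

The check costs only a read of the central directory, so it can run before the scanner is invoked at all, and a message rejected here never reaches the scanner timeout that the post describes. Because the declared sizes are attacker-supplied, the nested-archive path reads at most MAX_MEMBER_PEEK bytes of decompressed data per member, which bounds memory and time even if the directory lies.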



