DOS attach with zip of death?

Julian Field mailscanner at ecs.soton.ac.uk
Fri Nov 22 12:31:38 GMT 2002 

I've just tested this on RedHat 7.3 with the latest V3 code. I got this
(using a batch of 3 messages, with the ZipOfDeath in the middle)

Nov 22 12:31:55 sailor mailscanner[3364]: Startup: found 3 messages waiting
Nov 22 12:31:55 sailor mailscanner[3364]: Scanning 3 messages, 60217 bytes
Nov 22 12:37:00 sailor mailscanner[3364]: Commercial scanner sophos timed out!
Nov 22 12:37:00 sailor mailscanner[3364]: Denial Of Service attack detected!
Nov 22 12:42:05 sailor mailscanner[3364]: Commercial scanner sophos timed out!
Nov 22 12:42:05 sailor mailscanner[3364]: Denial Of Service attack is in
message gAMCVGnf003351
Nov 22 12:42:11 sailor mailscanner[3364]: Scanned 3 messages, 60217 bytes
in 616 seconds
Nov 22 12:42:11 sailor mailscanner[3364]: Saved entire message to
/var/spool/MailScanner/quarantine/20021122/gAMCVGnf003351

which is what I would expect. Note that you should get 1 DOS report without
the message id, followed by another DOS report with the message id, a few
minutes later.

At 11:49 22/11/2002, you wrote:
>Yesterday we got hit with a "zip of death" denial of service attack on
>our mail hubs. Now I am not exactly up to speed on mailscanner yet and
>didn't build these machines but I'm just fishing for clues incase I've
>missed something obvious...
>
>We have 3 hubs. All running exim 3, two 2 are running MailScanner-3.15-3
>on Solaris 8 with one running MailScanner-3.22-14 on Solaris 9. I know
>both of these are out of date... AFAIK these are the versions on the
>machines. All three run the same version of Sophos - they were all
>upgraded to the latest release of sophos recently so are identical in
>that respect.
>
>The first two machines coped fine. They logged:
>
>   Commercial scanner sophos timed out!
>   Denial Of Service attack is in message 18Eq5q-0004o9-00
>
>And then carried on.
>
>The last machine (that is running the newer mailscanner release) failed.
>It logged:
>
>   Commercial scanner sophos timed out!
>   Denial Of Service attack detected!
>
>No message id was logged and it then died. No more scanning and it wouldn't
>restart until I had removed the message containing the zip from the mailq :-(
>Unfortunately this machine is our biggest so it is the one we can least
>afford to be down. Also, as exim carried on receiving emails we rapidly
>ended up with 7000 messages stuck on the machine awaiting virus checking...
>
>Have I missed something here? From the docs it seems like DOS attack
>protection was added in v2.50. Certainly it worked well on the two machines
>that are running the older version. Was this "missed out" of the
>3.22 release? Is this one machine misconfigured? Any clues?
>
>Will upgrading the 3.22 machine to 3.26 fix this? I guess I could
>downgrade to 3.15 but that doesn't sound like the correct answer!
>
>Clues? This is the first problem we have had with mailscanner since
>the person who set up the system left in june...I knew I should have
>made sure I was up to speed before now!
>
>Thanks,
>
>Darren

--
Julian Field                Teaching Systems Manager
jkf at ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                             Southampton SO17 1BJ

More information about the MailScanner mailing list