DOS attach with zip of death?

D.M.Chapman D.M.Chapman at UKC.AC.UK
Fri Nov 22 14:28:27 GMT 2002


On Fri, Nov 22, 2002 at 12:31:38PM +0000, Julian Field wrote:
> I've just tested this on RedHat 7.3 with the latest V3 code. I got this
> (using a batch of 3 messages, with the ZipOfDeath in the middle)
[snip]
> Nov 22 12:42:11 sailor mailscanner[3364]: Saved entire message to
> /var/spool/MailScanner/quarantine/20021122/gAMCVGnf003351
>
> which is what I would expect. Note that you should get 1 DOS report without
> the message id, followed by another DOS report with the message id, a few
> minutes later.

That's what I got on the two older machines. The 3.22 box never reported
the message id (it had been stuck for a couple of hours by the time I
got to it).

Oh well, I guess it will be an upgrade to the latest v3 then.

One thing I notice from the above output is that you quarantine the
message. We have a policy of not doing this at all and deleting any
virus but on the two machines that coped with the ping of death it
seems to have deleted the attack email (at least, I can't find it).

Is there any way to have it delete any virus but to keep the dos attack
message/attachment so that it "can be used in evidence"? :-)

Thanks,

Darren


