DoS, locale, spool file and unrar log noise

Jonas Bardino jones at ODENSE.KOLLEGIENET.DK
Mon Dec 8 19:54:39 GMT 2003


Hi!

We're using the latest Debian Testing MailScanner package which is based on
a 4.24 version.
At the moment it uses SpamAssassin with Pyzor and Razor2 for spam and
ClamAV for virus scanning.
Exim 3 is used as MTA and almost everything seems to be working fine.
The average daily load is about 10000 mails, which does not overburden the
server in any way.
However, there's quite a bit of "noise" in the logs.
We have searched Google and the archives for solutions, but so far
without any luck.

We keep getting a few DoS warnings every day about mails that appear to
be quite harmless:
Dec  7 14:55:10 cindy MailScanner[27894]: Commercial scanner clamav timed out!
Dec  7 14:55:10 cindy MailScanner[27894]: Virus Scanning: Denial Of Service attack detected!
(Btw, the clam developers may not like being called commercial :-)
Unfortunately the attachments aren't quarantined when that happens, so
it's a bit hard to reproduce the problem.

According to a Google search the default settings related to DoS checks are:
max-files = 500, max-size = 10000 (=10 MB), max-recursion = 5
We tried increasing the DoS prevention arguments to ClamAV by adding the
following line in /etc/MailScanner/wrapper/clamav-wrapper:
ExtraScanOptions="--max-files=10000 --max-space=100000 --max-recursion=20 $ExtraScanOptions"
But we still see the DoS warnings.
Did anyone find a good way around that, or is it necessary to
completely disable the limits?

Other occasional log entries include:
Dec  3 03:48:42 cindy MailScanner[4208]: Don't know what to do with line 'Content-type :text/html; charset:iso-8859-1' in header array!
Is that due to some kind of missing internationalization or a broken
client?

Dec  8 20:01:46 cindy exim[28643]: 2003-12-08 20:01:46 1ATQby-0007K8-00 Spool file 1ATQby-0007K8-00-D not found
Google gives a few hits but no answers (we're not running eximon, which one
of the answers talks about).

Another issue is the use of unrar.
We used to get log entries like the following occasionally:
Dec  7 19:06:59 cindy MailScanner[16206]: ProcessClamAVOutput: RAR module failure.
Dec  7 19:06:59 cindy MailScanner[16206]: UNRAR 2.71 freeware Copyright (c) 1993-2000 Eugene Roshal
Dec  7 19:06:59 cindy MailScanner[16206]: ProcessClamAVOutput: unrecognised line "UNRAR 2.71 freeware      Copyright (c) 1993-2000 Eugene Roshal". Please contact the authors!
Dec  7 19:06:59 cindy MailScanner[16206]: Extracting from /var/spool/MailScanner/incoming/16206/./1AT3Ib-0000ex-00/Renusse.part2.rar
Dec  7 19:06:59 cindy MailScanner[16206]: ProcessClamAVOutput: unrecognised line "Extracting from /var/spool/MailScanner/incoming/16206/./1AT3Ib-0000ex-00/Renusse.part2.rar". Please contact the authors!
Dec  7 19:06:59 cindy MailScanner[16206]: Unknown method in Billede073.jpg
Dec  7 19:06:59 cindy MailScanner[16206]: ProcessClamAVOutput: unrecognised line "Unknown method in Billede 073.jpg". Please contact the authors!
...repeated for every file in the archive...
Dec  7 19:06:59 cindy MailScanner[16206]: No files to extract
Dec  7 19:06:59 cindy MailScanner[16206]: ProcessClamAVOutput: unrecognised line "No files to extract". Please contact the authors!

The default unrar package in Debian testing is based on a version 2.71,
which, like clam itself, does not support 3.x rar archives.
That seems to be the reason for most of the above junk in the logs.
After installing a backported version 3.1.3 of unrar, only the module failure
notice from Clam's internal extractor as well as the "Copyright" and
"Extracting" notices remain.
Is that a Debian specific problem?

The internal RAR module failure can probably be removed by adding
"--disable-archive" to the clamav wrapper, but we're not sure if that's a
good idea, since it disables all unpacking features of Clam.

Some of the output from the separate unrar binary should probably be ignored in
SweepViruses.pm.
We've tried adding code for that and it appears to work in the installed
version.
Version 4.25-14 does not seem to change that part of the code,
so it is probably only a difference in line numbers.

Diffs against the Debian version 4.24.5-1 and the general version 4.25-14 are
attached.
Can someone please confirm if they do the job?

Thanks! ...and sorry if this mail is too long and messy.

Kind regards, Jonas
..and the rest of the FKO Server admins
-------------- next part --------------
--- SweepViruses.pm     2003-12-08 15:25:42.000000000 +0100
+++ SweepViruses.pm.fix_debian_rar      2003-12-08 14:52:06.000000000 +0100
@@ -1835,6 +1835,10 @@
     return 0;
   }

+  # Ignore unrar freeware version info similar to:
+  # "UNRAR 3.10 freeware      Copyright (c) 1993-2002 Eugene Roshal"
+  return 0 if $line =~ /^UNRAR \d+\.\d+ freeware/;
+
   # clamscan currently stops as soon as one virus is found
   # therefore there is little point saying which part
   # it's still a start mind!
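Review bot: the new test on the `+  return 0 if $line =~ /^UNRAR \d+\.\d+ freeware/;` line is the only one in this function that matches `$line` explicitly; every neighbouring test (`if (/^Archive:  (.*)$/)`, `return 0 if /Empty file.$/;`, `return 0 if /^  /;`) matches `$_` implicitly. Unless `$line` and `$_` are guaranteed to hold the same string at this point, write it as `return 0 if /^UNRAR \d+\.\d+ freeware/;` so it behaves like the rest. The pattern itself is fine: it does not pin the version, so it silences both the 2.71 banner quoted in the logs and the 3.10 one in the comment.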
@@ -1846,6 +1850,13 @@
     $clamav_archive = $1;
     return 0;
   }
+  # Catch unrar extracting info on the form:
+  # "Extracting from INCOMING_PATH/rarfail.rar"
+  if (/^Extracting from (.*)$/)
+  {
+    $clamav_archive = $1;
+    return 0;
+  }
   return 0 if /Empty file.$/;
   # Normally means you just havn't asked for it
   if (/: (\S+ module failure\.)/)
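Review bot: the value stored by `+    $clamav_archive = $1;` is later interpolated unescaped into a regex by `if ($clamav_archive && /^$clamav_archive:/)`, so a RAR attachment whose path contains regex metacharacters (`(`, `[`, `+`, `?`) either fails to match its closing line or aborts the match with an unmatched-bracket error. The existing `Archive:` branch has the same weakness, but since this hunk adds a second source for the variable, change the comparison to `/^\Q$clamav_archive\E:/` (or apply `quotemeta` when the value is captured). Minor: the comment should read "of the form", not "on the form".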
@@ -1854,6 +1865,9 @@
     return 0;
   }
   return 0 if /^  /;  # "  inflating", "  deflating.." from --unzip
+  # Ignore "Extracting  FILE COMPRESSIONRATE OK " lines from --unrar
+  return 0 if /^Extracting  .*OK $/;
+  return 0 if /^$/;  # blank lines from --unrar
   if ($clamav_archive && /^$clamav_archive:/)
   {
     $clamav_archive = "";
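Review bot: `+  return 0 if /^Extracting  .*OK $/;` depends on exact whitespace, two spaces after "Extracting" and a single trailing space after "OK", so it silently stops matching if the line is chomped or trimmed anywhere between unrar and this function, or if a later unrar release changes its column layout; every such line then comes back as an "unrecognised line" report. A more tolerant `/^Extracting\s+.*\bOK\s*$/` still cannot be confused with the "Extracting from" header, since that is consumed by the earlier branch in this same patch. The `+  return 0 if /^$/;` addition is harmless: blank lines never carry the closing "archive:" line, so skipping the `$clamav_archive` reset for them is correct.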
-------------- next part --------------
--- SweepViruses.pm     2003-12-01 17:37:12.000000000 +0100
+++ SweepViruses.pm.rar_fix     2003-12-08 15:27:32.000000000 +0100
@@ -2089,6 +2089,10 @@
   # therefore there is little point saying which part
   # it's still a start mind!

+  # Ignore unrar freeware version info similar to:
+  # "UNRAR 3.10 freeware      Copyright (c) 1993-2002 Eugene Roshal"
+  return 0 if $line =~ /^UNRAR \d+\.\d+ freeware/;
+
   # Only tested with --unzip since only windows boxes get viruses ;-)

   if (/^Archive:  (.*)$/)
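Review bot: the `+  return 0 if $line =~ /^UNRAR \d+\.\d+ freeware/;` line matches `$line` explicitly while the test two lines below it, `if (/^Archive:  (.*)$/)`, and the others in this function match `$_`; either confirm that `$line` is the string being tested elsewhere or drop the explicit variable so the new check cannot diverge from the rest. Checking the banner before the `Archive:` test is the right order, since it is the first thing unrar prints.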
@@ -2096,6 +2100,13 @@
     $clamav_archive = $1;
     return 0;
   }
+  # Catch unrar extracting info on the form:
+  # "Extracting from INCOMING_PATH/rarfail.rar"
+  if (/^Extracting from (.*)$/)
+  {
+    $clamav_archive = $1;
+    return 0;
+  }
   return 0 if /Empty file.$/;
   # Normally means you just havn't asked for it
   if (/: (\S+ module failure\.)/)
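Review bot: `+  if (/^Extracting from (.*)$/)` captures the complete incoming path (the quoted log shows `/var/spool/MailScanner/incoming/16206/./1AT3Ib-0000ex-00/Renusse.part2.rar`) into `$clamav_archive`, and the later `if ($clamav_archive && /^$clamav_archive:/)` drops that value into a regex with no quoting; an attachment named with `(`, `[` or `+` then breaks the closing-line match for the rest of that scan's output. Use `/^\Q$clamav_archive\E:/` in that comparison. Also "on the form" should read "of the form".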
@@ -2104,6 +2115,9 @@
     return 0;
   }
   return 0 if /^  /;  # "  inflating", "  deflating.." from --unzip
+  # Ignore "Extracting  FILE COMPRESSIONRATE OK " lines from --unrar
+  return 0 if /^Extracting  .*OK $/;
+  return 0 if /^$/;  # blank lines from --unrar
   if ($clamav_archive && /^$clamav_archive:/)
   {
     $clamav_archive = "";
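Review bot: `+  return 0 if /^Extracting  .*OK $/;` relies on the trailing space after "OK" surviving from unrar through clamscan to this function; if any stage strips trailing whitespace, every per-file extraction line is reported as unrecognised again, so `\s*$` is the safer ending. Note also that nothing in this patch covers the unrar 2.71 lines quoted in the report ("Unknown method in ..." and "No files to extract"), so the remaining noise only disappears together with the unrar 3.x backport the mail mentions; the patch should say so in its comments.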
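To check what the two patches above actually silence, here is an added Python harness; it is not part of Jonas's mail and not MailScanner code. It transcribes the rules visible in the SweepViruses.pm hunks into Python regexes, keeps the same per-archive state the Perl keeps in `$clamav_archive`, and runs the unrar 2.71 lines quoted in the mail plus constructed unrar 3.x lines through them. Assumptions: only rules visible in the hunks are modelled and everything else is classed as "unrecognised" (what MailScanner logs); the body of the module-failure branch is not in the hunks and is modelled as a reported line; the closing `archive: OK` line is inferred from the `/^$clamav_archive:/` test; the 3.x lines follow the formats given in the patch comments; and `re.escape` is used where the Perl interpolates the path unescaped.

```python
import re
from typing import List, Tuple

# Added harness, not MailScanner code: rules transcribed from the
# SweepViruses.pm hunks in the mail above. Only rules visible in those
# hunks are modelled; any other line is "unrecognised", which is what
# MailScanner logs as 'unrecognised line "...". Please contact the authors!'.


class ClamOutputFilter:
    """Classify clamscan/unrar output one line at a time, keeping the
    per-archive state the Perl keeps in $clamav_archive."""

    def __init__(self) -> None:
        self.archive = ""  # Perl's $clamav_archive

    def classify(self, line: str) -> str:
        # New rule (first hunk): the unrar banner, any version, so the
        # 2.71 banner from the logs and the 3.10 one are both silenced.
        if re.match(r"UNRAR \d+\.\d+ freeware", line):
            return "ignored"
        # Existing rule: archive header printed by clamscan --unzip.
        m = re.match(r"Archive:  (.*)$", line)
        if m:
            self.archive = m.group(1)
            return "archive-start"
        # New rule (second hunk): archive header printed by unrar.
        m = re.match(r"Extracting from (.*)$", line)
        if m:
            self.archive = m.group(1)
            return "archive-start"
        if re.search(r"Empty file.$", line):
            return "ignored"
        # Assumption: the body of this branch is not in the hunks; it is
        # modelled as "log it and return".
        m = re.search(r": (\S+ module failure\.)", line)
        if m:
            return "reported: " + m.group(1)
        # "  inflating", "  deflating" lines from --unzip.
        if line.startswith("  "):
            return "ignored"
        # New rule (third hunk): per-file unrar line; exact whitespace is
        # required, including the trailing space after OK.
        if re.match(r"Extracting  .*OK $", line):
            return "ignored"
        if line == "":
            return "ignored"
        # Existing rule: closing "archive: ..." line. The Perl interpolates
        # $clamav_archive unescaped; re.escape is used here so a path with
        # regex metacharacters cannot break the match.
        if self.archive and re.match(re.escape(self.archive) + ":", line):
            self.archive = ""
            return "archive-end"
        return "unrecognised"


def classify_all(lines: List[str]) -> List[Tuple[str, str]]:
    """Run one scan's output through a single filter instance."""
    f = ClamOutputFilter()
    return [(line, f.classify(line)) for line in lines]


def remaining_noise(lines: List[str]) -> List[str]:
    """Lines the patched ProcessClamAVOutput would still report."""
    return [line for line, kind in classify_all(lines) if kind == "unrecognised"]


# Incoming path quoted from the mail's log entries.
INCOMING = "/var/spool/MailScanner/incoming/16206/./1AT3Ib-0000ex-00/Renusse.part2.rar"

# Lines quoted from the unrar 2.71 log entries in the mail.
UNRAR_271_OUTPUT = [
    "UNRAR 2.71 freeware      Copyright (c) 1993-2000 Eugene Roshal",
    "Extracting from " + INCOMING,
    "Unknown method in Billede073.jpg",
    "No files to extract",
]

# Constructed unrar 3.x output, following the formats in the patch comments
# plus the "archive:" closing line the Perl expects from clamscan.
UNRAR_3X_OUTPUT = [
    "UNRAR 3.10 freeware      Copyright (c) 1993-2002 Eugene Roshal",
    "",
    "Extracting from " + INCOMING,
    "",
    "Extracting  Billede073.jpg                                   OK ",
    INCOMING + ": OK",
]

if __name__ == "__main__":
    for label, output in (("unrar 2.71", UNRAR_271_OUTPUT), ("unrar 3.x", UNRAR_3X_OUTPUT)):
        print(f"== {label} ==")
        for line, kind in classify_all(output):
            print(f"{kind:14s} {line!r}")
        print("still noisy:", remaining_noise(output))
```

Running it shows the point the mail makes indirectly: with the 2.71 output the patch only silences the banner and the "Extracting from" header, while "Unknown method in ..." and "No files to extract" are still reported, whereas the constructed 3.x output passes cleanly. Dropping the trailing space after "OK" on a per-file line is enough to make it noisy again, which is the fragility of the `/^Extracting  .*OK $/` test.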