DoS, locale, spool file and unrar log noise

[Jonas Bardino]

* Jonas Bardino <jones at ODENSE.KOLLEGIENET.DK> [Dec 08. 2003 21:06]:
> Hi!

Hate to reply to my own mail, but we got a bit closer to the solution.

--- cut: server specs ---

> We keep getting a few DoS warnings every day about mails that appear to
> be quite harmless:
> Dec  7 14:55:10 cindy MailScanner[27894]: Commercial scanner clamav timed out!
> Dec  7 14:55:10 cindy MailScanner[27894]: Virus Scanning: Denial Of Service attack detected!
> (Btw, the clam developers may not like being called commercial :-)
> Unfortunately the attachments aren't quarantined when that happens, so
> it's a bit hard to reproduce the problem.

Further analysis indicates that the quarantined message did in fact
include a RAR file! It just didn't show up as a separate file
in the quarantine dir.

> According to a google search the default setting related to DoS checks are:
> max-files = 500, max-size = 10000 (=10 MB), max-recursion = 5
> We tried increasing the DoS prevention arguments to ClamAV by adding the
> following line in /etc/MailScanner/wrapper/clamav-wrapper:
> ExtraScanOptions="--max-files=10000 --max-space=100000 --max-recursion=20 $ExtraScanOptions"
> But we still see the DoS warnings.
> Did anyone find a good way around that, or is it necessary to
> completely disable the limits?

Manual runs of "clamscan --mbox message" goes on forever unless the
internal ClamAV unpacking functions are disabled.
Therefore they have now been disabled in MailScanner by adding:
ExtraScanOptions="--disable-archive $ExtraScanOptions"
to /etc/MailScanner/wrapper/clamav-wrapper.
So far it seems to have solved the "DoS warning" problem.
Indeed it also removed the "RAR module failure" log entries.

So that's one down, three to go.

I still hope that someone can help with those or point us in the right direction.

Thanks in advance!

Kind regards, Jonas