Bogus "denial of service" messages, and postdrop not working

Julian Field mailscanner at ecs.soton.ac.uk
Mon Dec 15 15:08:38 GMT 2003


At 14:28 15/12/2003, you wrote:
>Hi,
>
>I'm encountering (surprise ! :-) some new problems. Some legitimate
>messages get their attachments scrubbed by MS with the mention that they
>contain a « denial of service attack ». I looked at the documentation,
>the FAQ, the mailing-list archives (even grepped the source code files
>for the 'DOSAttack' string), to no avail. I can't seem to find what
>triggers those denial of service alerts, and how to deactivate them...

The DOS attack detection happens when either ClamAV thinks the zip file 
expands too big, or else the virus scanner (whichever one it is) never 
returns within the timeout period it is given to run in (usually 5 or 10 
minutes).


>Another problem is that I've thus far failed to reinject a message into
>the queue by conventional means. I quarantine messages with :
>
>Quarantine Infections = yes
>Quarantine Whole Message = yes
>Quarantine Whole Messages As Queue Files = yes
>
>When I use postdrop on a quarantined message, I get a cryptic error
>message :
>
>[root at sceuzi][/var/spool/MailScanner/quarantine/20031213/3CC271B8114]# 
>postdrop < 3CC271B8114
>queue_idEB92220C06Bpostdrop: fatal: uid=0: unexpected record type: 67
>
>The only clue I've been able to find is a message where this behaviour
>was attributed to a version discrepancy between postfix and the postdrop
>command. Of course, I double-checked all my commands come from the same
>version, thus I'm in the dark. A postcat on the same file works fine, so
>I've for the moment settled on a script which parses the postcat output
>and reinjects it on the internal Postfix instance, but it's a truly
>lousy solution. Can someone point me to where I should look to get rid
>of this problem ?
>
>BTW, my MailScanner.conf (without comments) is at
><http://cagliostro.monaco.net/tmp/ms/3/MailScanner.conf>. I don't know
>if it can help in understanding what happens, but then, better safe than
>sorry...
>
>Greets,
>--
>[ Jacques Caruso <jacques at monaco.net>                   PHP Developer ]
>[ Monaco Internet                           http://monaco-internet.mc/ ]
>[ Tel: (+377) 93 10 00 43                          PGP key: 0x41F5C63D ]
>[ -*-  When the finger points at the moon, the fool looks at the finger  -*- ]

-- 
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
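To make the two triggers in the reply concrete, here is an added illustration (not MailScanner's or ClamAV's own code): a pre-check that reads the declared sizes in a zip's central directory to spot archives that would expand "too big", and a scanner wrapper that turns a hung scanner into the same kind of verdict. The thresholds and the scanner command are assumptions, not MailScanner's actual settings.

```python
import io
import subprocess
import zipfile

# Assumed thresholds for illustration only (not MailScanner's or ClamAV's real limits).
MAX_EXPANDED_BYTES = 10 * 1024 * 1024   # reject archives that would expand past 10 MiB
MAX_EXPANSION_RATIO = 100               # reject archives that inflate more than 100x
SCANNER_TIMEOUT_SECONDS = 300           # stand-in for the scanner timeout MailScanner applies


def zip_expansion_check(data: bytes):
    """Return (ok, reason) from the central-directory sizes, without extracting anything.

    Declared sizes are attacker-controlled, so this is only a cheap first filter; a real
    scanner must also enforce limits while it actually decompresses the members.
    """
    compressed = len(data)
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            expanded = sum(info.file_size for info in zf.infolist())
    except zipfile.BadZipFile:
        return False, "not a valid zip archive"
    if expanded > MAX_EXPANDED_BYTES:
        return False, f"expands to {expanded} bytes (limit {MAX_EXPANDED_BYTES})"
    if compressed and expanded / compressed > MAX_EXPANSION_RATIO:
        return False, f"expansion ratio {expanded / compressed:.0f}x exceeds {MAX_EXPANSION_RATIO}x"
    return True, "ok"


def run_scanner_with_timeout(argv, timeout=SCANNER_TIMEOUT_SECONDS):
    """Run a scanner command; not returning within the timeout is reported as the DoS case."""
    try:
        proc = subprocess.run(argv, capture_output=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        return False, f"scanner did not return within {timeout}s"
    return proc.returncode == 0, f"scanner exit status {proc.returncode}"


def build_zip(members):
    """Constructed sample input: build an in-memory zip from a {name: bytes} mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return buf.getvalue()


if __name__ == "__main__":
    print(zip_expansion_check(build_zip({"report.txt": b"quarterly figures\n"})))
    print(zip_expansion_check(build_zip({"zeros.bin": b"\0" * (12 * 1024 * 1024)})))
```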