False DoS report

Kip Turk nospam at WCC.NET
Fri Mar 21 20:48:10 GMT 2003


I have some users sending around some proprietary files that get
extremely large when uncompressed.  The files are sent as filename.zip,
and the typical message size is around 500k.  From what I can discern,
tnef is attempting to extract these files to scan and is considering
them to be a DoS against the virus scanner.  The maximum-size for tnef
is already 100M and I hesitate to increase it to accommodate these few
users.  In fact, I hate to set the ruleset here as I'm not positive
these expanded files wouldn't actually be a DoS against my system,
however unintentional.

As a stop-gap method, I've stopped virus scanning completely for these
users.  Obviously, this isn't an optimal solution.  What I'd like to do
is skip tnef expansion or virus scanning for filename.zip files sent to
or from these users.

Unfortunately, it looks to me like this would require a nested ruleset.
Anyone have a clever solution I'm missing?  And is a nested ruleset
safe/functional?

--
Kip Turk, RHCE                                       spamdies at wcc.net
Systems Administrator/Killer of Spam/Writer of Code/Penguin Proponent
West Central Net - tel: 915.234.5678 / 800.695.9016 fax: 915.656.0071
-.-. --- -.. . / -- --- -. -.- . -.-- --..-- / .... .- -.-. -.- . .-.


