"Virus Scanners=" --> DOS-attack

shrek-m at gmx.de shrek-m at GMX.DE
Fri Sep 5 10:01:50 IST 2003


hi,


with the wrong setting "Virus Scanners="
instead of "Virus Scanners = none"
mailscanner begins a DOS-attack

with the correct setting, e.g. "none" or "sophos",
mailscanner is working correctly.



is this reproducible on other systems?




$ rpm -q mailscanner
mailscanner-4.22-5
$ cat /etc/redhat-release
Red Hat Linux release 8.0 (Psyche)


- check your av-wrapper, eg.

$ /usr/lib/MailScanner/sophos-wrapper /data4/doku/viren/eicar
 >>> Virus 'EICAR-AV-Test' found in file /data4/doku/viren/eicar
1 file swept in 0 seconds.
1 virus was discovered.
1 file out of 1 was infected.


- set "Virus Scanners ="

$ grep "Virus Scanners" /etc/MailScanner/MailScanner.conf
#       then set "Virus Scanners = none" instead.
# Virus Scanners = sophos f-prot mcafee
##Virus Scanners = none
##Virus Scanners = sophos
Virus Scanners =



- # service MailScanner restart
- send *1* infected email (or spam?) for testing to a local user-account
- the hdd immediately begins never-ending work
- wait a short time
- # service MailScanner stop
- the system calms down
- check your mailbox

<snip-mbox>

Message 1842:
 From postmaster at xp1800.localdomain  Fri Sep  5 10:05:02 2003
Date: Fri, 5 Sep 2003 10:05:02 +0200
From: "MailScanner" <postmaster at xp1800.localdomain>
To: postmaster at xp1800.localdomain
Subject: {Virus?} Warning: E-mail viruses detected
X-MailScanner-Information: Please contact the ISP for more information
X-MailScanner: Found to be infected

Content-Type: text/plain; charset="us-ascii"; name="VirusWarning.txt"
Content-Disposition: inline; filename="VirusWarning.txt"
Content-Transfer-Encoding: quoted-printable

This is a message from the MailScanner E-Mail Virus Protection Service
----------------------------------------------------------------------
The original e-mail attachment "the entire message"
was believed to be infected by a virus and has been replaced by this warning
message.

If you wish to receive a copy of the *infected* attachment, please
e-mail helpdesk and include the whole of this message
in your request. Alternatively, you can call them, with
the contents of this message to hand when you call.

At Fri Sep  5 10:05:02 2003 the virus scanner said:
   Denial of Service attack in message!

Note to Help Desk: Look on the MailScanner in /var/spool/MailScanner/quaran=
tine/20030905 (message h85852wQ002545).
--=20
Postmaster
Mailscanner thanks transtec Computers for their support

</snip-mbox>


--
shrek-m
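
Added example, not part of the original post and not MailScanner code: a pre-restart lint that flags the empty "Virus Scanners =" value reported above. The function names are hypothetical, and it assumes the last uncommented "Virus Scanners" line is the effective one and that the key matches regardless of case and spacing.

```shell
#!/bin/sh
# Added example (not MailScanner code): lint MailScanner.conf for an empty
# "Virus Scanners" value, the setting this report says triggers the loop.

# Print the effective value: the last uncommented "Virus Scanners" line wins
# (assumption). Key match ignores case and spacing (assumption).
# Exit status: 0 = non-empty value, 1 = empty value, 2 = setting absent.
virus_scanners_value() {
    awk '
        /^[ \t]*#/ { next }                      # commented-out lines
        {
            eq = index($0, "=")
            if (eq == 0) next
            key = tolower(substr($0, 1, eq - 1))
            gsub(/[ \t]/, "", key)
            if (key != "virusscanners") next
            val = substr($0, eq + 1)
            gsub(/^[ \t\r]+|[ \t\r]+$/, "", val) # trim surrounding whitespace
            seen = 1; last = val
        }
        END {
            if (!seen) exit 2
            print last
            exit (last == "" ? 1 : 0)
        }
    ' "$1"
}

# Human-readable verdict; returns the same status as virus_scanners_value.
check_conf() {
    if value=$(virus_scanners_value "$1"); then rc=0; else rc=$?; fi
    case $rc in
        0) echo "OK: Virus Scanners = $value" ;;
        1) echo "FAIL: Virus Scanners is empty; use \"none\" or a scanner name" ;;
        2) echo "WARN: no uncommented Virus Scanners line in $1" ;;
    esac
    return "$rc"
}

# Constructed sample: the grep output shown in the post, written to a temp file.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#       then set "Virus Scanners = none" instead.
# Virus Scanners = sophos f-prot mcafee
##Virus Scanners = none
##Virus Scanners = sophos
Virus Scanners =
EOF
check_conf "$sample" || true    # reports FAIL for the post's configuration
```

Running `check_conf /etc/MailScanner/MailScanner.conf` before `service MailScanner restart` catches the setting before any mail is processed.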


