"Virus Scanners=" --> DOS-attack

Julian Field mailscanner at ecs.soton.ac.uk
Fri Sep 5 10:16:44 IST 2003


It's hardly a DoS attack, it's a case of me not checking the configuration
well enough. DoS attacks are generally attacks coming from outside. There
are a million packages that don't work well if you configure them wrong.
Setting up software wrong is not an "attack" of any sort, it's a screw-up
by the admin.

Anyway, the patch to add more checking is this:

--- SweepViruses.pm.old    2003-09-04 15:50:05.000000000 +0100
+++ SweepViruses.pm     2003-09-05 10:16:54.000000000 +0100
@@ -573,6 +571,7 @@

    $scannerlist = MailScanner::Config::Value('virusscanners');
    $scannerlist =~ tr/,//d;
+  $scannerlist = "none" unless $scannerlist; # Catch empty setting
    @scanners = split(" ", $scannerlist);
    $counter = 0;
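
Review bot: the added guard `$scannerlist = "none" unless $scannerlist;` tests Perl truthiness, so it catches the empty string (and, because it sits after `tr/,//d`, a value that was only commas), but a value made up only of spaces or tabs is still true and would reach `split(" ", $scannerlist)` and leave `@scanners` empty, unless the config reader already trims values, which these lines do not show. Testing `unless $scannerlist =~ /\S/` would cover that case as well. It would also help to log a warning when the fallback fires, so the admin learns that the "Virus Scanners" setting was empty instead of silently running with "none".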

At 10:01 05/09/2003, you wrote:
>hi,
>
>
>with the wrong setting "Virus Scanners="
>instead of "Virus Scanners = none"
>mailscanner begins a DOS-attack

No, it stops working because you broke it.


>with the correct setting, e.g. "none" or "sophos",
>mailscanner is working correctly.
>
>
>
>is this reproducible on other systems?
>
>
>
>
>$ rpm -q mailscanner
>mailscanner-4.22-5
>$ cat /etc/redhat-release
>Red Hat Linux release 8.0 (Psyche)
>
>
>- check your av-wrapper, eg.
>
>$ /usr/lib/MailScanner/sophos-wrapper /data4/doku/viren/eicar
> >>> Virus 'EICAR-AV-Test' found in file /data4/doku/viren/eicar
>1 file swept in 0 seconds.
>1 virus was discovered.
>1 file out of 1 was infected.
>
>
>- set "Virus Scanners ="
>
>$grep "Virus Scanners" /etc/MailScanner/MailScanner.conf
>#       then set "Virus Scanners = none" instead.
># Virus Scanners = sophos f-prot mcafee
>##Virus Scanners = none
>##Virus Scanners = sophos
>Virus Scanners =
>
>
>
>- # service MailScanner restart
>- send *1* infected email (or spam?) for testing to a local user-account
>- the hdd immediately begins never-ending work
>- wait a short time
>- # service MailScanner stop
>- the system calms down
>- check your mailbox
>
><snip-mbox>
>
>Message 1842:
> From postmaster at xp1800.localdomain  Fri Sep  5 10:05:02 2003
>Date: Fri, 5 Sep 2003 10:05:02 +0200
>From: "MailScanner" <postmaster at xp1800.localdomain>
>To: postmaster at xp1800.localdomain
>Subject: {Virus?} Warning: E-mail viruses detected
>X-MailScanner-Information: Please contact the ISP for more information
>X-MailScanner: Found to be infected
>
>Content-Type: text/plain; charset="us-ascii"; name="VirusWarning.txt"
>Content-Disposition: inline; filename="VirusWarning.txt"
>Content-Transfer-Encoding: quoted-printable
>
>This is a message from the MailScanner E-Mail Virus Protection Service
>----------------------------------------------------------------------
>The original e-mail attachment "the entire message"
>was believed to be infected by a virus and has been replaced by this warning
>message.
>
>If you wish to receive a copy of the *infected* attachment, please
>e-mail helpdesk and include the whole of this message
>in your request. Alternatively, you can call them, with
>the contents of this message to hand when you call.
>
>At Fri Sep  5 10:05:02 2003 the virus scanner said:
>   Denial of Service attack in message!
>
>Note to Help Desk: Look on the MailScanner in /var/spool/MailScanner/quaran=
>tine/20030905 (message h85852wQ002545).
>--=20
>Postmaster
>Mailscanner thanks transtec Computers for their support
>
></snip-mbox>
>
>
>--
>shrek-m

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support
