DOS and Oversized Zip
campbell at CNPAPERS.COM
Tue Feb 24 14:01:38 GMT 2004
I'm curious as to the configuration of clam. I thought, based on the
Faq-o-matic, that clam did not require configuration, and that all
parameters were passed to it from MS.
Is this only used in the manual mode of operation or does there need to be
something set up in clamav.conf for MS?
campbell at cnpapers.com
----- Original Message -----
From: "Rick Cooper" <rcooper at DWFORD.COM>
To: <MAILSCANNER at JISCMAIL.AC.UK>
Sent: Monday, February 23, 2004 7:39 PM
Subject: Re: DOS and Oversized Zip
> > -----Original Message-----
> > From: MailScanner mailing list
> > [mailto:MAILSCANNER at JISCMAIL.AC.UK]On
> > Behalf Of MailScanner Mailbox
> > Sent: Monday, February 23, 2004 1:11 PM
> > To: MAILSCANNER at JISCMAIL.AC.UK
> > Subject: DOS and Oversized Zip
> > Hello All
> > I think that this may be a clamav problem rather than a mailscanner
> > problem but I am not 100% sure. I am running MailScanner 4.22-4 and
> > clamav 0.67.
> > It seems that recently I am getting many many emails turned away with
> > the message "Denial of Service attack in message!" It seems to be
> > caused by a zipfile that expands many times its zipped size, (isn't
> > this the purpose of zipping a file)?
> There are ways to handcraft a zip file so it expands from a few
> bytes to a couple of terabytes, used to be called "The Zip of
> death". Clam allows you to restrict the compression ratio to
> avoid "Zip bombs" of this nature. Imagine the problems if you
> received a zip bomb that was a few hundred K compressed and a few
> gig uncompressed?
> > Anyways, there is some info I googled that mentions editing the
> > scanners.c file (specifically "ZIPOSDET") to increase the value. I
> > don't see that option available in clamav 0.67 so perhaps it is
> > something I can set within the mailscanner config file?
> > I have confirmed that the file being sent is a zip file containing 3
> > txt files (one of them is 5mb) and it compresses down to 220kb.
> > Any and all help concerning this is most appreciated.
> look in your clamav.conf file for:
> # Mark potential archive bombs as viruses (0 disables the limit)
> ArchiveMaxCompressionRatio 200
> and set it to what you think appropriate for your system. If it's
> not there add it.
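
An added illustration, not part of the thread and not ClamAV's own code, of the kind of per-member compression-ratio limit that the `ArchiveMaxCompressionRatio 200` setting describes: each zip member is decompressed in chunks and abandoned as soon as its output exceeds the ratio, so a bomb is never fully expanded. The function names and the sample archive are constructed for this example.

```python
import hashlib
import io
import zipfile

MAX_RATIO = 200  # value from the ArchiveMaxCompressionRatio line quoted above


def build_zip(members):
    """Build an in-memory zip from {name: bytes} (constructed sample input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def measured_ratio(zf, info, max_ratio, chunk=64 * 1024):
    """Decompress one member in chunks, stopping once the output exceeds
    max_ratio times the compressed size. Returns (ratio_so_far, exceeded)."""
    compressed = max(info.compress_size, 1)
    total = 0
    with zf.open(info) as fh:
        while block := fh.read(chunk):
            total += len(block)
            if max_ratio and total > compressed * max_ratio:
                return total / compressed, True  # stop early, never expand fully
    return total / compressed, False


def scan_archive(data, max_ratio=MAX_RATIO):
    """Return {member: (ratio, flagged)}; max_ratio 0 disables the limit."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {info.filename: measured_ratio(zf, info, max_ratio)
                for info in zf.infolist() if not info.is_dir()}


# Constructed samples: poorly compressible hex text and a 5 MiB run of zeros.
HEX_TEXT = "".join(hashlib.sha256(str(i).encode()).hexdigest()
                   for i in range(2000)).encode()
SAMPLE = build_zip({"notes.txt": HEX_TEXT, "zeros.bin": b"\x00" * (5 * 1024 * 1024)})

if __name__ == "__main__":
    for name, (ratio, flagged) in scan_archive(SAMPLE).items():
        print(f"{name}: {ratio:.1f}:1 {'FLAGGED' if flagged else 'ok'}")
```

Measuring the ratio while decompressing, rather than trusting the sizes recorded in the zip headers, means a crafted archive cannot understate its expanded size to pass the check.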