Mailscanner marking DOS Attack on 2 different servers

Miguel Koren O'Brien de Lacy miguelk at KONSULTEX.COM.BR
Fri Jun 18 16:52:30 IST 2004


A few months ago one of the servers we managed started developing very
high CPU loads due to what we think was a bug in a SQL statement
(Firebird) that eventually required a local hard reboot because SSH
access was impossible (the cryptography was probably too slow to be done
before a timeout). I noticed in the maillog that during the many hours
that the server was struggling with this situation, there were many
cases of a DOS being reported. I assumed that it had to do with the fact
that Clam was not able to complete the scan of zipped files in time for
MailScanner and so MailScanner assumed a DOS attack. This was on
Fedora C1 and the Clam/MailScanner versions current in March more or
less. Unfortunately we never did find the SQL error because the
statements (including joins) are generated in the application on the fly
from other parameters. We did change some of the logic but there is no
100% proof that this 'fixed' it.

Miguel

Julian Field wrote:

> Somebody else saw this and in their case it turned out to be their virus
> scanner not returning due to having screwed its virus definitions.
> Try running your virus scanner by hand and see what happens.
>
> At 14:57 18/06/2004, you wrote:
>
>> I have two different servers that just started developing problems with
>> mailscanner marking all inbound and outbound email a denial of service
>> attack.
>>
>> I've been searching the archives trying to figure out what could be wrong,
>> but can't really find anything. It seems that maybe it's caused by a timeout
>> on DNS, but nothing has changed on these two servers in many weeks.
>
>
> -- 
> Julian Field
> www.MailScanner.info
> MailScanner thanks transtec Computers for their support
>
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>
> -------------------------- MailScanner list ----------------------
> To leave, send    leave mailscanner    to jiscmail at jiscmail.ac.uk
> Before posting, please see the Most Asked Questions at
> http://www.mailscanner.biz/maq/     and the archives at
> http://www.jiscmail.ac.uk/lists/mailscanner.html
>



-- 
This message has been checked by the antivirus system and
 is believed to be free of danger.
