Mailscanner marking DOS Attack on 2 different servers

Stephen Conway sconway at WLNET.COM
Fri Jun 18 21:12:36 IST 2004


Good day:

Can someone advise me where / how to update my McAfee engine?

Thanks,

Steve



-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On Behalf
Of Miguel Koren O'Brien de Lacy
Sent: Friday, June 18, 2004 11:53 AM
To: MAILSCANNER at JISCMAIL.AC.UK
Subject: Re: Mailscanner marking DOS Attack on 2 different servers

A few months ago one of the servers we managed started developing very
high CPU loads due to what we think was a bug in a SQL statement
(Firebird) that eventually required a local hard reboot because ssh
access was impossible (the cryptography was probably too slow to be done
before a timeout). I noticed in the maillog that during the many hours
that the server was struggling with this situation, there were many
cases of a DOS being reported. I assumed that it had to do with the fact
that Clam was not able to complete the scan of zipped files in time for
Mail Scanner and so Mail Scanner assumed a DOS attack. This was on
Fedora C1 and the Clam/MailScanner versions current in March more or
less. Unfortunately we never did find the SQL error because the
statements (including joins) are generated in the application on the fly
from other parameters. We did change some of the logic but there is no
100% proof that this 'fixed' it.

Miguel

Julian Field wrote:

> Somebody else saw this and in their case it turned out to be their virus
> scanner not returning due to having screwed its virus definitions.
> Try running your virus scanner by hand and see what happens.
>
> At 14:57 18/06/2004, you wrote:
>
>> I have two different servers that just started developing problems with
>> mailscanner marking all inbound and outbound email a denial of service
>> attack.
>>
>> I've been searching the archives trying to figure out what could be wrong,
>> but can't really find anything. It seems that maybe it's caused by a timeout
>> on dns, but nothing has changed on these two servers in many weeks.
>
>
> --
> Julian Field
> www.MailScanner.info
> MailScanner thanks transtec Computers for their support
>
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>
> -------------------------- MailScanner list ----------------------
> To leave, send    leave mailscanner    to jiscmail at jiscmail.ac.uk
> Before posting, please see the Most Asked Questions at
> http://www.mailscanner.biz/maq/     and the archives at
> http://www.jiscmail.ac.uk/lists/mailscanner.html
>



--
This message has been checked by the antivirus system and
 is believed to be free of danger.



