Phishing detector apparently slogged up my server

Bruce Rahn brahn at woh.rr.com
Thu Nov 18 08:40:20 GMT 2004



Greg Deputy wrote:

>Fedora core 2, MailScanner 4.35.9, Postfix 2.1.5.  Phishing detection
>turned on.  Currently acting as a gateway (no mail on server, all gets
>scanned and passed on to another server for delivery) for about 500 mail
>boxes on 100 hosted domains.
>
>Today I was looking at my mailscanner-mrtg page
>(http://mx.blastzone.com/mailscanner-mrtg) and noticed that at around
>1:30 am the CPU pegged on the box.  I spent some time trying to figure
>out why, looking at the logs for a DOS attack or some evidence that the
>box had been compromised, but found nothing.
>
>What I eventually figured out was MailScanner seemed to be hitting the
>same mail in the postfix hold queue over and over again.  It would hit
>the mail, and apparently restart.  It would seem to hit the queue,
>process a few messages, hit one, and then choke, restart.  It also
>caused the CPU to be a lot more active (85% +) than it normally is
>(~25%).
>
>I believe it was dying in the phishing detector logic for 2 reasons.
>One, I kept seeing the same phishing detection over and over again in
>the logs.  Two, I turned off the phishing detection in MailScanner.conf,
>restarted MailScanner, and the queue cleared out and CPU dropped back to
>normal.
>
>
>
[stuff deleted]

>
>Nov 17 09:01:05 mx MailScanner[32483]: Found phishing fraud attack from
>http://www.otcbb.com/asp/quote_module.asp?symbol=MTDN</a>
>Nov 17 09:01:05 mx MailScanner[32483]: <br><br>
>Nov 17 09:01:05 mx MailScanner[32483]: Big year expected in 2005 for
>Motion DNA<br>
>Nov 17 09:01:05 mx MailScanner[32483]:   <br>
>Nov 17 09:01:05 mx MailScanner[32483]: Trading Symbol MTDN<br>
>Nov 17 09:01:05 mx MailScanner[32483]: Current Price (est.) $0.025<br>
>Nov 17 09:01:05 mx MailScanner[32483]: Valued Price (est.) $1.00<br><br>
>
>
I had the exact same thing happen today on what looks like the exact
same SPAM message.  It was looping over, and over, and over again.

Something about that message MailScanner didn't like.

Bruce

--
Bruce Rahn

Wisdom has two parts:
1.  having a lot to say; and
2.  not saying it!
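
Added example, not part of the original post and not MailScanner code: a log check for the symptom described in this thread, where the same "Found phishing fraud attack" entry repeats as the scanner restarts on one held message. It assumes each restart logs under a new PID and that the caller supplies the year missing from syslog timestamps; `find_reprocessing_loops`, its thresholds and the sample lines are hypothetical.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: the message format is the one quoted in the post;
# the PIDs, times and the example.test line are invented for illustration.
SAMPLE_LOG = """\
Nov 17 09:01:05 mx MailScanner[32483]: Found phishing fraud attack from http://www.otcbb.com/asp/quote_module.asp?symbol=MTDN</a>
Nov 17 09:01:05 mx MailScanner[32483]: Trading Symbol MTDN<br>
Nov 17 09:01:40 mx MailScanner[32510]: Found phishing fraud attack from http://www.otcbb.com/asp/quote_module.asp?symbol=MTDN</a>
Nov 17 09:02:15 mx MailScanner[32544]: Found phishing fraud attack from http://www.otcbb.com/asp/quote_module.asp?symbol=MTDN</a>
Nov 17 09:02:20 mx MailScanner[32544]: Found phishing fraud attack from http://example.test/login</a>
"""

HIT = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ MailScanner\[(\d+)\]: "
                 r"Found phishing fraud attack from (\S+)")

def find_reprocessing_loops(log_text, min_pids=3,
                            window=timedelta(minutes=10), year=2004):
    """Return {url: [pids]} for URLs reported by at least min_pids distinct
    MailScanner processes within `window` (assumed sign of a restart loop)."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = HIT.match(line)
        if not m:
            continue  # message-body continuation lines, other daemons
        stamp, pid, url = m.groups()
        when = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        url = re.sub(r"(<[^>]*>)+$", "", url)  # drop trailing HTML residue such as </a>
        hits[url].append((when, int(pid)))
    loops = {}
    for url, events in hits.items():
        events.sort()
        # Slide a window over the events and count distinct reporting PIDs.
        for i, (start, _) in enumerate(events):
            pids = {p for t, p in events[i:] if t - start <= window}
            if len(pids) >= min_pids:
                loops[url] = sorted(pids)
                break
    return loops

if __name__ == "__main__":
    for url, pids in find_reprocessing_loops(SAMPLE_LOG).items():
        print(f"possible reprocessing loop: {url} seen by PIDs {pids}")
```

A URL flagged this way points at a message to pull from the hold queue for inspection before the scanner is restarted.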
