Phishing detector apparently slogged up my server

Julian Field mailscanner at ecs.soton.ac.uk
Thu Nov 18 09:07:30 GMT 2004


On 18/11/04 8:40 am, "Bruce Rahn" <brahn at woh.rr.com> wrote:
> Greg Deputy wrote:
>
>> Fedora core 2, MailScanner 4.35.9, Postfix 2.1.5.  Phishing detection
>> turned on.  Currently acting as a gateway (no mail on server, all gets
>> scanned and passed on to another server for delivery) for about 500 mail
>> boxes on 100 hosted domains.
>>
>> Today I was looking at my mailscanner-mrtg page
>> (http://mx.blastzone.com/mailscanner-mrtg) and noticed that at around
>> 1:30 am the CPU pegged on the box.  I spent some time trying to figure
>> out why, looking at the logs for a DOS attack or some evidence that the
>> box had been compromised, but found nothing.
>>
>> What I eventually figured out was Mailscanner seemed to be hitting the
>> same mail in the postfix hold queue over and over again.  It would hit
>> the mail, and apparently restart.  It would seem to hit the queue,
>> process a few messages, hit one, and then choke, restart.  It also
>> caused the CPU to be a lot more active (85% +) than it normally is
>> (~25%).
>>
>> I believe it was dying in the phishing detector logic for 2 reasons.
>> One, I kept seeing the same phishing detection over and over again in
>> the logs.  Two, I turned off the phishing detection in MailScanner.conf,
>> restarted MailScanner, and the queue cleared out and CPU dropped back to
>> normal.
>>
>>
>>
> [stuff deleted]
>
>>
>> Nov 17 09:01:05 mx MailScanner[32483]: Found phishing fraud attack from
>> http://www.otcbb.com/asp/quote_module.asp?symbol=MTDN</a>
>> Nov 17 09:01:05 mx MailScanner[32483]: <br><br>
>> Nov 17 09:01:05 mx MailScanner[32483]: Big year expected in 2005 for
>> Motion DNA<br>
>> Nov 17 09:01:05 mx MailScanner[32483]:   <br>
>> Nov 17 09:01:05 mx MailScanner[32483]: Trading Symbol MTDN<br>
>> Nov 17 09:01:05 mx MailScanner[32483]: Current Price (est.) $0.025<br>
>> Nov 17 09:01:05 mx MailScanner[32483]: Valued Price (est.) $1.00<br><br>
>>
>>
> I had the exact same thing happen today on what looks like the exact
> same SPAM message.  It was looping over, and over, and over again.
>
> Something about that message MailScanner didn't like.

In which case can someone send me a copy of the message please? Don't mind
much what format, I can handle most things.
--
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

------------------------ MailScanner list ------------------------
To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
'leave mailscanner' in the body of the email.
Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).

Support MailScanner development - buy the book off the website!




More information about the MailScanner mailing list