Phishing detector apparently slogged up my server

Julian Field mailscanner at
Thu Nov 18 12:09:45 GMT 2004

I have found and fixed the problem with the (malformed) messages. Attached
is a new for those of you who just want this update.

I will also release a new beta after lunch, including this change and all
the other phishing net improvements among other things. I now support RedHat
Enterprise Server 4 beta 2 as well.

Julian Field
Buy the MailScanner book at

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

On 18/11/04 9:07 am, "Julian Field" <mailscanner at> wrote:

> On 18/11/04 8:40 am, "Bruce Rahn" <brahn at> wrote:
>> Greg Deputy wrote:
>>> Fedora core 2, MailScanner 4.35.9, Postfix 2.1.5.  Phishing detection
>>> turned on.  Currently acting as a gateway (no mail on server, all gets
>>> scanned and passed on to another server for delivery) for about 500 mail
>>> boxes on 100 hosted domains.
>>> Today I was looking at my mailscanner-mrtg page
>>> ( and noticed that at around
>>> 1:30 am the CPU pegged on the box.  I spent some time trying to figure
>>> out why, looking at the logs for a DoS attack or some evidence that the
>>> box had been compromised, but found nothing.
>>> What I eventually figured out was MailScanner seemed to be hitting the
>>> same mail in the postfix hold queue over and over again.  It would hit
>>> the mail, and apparently restart.  It would seem to hit the queue,
>>> process a few messages, hit one, and then choke, restart.  It also
>>> caused the CPU to be a lot more active (85% +) than it normally is
>>> (~25%).
>>> I believe it was dying in the phishing detector logic for 2 reasons.
>>> One, I kept seeing the same phishing detection over and over again in
>>> the logs.  Two, I turned off the phishing detection in MailScanner.conf,
>>> restarted MailScanner, and the queue cleared out and CPU dropped back to
>>> normal.
>> [stuff deleted]
>>> Nov 17 09:01:05 mx MailScanner[32483]: Found phishing fraud attack from
>>> Nov 17 09:01:05 mx MailScanner[32483]: <br><br>
>>> Nov 17 09:01:05 mx MailScanner[32483]: Big year expected in 2005 for
>>> Motion DNA<br>
>>> Nov 17 09:01:05 mx MailScanner[32483]:   <br>
>>> Nov 17 09:01:05 mx MailScanner[32483]: Trading Symbol MTDN<br>
>>> Nov 17 09:01:05 mx MailScanner[32483]: Current Price (est.) $0.025<br>
>>> Nov 17 09:01:05 mx MailScanner[32483]: Valued Price (est.) $1.00<br><br>
>> I had the exact same thing happen today on what looks like the exact
>> same SPAM message.  It was looping over, and over, and over again.
>> Something about that message MailScanner didn't like.
> In which case can someone send me a copy of the message please? Don't mind
> much what format, I can handle most things.
Julian Field
jkf at
Teaching Systems Manager
Electronics & Computer Science
University of Southampton
SO17 1BJ, UK


    [ Part 2, Application/OCTET-STREAM (Name: "")  54KB. ]
    [ Unable to print this part. ]
