Phishing detector apparently slogged up my server

Julian Field mailscanner at ecs.soton.ac.uk
Thu Nov 18 12:09:45 GMT 2004


I have found and fixed the problem with the (malformed) messages. Attached
is a new Message.pm for those of you who just want this update.

I will also release a new beta after lunch, including this change and all
the other phishing net improvements among other things. I now support RedHat
Enterprise Server 4 beta 2 as well.

--
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654


On 18/11/04 9:07 am, "Julian Field" <mailscanner at ecs.soton.ac.uk> wrote:

> On 18/11/04 8:40 am, "Bruce Rahn" <brahn at woh.rr.com> wrote:
>> Greg Deputy wrote:
>>
>>> Fedora core 2, MailScanner 4.35.9, Postfix 2.1.5.  Phishing detection
>>> turned on.  Currently acting as a gateway (no mail on server, all gets
>>> scanned and passed on to another server for delivery) for about 500 mail
>>> boxes on 100 hosted domains.
>>>
>>> Today I was looking at my mailscanner-mrtg page
>>> (http://mx.blastzone.com/mailscanner-mrtg) and noticed that at around
>>> 1:30 am the CPU pegged on the box.  I spent some time trying to figure
>>> out why, looking at the logs for a DOS attack or some evidence that the
>>> box had been compromised, but found nothing.
>>>
>>> What I eventually figured out was Mailscanner seemed to be hitting the
>>> same mail in the postfix hold queue over and over again.  It would hit
>>> the mail, and apparently restart.  It would seem to hit the queue,
>>> process a few messages, hit one, and then choke, restart.  It also
>>> caused the CPU to be a lot more active (85% +) than it normally is
>>> (~25%).
>>>
>>> I believe it was dying in the phishing detector logic for 2 reasons.
>>> One, I kept seeing the same phishing detection over and over again in
>>> the logs.  Two, I turned off the phishing detection in MailScanner.conf,
>>> restarted MailScanner, and the queue cleared out and CPU dropped back to
>>> normal.
>>>
>> [stuff deleted]
>>
>>>
>>> Nov 17 09:01:05 mx MailScanner[32483]: Found phishing fraud attack from
>>> http://www.otcbb.com/asp/quote_module.asp?symbol=MTDN</a>
>>> Nov 17 09:01:05 mx MailScanner[32483]: <br><br>
>>> Nov 17 09:01:05 mx MailScanner[32483]: Big year expected in 2005 for
>>> Motion DNA<br>
>>> Nov 17 09:01:05 mx MailScanner[32483]:   <br>
>>> Nov 17 09:01:05 mx MailScanner[32483]: Trading Symbol MTDN<br>
>>> Nov 17 09:01:05 mx MailScanner[32483]: Current Price (est.) $0.025<br>
>>> Nov 17 09:01:05 mx MailScanner[32483]: Valued Price (est.) $1.00<br><br>
>>>
>> I had the exact same thing happen today on what looks like the exact
>> same SPAM message.  It was looping over, and over, and over again.
>>
>> Something about that message MailScanner didn't like.
>
> In which case can someone send me a copy of the message please? Don't mind
> much what format, I can handle most things.
--
Julian Field
jkf at ecs.soton.ac.uk
Teaching Systems Manager
Electronics & Computer Science
University of Southampton
SO17 1BJ, UK


------------------------ MailScanner list ------------------------
To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
'leave mailscanner' in the body of the email.
Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).

Support MailScanner development - buy the book off the website!

    [ Part 2, Application/OCTET-STREAM (Name: "Message.pm.gz")  54KB. ]
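A monitoring check for the symptom Greg describes, added here as an example that is not part of this thread or of MailScanner itself: it reads syslog lines in the format quoted above and flags any phishing detection that is logged by several successive MailScanner child PIDs, which is what a child dying on one message and its replacement picking the same message up again looks like. The sample log lines are constructed for the example, and the example.com URL is a placeholder.

```python
import re
from collections import defaultdict

# Constructed sample lines in the syslog format quoted in the thread: three
# successive MailScanner children (a new PID after each restart) log the same
# detection, and one child also logs an unrelated one-off detection (placeholder URL).
SAMPLE_LOG = """\
Nov 17 09:01:05 mx MailScanner[32483]: Found phishing fraud attack from http://www.otcbb.com/asp/quote_module.asp?symbol=MTDN</a>
Nov 17 09:01:05 mx MailScanner[32483]: <br><br>
Nov 17 09:01:05 mx MailScanner[32483]: Trading Symbol MTDN<br>
Nov 17 09:01:30 mx MailScanner[32510]: Found phishing fraud attack from http://www.otcbb.com/asp/quote_module.asp?symbol=MTDN</a>
Nov 17 09:01:30 mx MailScanner[32510]: <br><br>
Nov 17 09:01:41 mx MailScanner[32510]: Found phishing fraud attack from http://example.com/signin
Nov 17 09:01:55 mx MailScanner[32547]: Found phishing fraud attack from http://www.otcbb.com/asp/quote_module.asp?symbol=MTDN</a>
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"MailScanner\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
DETECTION_PREFIX = "Found phishing fraud attack from "


def parse_lines(text):
    """Yield (timestamp, pid, message) for every MailScanner syslog line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("ts"), int(m.group("pid")), m.group("msg")


def find_reprocessing_loops(text, min_pids=3):
    """Return {detection_text: [pids]} for detections logged by at least
    min_pids distinct MailScanner children, in order of first appearance.
    A detection repeated under a series of new PIDs is the loop from the thread:
    a child chokes on the message, restarts, and hits the same message again."""
    pids_by_detection = defaultdict(list)
    for _ts, pid, msg in parse_lines(text):
        if msg.startswith(DETECTION_PREFIX):
            detection = msg[len(DETECTION_PREFIX):]
            if pid not in pids_by_detection[detection]:
                pids_by_detection[detection].append(pid)
    return {d: p for d, p in pids_by_detection.items() if len(p) >= min_pids}


if __name__ == "__main__":
    for detection, pids in find_reprocessing_loops(SAMPLE_LOG).items():
        print(f"looping detection {detection!r} seen under child PIDs {pids}")
```

Run it against `/var/log/maillog` (or wherever MailScanner's syslog lines land) to spot a stuck message before the CPU graph does.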