Phishing detector apparently slogged up my server

Ed Bruce ebruce at HPMICH.COM
Thu Nov 18 12:53:25 GMT 2004


Thanks for the fix. I just turned off phishing checks when I reported
this problem and got no response.

Julian Field wrote:

I have found and fixed the problem with the (malformed) messages. Attached
is a new Message.pm for those of you who just want this update.

I will also release a new beta after lunch, including this change and all
the other phishing net improvements among other things. I now support RedHat
Enterprise Server 4 beta 2 as well.

--
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654


On 18/11/04 9:07 am, "Julian Field" <mailscanner at ecs.soton.ac.uk> wrote:

On 18/11/04 8:40 am, "Bruce Rahn" <brahn at woh.rr.com> wrote:

Greg Deputy wrote:

Fedora core 2, MailScanner 4.35.9, Postfix 2.1.5.  Phishing detection
turned on.  Currently acting as a gateway (no mail on server, all gets
scanned and passed on to another server for delivery) for about 500 mail
boxes on 100 hosted domains.

Today I was looking at my mailscanner-mrtg page
(http://mx.blastzone.com/mailscanner-mrtg) and noticed that at around
1:30 am the CPU pegged on the box.  I spent some time trying to figure
out why, looking at the logs for a DOS attack or some evidence that the
box had been compromised, but found nothing.

What I eventually figured out was Mailscanner seemed to be hitting the
same mail in the postfix hold queue over and over again.  It would hit
the mail, and apparently restart.  It would seem to hit the queue,
process a few messages, hit one, and then choke, restart.  It also
caused the CPU to be a lot more active (85% +) than it normally is
(~25%).

I believe it was dying in the phishing detector logic for 2 reasons.
One, I kept seeing the same phishing detection over and over again in
the logs.  Two, I turned off the phishing detection in MailScanner.conf,
restarted MailScanner, and the queue cleared out and CPU dropped back to
normal.

[stuff deleted]

Nov 17 09:01:05 mx MailScanner[32483]: Found phishing fraud attack from
http://www.otcbb.com/asp/quote_module.asp?symbol=MTDN</a>
Nov 17 09:01:05 mx MailScanner[32483]: <br><br>
Nov 17 09:01:05 mx MailScanner[32483]: Big year expected in 2005 for
Motion DNA<br>
Nov 17 09:01:05 mx MailScanner[32483]:   <br>
Nov 17 09:01:05 mx MailScanner[32483]: Trading Symbol MTDN<br>
Nov 17 09:01:05 mx MailScanner[32483]: Current Price (est.) $0.025<br>
Nov 17 09:01:05 mx MailScanner[32483]: Valued Price (est.) $1.00<br><br>


        

 I had the exact same thing happen today on what looks like the exact
same SPAM message.  It was looping over, and over, and over again.

Something about that message MailScanner didn't like.

In which case can someone send me a copy of the message please? Don't mind
much what format, I can handle most things.

--
Julian Field
jkf at ecs.soton.ac.uk
Teaching Systems Manager
Electronics & Computer Science
University of Southampton
SO17 1BJ, UK


------------------------ MailScanner list ------------------------
To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
'leave mailscanner' in the body of the email.
Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).

Support MailScanner development - buy the book off the website!

--
Ed Bruce
Health Plan of Michigan
Senior Programmer
Phone:  248.226.1512
FAX:    248.204.6569
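The symptom reported above (the same "Found phishing fraud attack" line repeating in the log while MailScanner keeps restarting on one queued message) can be picked out of the syslog automatically. The script below is an added example, not code from MailScanner or from anyone in this thread: it parses lines in the format quoted above, ignores the body fragments the detector logs on the following lines, and flags any URL reported repeatedly by a changing MailScanner PID inside a short window. The sample log lines, the thresholds and the second URL are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches the detection line in the syslog format quoted in the thread.
# Body-fragment lines that follow it (e.g. '<br><br>') do not match and are skipped.
HIT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ MailScanner\[(?P<pid>\d+)\]: "
    r"Found phishing fraud attack from (?P<url>\S+)"
)

def parse_hits(lines, year=2004):
    """Yield (timestamp, pid, url) per detection line; syslog omits the year, so supply it."""
    for line in lines:
        m = HIT_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            # The detector logged the raw HTML, so drop a trailing '</a>' from the URL.
            yield ts, int(m["pid"]), re.sub(r"</a>$", "", m["url"])

def find_loops(lines, min_hits=3, window_seconds=600):
    """Return {url: (hits, distinct_pids)} for URLs reported at least min_hits times
    within any window_seconds window. A scan loop shows up as one URL reported again
    and again by a changing PID: the child dies, restarts, and re-scans the same file."""
    by_url = defaultdict(list)
    for ts, pid, url in parse_hits(lines):
        by_url[url].append((ts, pid))
    loops = {}
    for url, events in by_url.items():
        events.sort()
        best, start = (0, set()), 0
        for end, (ts, _) in enumerate(events):          # sliding window over sorted hits
            while (ts - events[start][0]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 > best[0]:
                best = (end - start + 1, {p for _, p in events[start:end + 1]})
        if best[0] >= min_hits:
            loops[url] = (best[0], len(best[1]))
    return loops

# Constructed sample: the thread's URL reported four times in seven minutes by four
# different PIDs (restarts), plus one unrelated single hit that must not be flagged.
SAMPLE_LOG = """\
Nov 17 09:01:05 mx MailScanner[32483]: Found phishing fraud attack from http://www.otcbb.com/asp/quote_module.asp?symbol=MTDN</a>
Nov 17 09:01:05 mx MailScanner[32483]: <br><br>
Nov 17 09:01:05 mx MailScanner[32483]: Trading Symbol MTDN<br>
Nov 17 09:03:12 mx MailScanner[32610]: Found phishing fraud attack from http://www.otcbb.com/asp/quote_module.asp?symbol=MTDN</a>
Nov 17 09:05:40 mx MailScanner[32755]: Found phishing fraud attack from http://www.otcbb.com/asp/quote_module.asp?symbol=MTDN</a>
Nov 17 09:07:58 mx MailScanner[32901]: Found phishing fraud attack from http://www.otcbb.com/asp/quote_module.asp?symbol=MTDN</a>
Nov 17 09:20:01 mx MailScanner[32901]: Found phishing fraud attack from http://other.example/login
""".splitlines()

if __name__ == "__main__":
    for url, (hits, pids) in find_loops(SAMPLE_LOG).items():
        print(f"possible scan loop: {url} reported {hits}x by {pids} PIDs")
```

A hit count of several with more than one PID in a few minutes is the pattern worth alerting on; the same URL hitting once per distinct message is normal spam and would not be flagged.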


--
This message, including any attachments, is intended solely for the use
of the named recipient(s) and may contain confidential and/or privileged
information. Any unauthorized review, use, disclosure or distribution of
this communication is expressly prohibited. If you are not the intended
recipient, please contact the sender by reply e-mail and destroy any and
all copies of the original message. Thank you for your cooperation.
--
This message has been scanned for viruses and
dangerous content by Secure Resource, and is
believed to be clean.
MailScanner thanks transtec Computers for their support.