Phishing detector apparently slogged up my server

Chris Stone cstone at AXINT.NET
Thu Nov 18 20:33:09 GMT 2004


Julian,

Is this Message.pm the same as the one in the 4.36.1 release? Or are there
still problems with this code that are further fixed in the 4.36.1 release?


Chris


-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On Behalf
Of Julian Field
Sent: Thursday, November 18, 2004 5:10 AM
To: MAILSCANNER at JISCMAIL.AC.UK
Subject: Re: Phishing detector apparently slogged up my server

I have found and fixed the problem with the (malformed) messages. Attached
is a new Message.pm for those of you who just want this update.

I will also release a new beta after lunch, including this change and all
the other phishing net improvements among other things. I now support RedHat
Enterprise Server 4 beta 2 as well.

--
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654


On 18/11/04 9:07 am, "Julian Field" <mailscanner at ecs.soton.ac.uk> wrote:

> On 18/11/04 8:40 am, "Bruce Rahn" <brahn at woh.rr.com> wrote:
>> Greg Deputy wrote:
>>
>>> Fedora core 2, MailScanner 4.35.9, Postfix 2.1.5.  Phishing detection
>>> turned on.  Currently acting as a gateway (no mail on server, all gets
>>> scanned and passed on to another server for delivery) for about 500 mail
>>> boxes on 100 hosted domains.
>>>
>>> Today I was looking at my mailscanner-mrtg page
>>> (http://mx.blastzone.com/mailscanner-mrtg) and noticed that at around
>>> 1:30 am the CPU pegged on the box.  I spent some time trying to figure
>>> out why, looking at the logs for a DOS attack or some evidence that the
>>> box had been compromised, but found nothing.
>>>
>>> What I eventually figured out was Mailscanner seemed to be hitting the
>>> same mail in the postfix hold queue over and over again.  It would hit
>>> the mail, and apparently restart.  It would seem to hit the queue,
>>> process a few messages, hit one, and then choke, restart.  It also
>>> caused the CPU to be a lot more active (85% +) than it normally is
>>> (~25%).
>>>
>>> I believe it was dying in the phishing detector logic for 2 reasons.
>>> One, I kept seeing the same phishing detection over and over again in
>>> the logs.  Two, I turned off the phishing detection in MailScanner.conf,
>>> restarted MailScanner, and the queue cleared out and CPU dropped back to
>>> normal.
>>>
>>>
>>>
>> [stuff deleted]
>>
>>>
>>> Nov 17 09:01:05 mx MailScanner[32483]: Found phishing fraud attack from
>>> http://www.otcbb.com/asp/quote_module.asp?symbol=MTDN</a>
>>> Nov 17 09:01:05 mx MailScanner[32483]: <br><br>
>>> Nov 17 09:01:05 mx MailScanner[32483]: Big year expected in 2005 for
>>> Motion DNA<br>
>>> Nov 17 09:01:05 mx MailScanner[32483]:   <br>
>>> Nov 17 09:01:05 mx MailScanner[32483]: Trading Symbol MTDN<br>
>>> Nov 17 09:01:05 mx MailScanner[32483]: Current Price (est.) $0.025<br>
>>> Nov 17 09:01:05 mx MailScanner[32483]: Valued Price (est.) $1.00<br><br>
>>>
>>>
>> I had the exact same thing happen today on what looks like the exact
>> same SPAM message.  It was looping over, and over, and over again.
>>
>> Something about that message MailScanner didn't like.
>
> In which case can someone send me a copy of the message please? Don't mind
> much what format, I can handle most things.
--
Julian Field
jkf at ecs.soton.ac.uk
Teaching Systems Manager
Electronics & Computer Science
University of Southampton
SO17 1BJ, UK


------------------------ MailScanner list ------------------------
To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
'leave mailscanner' in the body of the email.
Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).

Support MailScanner development - buy the book off the website!

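Greg's report above describes the symptom of a scanner loop from the operator's side: the same "Found phishing fraud attack" line logged again and again while the child process restarts and the queue never drains. The script below is an added example, not MailScanner code and not from anyone in this thread, showing how a defender can spot that pattern from syslog alone. It assumes the line layout visible in Greg's excerpt ("Mon DD HH:MM:SS host MailScanner[pid]: message") and runs over a constructed sample log; the first URL is the one from the excerpt, the second (example.invalid) is a constructed placeholder. The heuristic it implements: the same detection text appearing at least `threshold` times within `window` seconds, especially from several different PIDs, indicates one message being re-scanned after each restart rather than distinct mail.

```python
"""Flag repeated MailScanner phishing detections that indicate a re-scan loop.

Added example for this thread (not MailScanner's own code). Assumes the syslog
layout seen in the quoted excerpt and a constructed sample log.
"""
import re
from collections import defaultdict
from datetime import datetime

# "Nov 17 09:01:05 mx MailScanner[32483]: Found phishing fraud attack from ..."
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"MailScanner\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
PHISH_RE = re.compile(r"^Found phishing fraud attack from (?P<url>\S+)")

# Constructed sample: four hits on the same URL from four different child PIDs
# inside seven minutes (a loop), plus two unrelated hits an hour apart (normal).
SAMPLE_LOG = """\
Nov 17 09:01:05 mx MailScanner[32483]: Found phishing fraud attack from http://www.otcbb.com/asp/quote_module.asp?symbol=MTDN</a>
Nov 17 09:01:05 mx MailScanner[32483]: Trading Symbol MTDN<br>
Nov 17 09:03:12 mx MailScanner[32610]: Found phishing fraud attack from http://www.otcbb.com/asp/quote_module.asp?symbol=MTDN</a>
Nov 17 09:05:20 mx MailScanner[32744]: Found phishing fraud attack from http://www.otcbb.com/asp/quote_module.asp?symbol=MTDN</a>
Nov 17 09:07:33 mx MailScanner[32901]: Found phishing fraud attack from http://www.otcbb.com/asp/quote_module.asp?symbol=MTDN</a>
Nov 17 10:15:00 mx MailScanner[33012]: Found phishing fraud attack from http://example.invalid/login</a>
Nov 17 11:02:44 mx MailScanner[33012]: Found phishing fraud attack from http://example.invalid/login</a>
"""


def parse_line(line, year=2004):
    """Return {ts, host, pid, msg} for a MailScanner syslog line, else None.

    Syslog omits the year, so the caller supplies it (default matches the thread).
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    # Collapse the double space syslog uses for single-digit days ("Nov  7").
    stamp = " ".join(m.group("ts").split())
    ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m.group("host"), "pid": int(m.group("pid")),
            "msg": m.group("msg")}


def find_rescan_loops(lines, threshold=3, window=600, year=2004):
    """Map each phishing URL to the densest burst of repeated detections.

    A URL is reported when at least `threshold` identical detections fall inside
    any `window`-second span. The set of PIDs in that span is returned too: many
    distinct PIDs for one URL means the scanning child kept dying and restarting
    on the same queued message, which is the loop described in the thread.
    """
    hits = defaultdict(list)  # url -> [(timestamp, pid), ...]
    for line in lines:
        rec = parse_line(line, year)
        if rec is None:
            continue
        pm = PHISH_RE.match(rec["msg"])
        if pm:
            hits[pm.group("url")].append((rec["ts"], rec["pid"]))

    loops = {}
    for url, events in hits.items():
        events.sort()
        best = None
        start = 0
        # Sliding window over the sorted timestamps for this URL.
        for end, (ts, _) in enumerate(events):
            while (ts - events[start][0]).total_seconds() > window:
                start += 1
            count = end - start + 1
            if count >= threshold and (best is None or count > best["count"]):
                best = {
                    "count": count,
                    "first": events[start][0],
                    "last": ts,
                    "pids": sorted({pid for _, pid in events[start:end + 1]}),
                }
        if best:
            loops[url] = best
    return loops


if __name__ == "__main__":
    for url, info in find_rescan_loops(SAMPLE_LOG.splitlines()).items():
        print(f"possible re-scan loop: {info['count']} detections of {url} "
              f"between {info['first']:%H:%M:%S} and {info['last']:%H:%M:%S}, "
              f"pids {info['pids']}")
```

On a live gateway you would feed it `tail` of the mail log and alert when a URL shows up with several PIDs; a quick confirmation is then to list the Postfix hold queue and check whether the same queue file keeps reappearing as the scanner's working set, which is exactly what Greg ended up doing by hand.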



