Phishing detector apparently slogged up my server

Julian Field mailscanner at ecs.soton.ac.uk
Thu Nov 18 21:10:35 GMT 2004



Should be the same.

Chris Stone wrote:

>Julian,
>
>Is this Message.pm the same as the one that is in the 4.36.1 release? Or are there
>still problems with this code that are further fixed in the 4.36.1 release?
>
>
>Chris
>
>
>-----Original Message-----
>From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On Behalf
>Of Julian Field
>Sent: Thursday, November 18, 2004 5:10 AM
>To: MAILSCANNER at JISCMAIL.AC.UK
>Subject: Re: Phishing detector apparently slogged up my server
>
>I have found and fixed the problem with the (malformed) messages. Attached
>is a new Message.pm for those of you who just want this update.
>
>I will also release a new beta after lunch, including this change and all
>the other phishing net improvements among other things. I now support RedHat
>Enterprise Server 4 beta 2 as well.
>
>--
>Julian Field
>www.MailScanner.info
>Buy the MailScanner book at www.MailScanner.info/store
>
>PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>
>On 18/11/04 9:07 am, "Julian Field" <mailscanner at ecs.soton.ac.uk> wrote:
>
>>On 18/11/04 8:40 am, "Bruce Rahn" <brahn at woh.rr.com> wrote:
>>
>>>Greg Deputy wrote:
>>>
>>>>Fedora core 2, MailScanner 4.35.9, Postfix 2.1.5.  Phishing detection
>>>>turned on.  Currently acting as a gateway (no mail on server, all gets
>>>>scanned and passed on to another server for delivery) for about 500 mail
>>>>boxes on 100 hosted domains.
>>>>
>>>>Today I was looking at my mailscanner-mrtg page
>>>>(http://mx.blastzone.com/mailscanner-mrtg) and noticed that at around
>>>>1:30 am the CPU pegged on the box.  I spent some time trying to figure
>>>>out why, looking at the logs for a DOS attack or some evidence that the
>>>>box had been compromised, but found nothing.
>>>>
>>>>What I eventually figured out was Mailscanner seemed to be hitting the
>>>>same mail in the postfix hold queue over and over again.  It would hit
>>>>the mail, and apparently restart.  It would seem to hit the queue,
>>>>process a few messages, hit one, and then choke, restart.  It also
>>>>caused the CPU to be a lot more active (85% +) than it normally is
>>>>(~25%).
>>>>
>>>>I believe it was dying in the phishing detector logic for 2 reasons.
>>>>One, I kept seeing the same phishing detection over and over again in
>>>>the logs.  Two, I turned off the phishing detection in MailScanner.conf,
>>>>restarted MailScanner, and the queue cleared out and CPU dropped back to
>>>>normal.
>>>>
>>>[stuff deleted]
>>>
>>>>Nov 17 09:01:05 mx MailScanner[32483]: Found phishing fraud attack from
>>>>http://www.otcbb.com/asp/quote_module.asp?symbol=MTDN</a>
>>>>Nov 17 09:01:05 mx MailScanner[32483]: <br><br>
>>>>Nov 17 09:01:05 mx MailScanner[32483]: Big year expected in 2005 for
>>>>Motion DNA<br>
>>>>Nov 17 09:01:05 mx MailScanner[32483]:   <br>
>>>>Nov 17 09:01:05 mx MailScanner[32483]: Trading Symbol MTDN<br>
>>>>Nov 17 09:01:05 mx MailScanner[32483]: Current Price (est.) $0.025<br>
>>>>Nov 17 09:01:05 mx MailScanner[32483]: Valued Price (est.) $1.00<br><br>
>>>>
>>>I had the exact same thing happen today on what looks like the exact
>>>same SPAM message.  It was looping over, and over, and over again.
>>>
>>>Something about that message MailScanner didn't like.
>>>
>>In which case can someone send me a copy of the message please? Don't mind
>>much what format, I can handle most things.
>>

--
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
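An added example, not part of this thread or of MailScanner itself: a small log check for the symptom Greg describes, a scanner child dying on one queued message and its replacement rescanning it after every restart. It groups "Found phishing fraud attack from" lines by reported URL and flags any URL reported by several distinct MailScanner PIDs; it also notes when the captured "URL" still carries HTML like the `</a>` in the quoted log, which points at a malformed message. The log format is taken from the lines quoted above; the sample log, the PIDs and `http://example.test/login` are constructed.

```python
import re
from collections import defaultdict

# Syslog-style MailScanner line: "Nov 17 09:01:05 mx MailScanner[32483]: <text>"
LOG_RE = re.compile(
    r"^[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2} \S+ MailScanner\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
PHISH_RE = re.compile(r"^Found phishing fraud attack from (?P<url>\S+)")


def parse_line(line):
    """Return (pid, url) for a phishing-detector hit, None for any other line."""
    m = LOG_RE.match(line.rstrip("\n"))
    p = PHISH_RE.match(m.group("msg")) if m else None
    return (m.group("pid"), p.group("url")) if p else None


def has_markup_residue(url):
    """True when the reported 'URL' still carries HTML such as a stray </a>:
    the detector's URL extraction ran past a tag, a sign of a malformed message."""
    return "<" in url or ">" in url


def find_rescan_loops(lines, min_processes=3):
    """Map each reported URL to the sorted distinct scanner PIDs that reported it,
    keeping only URLs seen by at least min_processes PIDs. A new PID per hit means
    the child died and its replacement rescanned the same queued message."""
    pids_by_url = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            pids_by_url[parsed[1]].add(parsed[0])
    return {url: sorted(pids) for url, pids in pids_by_url.items()
            if len(pids) >= min_processes}


# Constructed sample: three successive scanner children each report the same
# message (the URL from the thread); one unrelated hit is seen only once.
SAMPLE_LOG = """\
Nov 17 09:01:05 mx MailScanner[32483]: Found phishing fraud attack from http://www.otcbb.com/asp/quote_module.asp?symbol=MTDN</a>
Nov 17 09:01:05 mx MailScanner[32483]: Trading Symbol MTDN<br>
Nov 17 09:01:40 mx MailScanner[32511]: Found phishing fraud attack from http://www.otcbb.com/asp/quote_module.asp?symbol=MTDN</a>
Nov 17 09:02:01 mx MailScanner[32511]: Found phishing fraud attack from http://example.test/login
Nov 17 09:02:15 mx MailScanner[32540]: Found phishing fraud attack from http://www.otcbb.com/asp/quote_module.asp?symbol=MTDN</a>
"""

if __name__ == "__main__":
    for url, pids in find_rescan_loops(SAMPLE_LOG.splitlines()).items():
        note = " (contains HTML markup: malformed message?)" if has_markup_residue(url) else ""
        print(f"{len(pids)} scanner processes reported {url}{note}: PIDs {', '.join(pids)}")
```

Run it against `/var/log/maillog` (or wherever syslog puts MailScanner output) by passing the file's lines to `find_rescan_loops`; a hit listed with a growing set of PIDs is the message to pull out of the hold queue and send to the developer.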

------------------------ MailScanner list ------------------------
To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
'leave mailscanner' in the body of the email.
Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).

Support MailScanner development - buy the book off the website!



