tiff causing DOS message

Randy Fishel randyf at SIBERNET.COM
Wed Oct 6 16:16:24 IST 2004


  I have had a small flurry of DoS warnings recently, and took notice this
morning when a couple of automated notices were tagged as DoS attacks.
The log shows a sophossavi timeout, but scanning all the messages in
today's quarantine completes in 7 seconds.

  I am running MS4.33.3 and Sophossavi on Solaris.

-rf

On Wed, 6 Oct 2004, Julian Field wrote:

> That will be it. I can't remember whether you can change the timeout in
> MailScanner.conf or not; it's something that people never normally need to
> tweak.
>
> At 21:36 05/10/2004, you wrote:
> >Hello Julian
> >
> >Scanning the file by itself produces the following output:
> >
> >----------- SCAN SUMMARY -----------
> >Known viruses: 24829
> >Scanned directories: 0
> >Scanned files: 1
> >Infected files: 0
> >Data scanned: 2.46 MB
> >I/O buffer size: 131072 bytes
> >Time: 103.994 sec (1 m 43 s)
> >
> >Now when I look at this, it took almost 2 minutes to scan the file; I'm
> >assuming that this is what is causing the DOS message. When I scan a file
> >of similar size it only takes a little over 1/3 of the time.
> >
> >
> >----------- SCAN SUMMARY -----------
> >Known viruses: 24829
> >Scanned directories: 0
> >Scanned files: 1
> >Infected files: 0
> >Data scanned: 3.33 MB
> >I/O buffer size: 131072 bytes
> >Time: 28.532 sec (0 m 28 s)
> >
> >
> >So now that I think I know why it's doing it, is there a way to prevent
> >this from happening?
> >
> >Thank you for the help
> >
> >Rick
> >
> >
> >On Tue, 5 Oct 2004, Julian Field wrote:
> >
> > > What happens when you try to scan the tif manually?
> > >
> > > At 23:32 04/10/2004, you wrote:
> > > >Hello
> > > >
> > > >We have a customer that is attempting to send a tif file that is a little
> > > >over 3.5 MB. When trying to send, he receives the following error:
> > > >
> > > >The following e-mails were found to have: Virus Detected
> > > >
> > > >     Sender: xxxxxx at pris.bc.ca
> > > >IP Address: 64.114.126.175
> > > >  Recipient: xxxxxx at peacecountry.com
> > > >    Subject: '...are' sticker
> > > >  MessageID: i94Kea0D007039
> > > >     Report: Denial of Service attack in message!
> > > >             Denial of Service attack in message!
> > > >
> > > >
> > > >The interesting part of the df file is:
> > > >
> > > >--============_-1115191450==_============
> > > >Content-Type: text/plain; charset="us-ascii" ; format="flowed"
> > > >
> > > >hello doris & frances,
> > > >
> > > >please find the attached layout of the sticker that you requested.
> > > >
> > > >
> > > >thanks!
> > > >
> > > >jesh 250-782-6068
> > > >--============_-1115191450==_============
> > > >Content-Id: <a05200f00bd87873eaf3f@[192.168.0.102].0.0>
> > > >Content-Type: image/tiff; name="are.tif"
> > > >  ; x-mac-type="54494646"
> > > >  ; x-mac-creator="3842494D"
> > > >Content-Disposition: attachment; filename="are.tif"
> > > >Content-Transfer-Encoding: base64
> > > >
> > > >
> > > >I have looked as best I can but cannot find a reason for this. We are
> > > >running MS-4.33.3 with ClamAV-0.80rc2
>
> --
> Julian Field
> www.MailScanner.info
> MailScanner thanks transtec Computers for their support
> Buy the MailScanner book at www.MailScanner.info/store
>
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>
> ------------------------ MailScanner list ------------------------
> To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
> 'leave mailscanner' in the body of the email.
> Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
> the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
>
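
Added example, not part of the original thread or of MailScanner's code: it parses the two clamscan summaries quoted above, computes each file's scan rate, and flags the one whose scan time would exceed a scanner timeout. The 60-second timeout and all function names are assumptions; the thread does not state the configured value.

```python
import re

# The two clamscan summaries posted in the thread (mail quote markers kept).
SLOW_TIF = """\
> >----------- SCAN SUMMARY -----------
> >Infected files: 0
> >Data scanned: 2.46 MB
> >Time: 103.994 sec (1 m 43 s)
"""
FAST_TIF = """\
> >----------- SCAN SUMMARY -----------
> >Infected files: 0
> >Data scanned: 3.33 MB
> >Time: 28.532 sec (0 m 28 s)
"""

# Assumption: the thread never states the configured scanner timeout.
ASSUMED_TIMEOUT_S = 60.0

# Tolerate leading "> " quoting so a summary can be pasted straight from mail.
FIELD = re.compile(r"^[> \t]*(Infected files|Data scanned|Time):\s*([\d.]+)", re.M)

def parse_summary(text):
    """Return the numeric fields of one SCAN SUMMARY block."""
    fields = {name: float(value) for name, value in FIELD.findall(text)}
    missing = {"Data scanned", "Time"} - fields.keys()
    if missing:
        raise ValueError(f"not a scan summary, missing {sorted(missing)}")
    return fields

def assess(text, timeout_s=ASSUMED_TIMEOUT_S):
    """Report scan rate and whether the scan would outlast the timeout."""
    f = parse_summary(text)
    rate = f["Data scanned"] / f["Time"] if f["Time"] > 0 else float("inf")
    return {
        "seconds": f["Time"],
        "mb_per_s": round(rate, 4),
        "clean": f.get("Infected files", 0) == 0,
        "exceeds_timeout": f["Time"] >= timeout_s,
    }

def slowdown(slow_text, fast_text):
    """How many times slower, per MB, the first file scans than the second."""
    return assess(fast_text)["mb_per_s"] / assess(slow_text)["mb_per_s"]

if __name__ == "__main__":
    for label, text in (("slow tif", SLOW_TIF), ("similar-size file", FAST_TIF)):
        print(label, assess(text))
    print("per-MB slowdown: %.1fx" % slowdown(SLOW_TIF, FAST_TIF))
```

A file that is clean but exceeds the timeout is the case that surfaces as a "Denial of Service attack in message!" report rather than a virus hit.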
