Denial Of Service attack handling by MS 4.54.6
mailscanner at mango.zw
Wed Jul 26 16:09:22 IST 2006
I have only just installed the above version of MailScanner and was
interested to see how it dealt with the problem of DOS attacks affecting
the virus scanner. I came across an example this morning:
The message was 650 KB in size, with a PowerPoint attachment
10 minutes after scanning of the batch started, MailScanner reported
"Commercial scanner clamav timed out!" (this corresponds with
the time configured for Virus Scanner Timeout) followed by
"Denial Of Service attack detected!"
10 minutes later there was another maillog entry reporting
"Commercial scanner clamav timed out!" again followed by details
of which message caused the denial of service attack.
22 minutes after the above, the message was finally quarantined.
I presume that the above actions are as now intended. However there are
still some associated problems:
The complete batch of 16 messages totalling 805877 bytes took a
full 45 minutes to be processed before the uninfected messages
were delivered, in spite of my having set Virus Scanner Timeout to
10 minutes per batch.
The message was treated as containing a silent virus, so there
was no notification to the recipient.
Are the following changes possible and if so, agreeable to you:
Stop virus scanning any individual message once it exceeds a
reasonable time - eg if "Virus Scanner Timeout = 300", then stop
scanning a message after say (300/no of msgs in batch)*10 secs
or the full virus scanner timeout time, whichever is the smaller.
Flag the message as being infected with a Denial of Service attack
(as it does now).
Remove "Denial Of Service attack" from the list of silent viruses,
so that such messages are delivered with a notice to say that the
attachment has been removed.
I presume that the final option could alternatively be handled by simply
Virus: /Denial.of.Service/ yes
which is what I have now done. However I think that in general such cases
are far more likely to be genuine files than deliberately crafted bombs.
MANGO - Zimbabwe's non-profit e-mail service
More information about the MailScanner