Denial Of Service attack handling by MS 4.54.6

Jim Holland mailscanner at mango.zw
Wed Jul 26 16:09:22 IST 2006


Hi Julian

I have only just installed the above version of MailScanner and was 
interested to see how it dealt with the problem of DOS attacks affecting 
the virus scanner.  I came across an example this morning:

	The message was 650 KB in size, with a PowerPoint attachment

	10 minutes after scanning of the batch started, MailScanner reported
	"Commercial scanner clamav timed out!" (this corresponds with
	the time configured for Virus Scanner Timeout) followed by
	"Denial Of Service attack detected!"

	10 minutes later there was another maillog entry reporting 
	"Commercial scanner clamav timed out!" again followed by details
	of which message caused the denial of service attack.

	22 minutes after the above, the message was finally quarantined.

I presume that the above actions are as now intended.  However there are 
still some associated problems:

	The complete batch of 16 messages totalling 805877 bytes took a 
	full 45 minutes to be processed before the uninfected messages 
	were delivered, in spite of my having set Virus Scanner Timeout to
	10 minutes per batch.

	The message was treated as containing a silent virus, so there
	was no notification to the recipient.

Are the following changes possible, and if so, agreeable to you?

	Stop virus scanning any individual message once it exceeds a 
	reasonable time - e.g. if "Virus Scanner Timeout = 300", then stop 
	scanning a message after say (300/number of messages in batch)*10 
	seconds or the full virus scanner timeout time, whichever is the smaller.

	Flag the message as being infected with a Denial of Service attack
	(as it does now).

	Remove "Denial Of Service attack" from the list of silent viruses,
	so that such messages are delivered with a notice to say that the
	attachment has been removed.

I presume that the final option could alternatively be handled by simply 
adding:

	Virus:	/Denial.of.Service/	yes
to
	still_deliver_silent_viruses.rules

which is what I have now done.  However I think that in general such cases 
are far more likely to be genuine files than deliberately crafted bombs.

Regards

Jim Holland
System Administrator
MANGO - Zimbabwe's non-profit e-mail service
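Added illustration (not code from the post or from MailScanner itself): the per-message budget proposed above, applied to a simulated batch whose scan times are constructed, with flagged messages then routed through the "Virus: /Denial.of.Service/ yes" rule. The ruleset layout (a trailing "FromOrTo: default" catch-all) and case-insensitive pattern matching are assumptions, not verified MailScanner behaviour.

```python
import re

# Constructed rules-file content in MailScanner ruleset style. The Virus: line
# is the one from the post; the FromOrTo: default line is an assumed catch-all.
RULES = """\
Virus:\t/Denial.of.Service/\tyes
FromOrTo:\tdefault\tno
"""

def parse_rules(text):
    """Return (direction, pattern, value) triples; blank and '#' lines skipped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        direction, pattern, value = line.split(None, 2)
        rules.append((direction.rstrip(":"), pattern, value.lower()))
    return rules

def still_deliver(report, rules):
    """First matching Virus: rule wins; a 'default' pattern matches anything.
    Matching is case-insensitive here (assumption)."""
    for direction, pattern, value in rules:
        if direction == "Virus" and re.search(pattern.strip("/"), report, re.I):
            return value == "yes"
        if pattern == "default":
            return value == "yes"
    return False

def per_message_budget(timeout, batch_size):
    """Proposed cap: (timeout / n) * 10 seconds, never above the full timeout."""
    return min(timeout, timeout / batch_size * 10)

def scan_batch(scan_times, timeout, rules):
    """Simulate a batch scan. A message whose scan exceeds its budget is stopped,
    flagged as a Denial Of Service attack, and delivered only if the rules say so.
    Returns (total elapsed seconds, flagged indexes, delivered indexes)."""
    budget = per_message_budget(timeout, len(scan_times))
    elapsed, flagged, delivered = 0.0, [], []
    for i, t in enumerate(scan_times):
        if t > budget:
            elapsed += budget          # scanner stopped at the budget
            flagged.append(i)
            if still_deliver("Denial Of Service attack detected!", rules):
                delivered.append(i)    # delivered with the attachment removed
        else:
            elapsed += t
            delivered.append(i)
    return elapsed, flagged, delivered
```

With a 16-message batch and a 300-second timeout the budget is 187.5 seconds, so one 45-minute message delays the batch by about three minutes instead of stalling it outright.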


