Denial Of Service attack handling by MS 4.54.6

Julian Field mailscanner at ecs.soton.ac.uk
Wed Jul 26 18:15:44 IST 2006


Please can you put a copy of the message on a web URL somewhere and mail 
me (off-list!) the URL so I can go and get it?

What happens (or should happen) is this:
Message Batch is scanned at one go
Scanner times out
Message Batch is scanned one message at a time, looking for the nasty 
message
Scanner times out on the nasty message
DoS attack detected.
Message should be handled as a normal virus infection, not a silent one.

I could really do with a copy of the message if at all possible.

I certainly wouldn't advise setting the Virus Scanner Timeout any higher 
than the default (5 minutes). You could easily reduce it to 2 minutes on 
most systems, my default is very conservative.

It will always take at least double that figure to process the batch, 
but I'm a bit worried by the factor of 4 you are seeing. Hence the need 
to test it.


Jim Holland wrote:
> Hi Julian
> 
> I have only just installed the above version of MailScanner and was 
> interested to see how it dealt with the problem of DOS attacks affecting 
> the virus scanner.  I came across an example this morning:
> 
> 	The message was 650 KB in size, with a PowerPoint attachment
> 
> 	10 minutes after scanning of the batch started, MailScanner reported
> 	"Commercial scanner clamav timed out!" (this corresponds with
> 	the time configured for Virus Scanner Timeout) followed by
> 	"Denial Of Service attack detected!"
> 
> 	10 minutes later there was another maillog entry reporting 
> 	"Commercial scanner clamav timed out!" again followed by details
> 	of which message caused the denial of service attack.
> 
> 	22 minutes after the above, the message was finally quarantined.
> 
> I presume that the above actions are as now intended.  However there are 
> still some associated problems:
> 
> 	The complete batch of 16 messages totalling 805877 bytes took a 
> 	full 45 minutes to be processed before the uninfected messages 
> 	were delivered, in spite of my having set Virus Scanner Timeout to
> 	10 minutes per batch.
> 
> 	The message was treated as containing a silent virus, so there
> 	was no notification to the recipient.
> 
> Are the following changes possible and if so, agreeable to you:
> 
> 	Stop virus scanning any individual message once it exceeds a 
> 	reasonable time - eg if "Virus Scanner Timeout = 300", then stop 
> 	scanning a message after say (300/no of msgs in batch)*10 secs
> 	or the full virus scanner timeout time, whichever is the smaller.
> 
> 	Flag the message as being infected with a Denial of Service attack
> 	(as it does now).
> 
> 	Remove "Denial Of Service attack" from the list of silent viruses,
> 	so that such messages are delivered with a notice to say that the
> 	attachment has been removed.
> 
> I presume that the final option could alternatively be handled by simply 
> adding:
> 
> 	Virus:	/Denial.of.Service/	yes
> to
> 	still_deliver_silent_viruses.rules
> 
> which is what I have now done.  However I think that in general such cases 
> are far more likely to be genuine files than deliberately crafted bombs.
> 
> Regards
> 
> Jim Holland
> System Administrator
> MANGO - Zimbabwe's non-profit e-mail service
> 

-- 
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
MailScanner thanks transtec Computers for their support.
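To make the timing behaviour discussed in this thread concrete, here is a small simulation, added as an illustration and not code from MailScanner or from either poster. It models the sequence Julian describes (scan the whole batch in one go; on a timeout, scan one message at a time; the message that times out alone is flagged as a Denial Of Service attack) and Jim's proposed per-message cap of (timeout / messages in batch) * 10 seconds. The scan times, the batch, and the names `scan`, `handle_batch` and `jims_cap` are all constructed for the example; two details are assumptions the thread does not state: that the remaining messages are still scanned individually after the culprit is found, and that a per-message cap would apply only to the one-at-a-time pass.

```python
"""Simulation of batch virus scanning with a scanner timeout.
Constructed example; not MailScanner code."""


def scan(messages, timeout):
    """Simulate one scanner run over `messages`, each a (name, seconds) pair.
    Returns (elapsed_seconds, timed_out). A run that would exceed `timeout`
    is killed at `timeout` seconds, so all work done so far is lost."""
    elapsed = 0.0
    for _name, secs in messages:
        if elapsed + secs > timeout:
            return float(timeout), True
        elapsed += secs
    return elapsed, False


def handle_batch(messages, timeout, per_message_cap=None):
    """Follow the sequence given in the reply:
       1. scan the whole batch in one go;
       2. if that times out, scan one message at a time;
       3. a message that times out on its own is flagged as a DoS attack.
    Assumptions (not stated in the thread): the other messages are still
    scanned individually after the culprit is found, and `per_message_cap`
    limits each individual scan to min(cap, timeout).
    Returns total wall-clock seconds, the flagged message name, and an event log."""
    events = []
    total, timed_out = scan(messages, timeout)
    if not timed_out:
        events.append("batch scanned clean in one go")
        return {"total_seconds": total, "dos_message": None, "events": events}
    events.append(f"batch timed out after {timeout}s")
    limit = timeout if per_message_cap is None else min(timeout, per_message_cap)
    flagged = None
    for msg in messages:
        elapsed, timed_out = scan([msg], limit)
        total += elapsed
        if timed_out:
            flagged = msg[0]
            events.append(f"{msg[0]} timed out alone after {elapsed:.0f}s: "
                          "Denial Of Service attack detected")
        else:
            events.append(f"{msg[0]} clean in {elapsed:.0f}s")
    return {"total_seconds": total, "dos_message": flagged, "events": events}


def jims_cap(timeout, batch_size):
    """Per-message limit proposed in the quoted message:
    (timeout / number of messages) * 10, or the full timeout, whichever is smaller."""
    return min(timeout, (timeout / batch_size) * 10)


# Constructed batch: 15 ordinary messages at 2 s each plus one message that
# makes the scanner spin indefinitely (modelled as an infinite scan time),
# placed in the middle of the batch.
BATCH = [(f"msg{i:02d}", 2.0) for i in range(15)] + [("msg15-bomb", float("inf"))]
BATCH.insert(7, BATCH.pop())

if __name__ == "__main__":
    for cap in (None, jims_cap(300, len(BATCH))):
        result = handle_batch(BATCH, timeout=300, per_message_cap=cap)
        print(f"cap={cap}: {result['total_seconds']:.0f}s total, "
              f"flagged {result['dos_message']}")
        for line in result["events"]:
            print("  ", line)
```

With the default 300 s timeout the batch costs 300 s for the failed full scan plus another 300 s for the culprit's own scan, which is the "at least double" Julian mentions; whatever the clean messages cost comes on top. With Jim's cap the second timeout shrinks to 187.5 s for a 16-message batch, and the trade-off is that a legitimate but slow-to-scan attachment is now more likely to be flagged, which is the concern he raises at the end of his message.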