Denial Of Service attack handling by MS 4.54.6

Julian Field mailscanner at
Wed Jul 26 18:15:44 IST 2006

Please can you put a copy of the message on a web URL somewhere and mail 
me (off-list!) the URL so I can go and get it?

What happens (or should happen) is this:
Message Batch is scanned at one go
Scanner times out
Message Batch is scanned one message at a time, looking for the nasty 
Scanner times out on the nasty message
DoS attack detected.
Message should be handled as a normal virus infection, not a silent one.

I could really do with a copy of the message if at all possible.

I certainly wouldn't advise setting the Virus Scanner Timeout any higher 
than the default (5 minutes). You could easily reduce it to 2 minutes on 
most systems, my default is very conservative.

It will always take at least double that figure to process the batch, 
but I'm a bit worried by the factor of 4 you are seeing. Hence the need 
to test it.

Jim Holland wrote:
> Hi Julian
> I have only just installed the above version of MailScanner and was 
> interested to see how it dealt with the problem of DOS attacks affecting 
> the virus scanner.  I came across an example this morning:
> 	The message was 650 KB in size, with a PowerPoint attachment
> 	10 minutes after scanning of the batch started, MailScanner reported
> 	"Commercial scanner clamav timed out!" (this corresponds with
> 	the time configured for Virus Scanner Timeout) followed by
> 	"Denial Of Service attack detected!"
> 	10 minutes later there was another maillog entry reporting 
> 	"Commercial scanner clamav timed out!" again followed by details
> 	of which message caused the denial of service attack.
> 	22 minutes after the above, the message was finally quarantined.
> I presume that the above actions are as now intended.  However there are 
> still some associated problems:
> 	The complete batch of 16 messages totalling 805877 bytes took a 
> 	full 45 minutes to be processed before the uninfected messages 
> 	were delivered, in spite of my having set Virus Scanner Timeout to
> 	10 minutes per batch.
> 	The message was treated as containing a silent virus, so there
> 	was no notification to the recipient.
> Are the following changes possible and if so, agreeable to you:
> 	Stop virus scanning any individual message once it exceeds a 
> 	reasonable time - eg if "Virus Scanner Timeout = 300", then stop 
> 	scanning a message after say (300/no of msgs in batch)*10 secs
> 	or the full virus scanner timeout time, whichever is the smaller.
> 	Flag the message as being infected with a Denial of Service attack
> 	(as it does now).
> 	Remove "Denial Of Service attack" from the list of silent viruses,
> 	so that such messages are delivered with a notice to say that the
> 	attachment has been removed.
> I presume that the final option could alternatively be handled by simply 
> adding:
> 	Virus:	/Denial.of.Service/	yes
> to
> 	still_deliver_silent_viruses.rules
> which is what I have now done.  However I think that in general such cases 
> are far more likely to be genuine files than deliberately crafted bombs.
> Regards
> Jim Holland
> System Administrator
> MANGO - Zimbabwe's non-profit e-mail service

Julian Field
Buy the MailScanner book at

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
MailScanner thanks transtec Computers for their support.

More information about the MailScanner mailing list