DoS lack of logs

Jim Holland mailscanner at mango.zw
Mon Oct 23 09:19:28 IST 2006


On Mon, 16 Oct 2006, shuttlebox wrote:

> On 10/9/06, Jim Holland <mailscanner at mango.zw> wrote:
> > I am pretty sure that this is only a problem on older versions of
> > MailScanner and that if you update to the current version the problem will
> > disappear.  Not only does the current version minimise the chances of a
> > denial of service problem occurring, but if it does occur it will also
> > report more helpfully:
> >
> >         Virus Scanning: Denial Of Service attack is in message k7GDK0Nb020871
> >
> > so that you know where the problem is.  The problem message will then be
> > quarantined so that it can be dealt with manually if required and the rest
> > of the system will carry on without interference.
> 
> I'm now running 4.56.8 and I don't get the above (crystal clear) log
> message, instead I get the old: Virus Scanning: Denial Of Service
> attack detected!
> 
> There's no sign of it getting quarantined either, maybe it is but I
> can't tell from the logs. Every time I get a DoS attempt I want to
> check out the message because it's often legit mail causing it. A
> message like this would be helpful:
> 
> Virus Scanning: Denial Of Service attack is in message k7GDK0Nb020871.
> Message quarantined.
> 
> Then you know what happened to which message.

Sorry - I missed your reply earlier.

Check your /usr/lib/MailScanner/MailScanner/SweepViruses.pm file.  It 
should have the following code in it:

        MailScanner::Log::WarnLog("Virus Scanning: Denial Of Service " .
                                  "attack is in message %s", $id);
  
I am running MailScanner version 4.56.1 but have not checked out version 
4.56.8.

The new method of processing will in fact give two reports in the log file
AFAIK - first the initial "Virus Scanning: Denial Of Service" when there
is a problem with a batch.  That will not identify the individual problem
message.  Then MailScanner will process the messages singly, and only if
it fails to process one of the messages in the batch will it give the more
explicit message.  It will then quarantine that problem message so it
doesn't delay the rest of the mail.  I suspect that in your case when
MailScanner reverted to individual message processing there was no further
problem, the mail was processed OK, and so there was no need to log
anything more in the log file.  Under earlier versions the same batch
would be processed over and over.

Regards

Jim Holland
System Administrator
MANGO - Zimbabwe's non-profit e-mail service
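
Added example (not part of the original post and not MailScanner code): a small log correlator for the two-stage reporting described above. It pairs each batch-level "Denial Of Service attack detected!" line with any later "is in message" line from the same scanner process; the syslog prefix, the function names and the sample lines are constructed assumptions.

```python
import re

# The two message texts are those quoted in the thread; the syslog-style
# "MailScanner[pid]:" prefix is an assumed layout, adjust to your log format.
BATCH_RE = re.compile(
    r"MailScanner\[(\d+)\]: Virus Scanning: Denial Of Service attack detected!")
SINGLE_RE = re.compile(
    r"MailScanner\[(\d+)\]: Virus Scanning: Denial Of Service attack is in message (\S+)")

# Constructed sample log, not real data (message id reused from the thread).
SAMPLE_LOG = """\
Oct 16 10:02:11 mail MailScanner[2301]: New Batch: Scanning 5 messages, 48211 bytes
Oct 16 10:02:41 mail MailScanner[2301]: Virus Scanning: Denial Of Service attack detected!
Oct 16 10:03:20 mail MailScanner[2301]: Virus Scanning: Denial Of Service attack is in message k7GDK0Nb020871
Oct 16 11:15:02 mail MailScanner[2417]: Virus Scanning: Denial Of Service attack detected!
Oct 16 11:16:40 mail MailScanner[2417]: New Batch: Scanning 2 messages, 9120 bytes
""".splitlines()


def correlate_dos_events(lines):
    """Pair each batch-level alarm with per-message lines from the same pid."""
    events, latest = [], {}  # latest: pid -> most recent alarm for that process
    for lineno, line in enumerate(lines, 1):
        single = SINGLE_RE.search(line)
        batch = BATCH_RE.search(line)
        if batch:
            event = {"pid": batch.group(1), "batch_line": lineno, "message_ids": []}
            events.append(event)
            latest[event["pid"]] = event
        elif single:
            pid, msg_id = single.group(1), single.group(2).rstrip(".")
            event = latest.get(pid)
            if event is None:  # per-message line with no earlier alarm in this log
                event = {"pid": pid, "batch_line": None, "message_ids": []}
                events.append(event)
                latest[pid] = event
            event["message_ids"].append(msg_id)
    return events


def unresolved(events):
    """Alarms with no per-message line after them (nothing further was logged)."""
    return [e for e in events if not e["message_ids"]]


if __name__ == "__main__":
    for e in correlate_dos_events(SAMPLE_LOG):
        ids = ", ".join(e["message_ids"]) or "no message identified"
        print(f"pid {e['pid']} alarm at line {e['batch_line']}: {ids}")
```
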



