Report: Denial of Service attack in message!

Julian Field MailScanner at ecs.soton.ac.uk
Tue May 15 15:12:02 IST 2007


This could happen if for some reason clamscan is asking for user input. 
This should not happen in normal situations, obviously.

Have you changed the "Virus Scanner Timeout" setting from the default 
(300 seconds == 5 minutes)?
Run the command
    MailScanner --changed | grep 'timeout'
and tell me what it says.
It should be left at the default value of 300 seconds. The new 0.90 
clamscan is very slow to start up and could easily take 30 seconds to 
scan a large batch of messages. From your log entries below, I think you 
have changed the timeout :-(

Do you have the clamavmodule Mail::ClamAV Perl module installed? 
"MailScanner -version" will tell you. And "MailScanner -lint" will tell 
you if it thinks you have the support for the clamavmodule scanner all 
installed. If you do have it all installed okay (and you need 
Mail::ClamAV version 0.20 for ClamAV 0.90 !) then try using the 
"clamavmodule" instead of the "clamav" virus scanner.

Then see if this helps solve the problem.

Jules.

Norbert Schmidt wrote:
> Hi,
>
> I am seeing quite a few "Report: Denial of Service attack in message!" in 
> the logfiles.
>
> The mails are quarantined since I selected to quarantine silent viruses.
>
>
> May 15 13:52:52 localhost MailScanner[30916]: Virus and Content Scanning: Starting
> May 15 13:53:23 localhost MailScanner[30916]: Commercial scanner clamav timed out!
> May 15 13:53:23 localhost MailScanner[30916]: clamav: Failed to complete, timed out
> May 15 13:53:23 localhost MailScanner[30916]: Virus Scanning: Denial Of Service attack detected!
> May 15 13:53:54 localhost MailScanner[30916]: Commercial scanner clamav timed out!
> May 15 13:53:54 localhost MailScanner[30916]: clamav: Failed to complete, timed out
> May 15 13:53:54 localhost MailScanner[30916]: Virus Scanning: Denial Of Service attack is in message 096EAC42EE.ABDA7
> May 15 13:54:56 localhost MailScanner[30916]: Infected message 096EAC42EE.ABDA7 came from xxx.11.206.74
> May 15 13:54:56 localhost MailScanner[30916]: HTML Img tag found in message B34D6C441C.201C8 from cakrystyemi at iriomote.com
> May 15 13:54:56 localhost MailScanner[30916]: <A> tag found in message 69E50C42EF.E6402 from
> May 15 13:54:56 localhost MailScanner[30916]: Virus Scanning completed at 479 bytes per second
> May 15 13:54:56 localhost MailScanner[30916]: Saved entire message to /var/spool/MailScanner/quarantine/20070515/096EAC42EE.ABDA7
> May 15 13:54:56 localhost MailScanner[30916]: Viruses marked as silent: Denial of Service attack in message!
> May 15 13:54:5
>
>
> The mails are legitimate and it doesn't look like there is anything fishy 
> about them.
>
>
> The server is not experiencing a very heavy load; the problem comes up a 
> few minutes after the server is started.
> I've got a second machine running an older version of MailScanner 
> (4.55.10-3), which is also experiencing clamav timeouts, but not marking 
> those mails as viruses.
> Is there any option I can set to still deliver these mails?
>
> OS: Debian Sarge
> MailScanner version is 4.57.6-1
> ClamAV version is: 0.90.2-1+b1
>
> Regards
>
> Norbert
> --
>
> Norbert Schmidt | IT / Systems
> Interactive Data Managed Solutions AG
> ----------------------------------------------------------------------
>
>   

Jules

-- 
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules at Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
For all your IT requirements visit www.transtec.co.uk

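Added example (not part of the original post, and not MailScanner's own code): a Python check that measures how long the scanner was allowed to run before each "timed out!" entry in the quoted log and compares it with the 300-second default the reply mentions. The function names are hypothetical, and treating each timeout as the start of the next scanner run is an assumption.

```python
import re
from datetime import datetime

DEFAULT_TIMEOUT = 300  # seconds, the default cited in the reply

# Log lines from the quoted report, rejoined where the mail client wrapped them.
SAMPLE_LOG = """\
May 15 13:52:52 localhost MailScanner[30916]: Virus and Content Scanning: Starting
May 15 13:53:23 localhost MailScanner[30916]: Commercial scanner clamav timed out!
May 15 13:53:23 localhost MailScanner[30916]: clamav: Failed to complete, timed out
May 15 13:53:23 localhost MailScanner[30916]: Virus Scanning: Denial Of Service attack detected!
May 15 13:53:54 localhost MailScanner[30916]: Commercial scanner clamav timed out!
""".splitlines()

LINE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ MailScanner\[(\d+)\]: (.*)$")
START = "Virus and Content Scanning: Starting"
TIMED_OUT = re.compile(r"^Commercial scanner (\S+) timed out!$")


def observed_timeouts(lines, year=2007):
    """Return (pid, scanner, seconds) for each scanner timeout.

    seconds is measured from the previous scan start or timeout logged by the
    same MailScanner child, i.e. how long that scanner run was allowed to last.
    """
    last_mark = {}  # pid -> time the current scanner run began
    results = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        stamp, pid, msg = m.groups()
        # syslog omits the year; supply one so the timestamp parses cleanly
        when = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        hit = TIMED_OUT.match(msg)
        if msg == START:
            last_mark[pid] = when
        elif hit and pid in last_mark:
            secs = int((when - last_mark[pid]).total_seconds())
            results.append((pid, hit.group(1), secs))
            last_mark[pid] = when  # assumption: the next run starts right away
    return results


def shorter_than_default(lines, default=DEFAULT_TIMEOUT):
    """True if any scanner run was cut off before the default timeout."""
    return any(secs < default for _, _, secs in observed_timeouts(lines))


if __name__ == "__main__":
    for pid, scanner, secs in observed_timeouts(SAMPLE_LOG):
        print(f"pid {pid}: {scanner} stopped after ~{secs}s (default {DEFAULT_TIMEOUT}s)")
```

On the quoted log both runs are cut off after about 31 seconds, which is what points to a changed "Virus Scanner Timeout".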