Report: Denial of Service attack in message!

Norbert Schmidt norbert.schmidt at interactivedata.com
Wed May 16 09:46:40 IST 2007


Hi Jules,

The value for "Virus Scanner Timeout" was still on the old standard (I
believe) 30 seconds. I haven't changed that, but I've changed the version
of clamav due to regular updates. This must have led to the problem. I've
now raised the timeout to 300 seconds and all is quiet now.

I think there is a big problem with the classification as "Denial of
service attack" when the virus scanner times out, because all messages in
that batch are marked as "containing a virus" and thus are thrown away.
This can lead to loss of a lot of legitimate mail that happened to be in
the same batch with a mail containing a "Denial of service attack". I
guess an option to control this behaviour would be useful.

I do not have the Mail::ClamAV module installed but will do so now. 

This leads me to a question... Is it better to upgrade MailScanner or is
it better to install the new version each time?
We've been using MailScanner for the last 3 years now. I didn't go through
every version, but always skipped a few, as it is always quite some hassle
to go through all options and set them up appropriately. Is there a way to
set the seldom changed options like company name, webpage etc., so that
after an update these things stay the same?

Thanks for your help

Norbert 

----- Message from Julian Field <MailScanner at ecs.soton.ac.uk> on Tue, 15 May 2007 15:12:02 +0100 -----
To: MailScanner discussion <mailscanner at lists.mailscanner.info>
Subject: Re: Report: Denial of Service attack in message!

This could happen if for some reason clamscan is asking for user input. 
This should not happen in normal situations, obviously.

Have you changed the "Virus Scanner Timeout" setting from the default 
(300 seconds == 5 minutes)?
Run the command
    MailScanner --changed | grep 'timeout'
and tell me what it says.
It should be left at the default value of 300 seconds. The new 0.90 
clamscan is very slow to start up and could easily take 30 seconds to 
scan a large batch of messages. From your log entries below, I think you 
have changed the timeout :-(

Do you have the clamavmodule Mail::ClamAV perl module installed? 
"MailScanner -version" will tell you. And "MailScanner -lint" will tell 
you if it thinks you have the support for the clamavmodule scanner all 
installed. If you do have it all installed okay (and you need 
Mail::ClamAV version 0.20 for ClamAV 0.90 !) then try using the 
"clamavmodule" instead of the "clamav" virus scanner.

Then see if this helps solve the problem.

Jules.

Norbert Schmidt wrote:
> Hi,
>
> I am seeing quite a few "Report: Denial of Service attack in message!" in
> the logfiles.
>
> The mails are quarantined since I selected to quarantine silent viruses.
>
>
> May 15 13:52:52 localhost MailScanner[30916]: Virus and Content Scanning: Starting
> May 15 13:53:23 localhost MailScanner[30916]: Commercial scanner clamav timed out!
> May 15 13:53:23 localhost MailScanner[30916]: clamav: Failed to complete, timed out
> May 15 13:53:23 localhost MailScanner[30916]: Virus Scanning: Denial Of Service attack detected!
> May 15 13:53:54 localhost MailScanner[30916]: Commercial scanner clamav timed out!
> May 15 13:53:54 localhost MailScanner[30916]: clamav: Failed to complete, timed out
> May 15 13:53:54 localhost MailScanner[30916]: Virus Scanning: Denial Of Service attack is in message 096EAC42EE.ABDA7
> May 15 13:54:56 localhost MailScanner[30916]: Infected message 096EAC42EE.ABDA7 came from xxx.11.206.74
> May 15 13:54:56 localhost MailScanner[30916]: HTML Img tag found in message B34D6C441C.201C8 from cakrystyemi at iriomote.com
> May 15 13:54:56 localhost MailScanner[30916]: <A> tag found in message 69E50C42EF.E6402 from
> May 15 13:54:56 localhost MailScanner[30916]: Virus Scanning completed at 479 bytes per second
> May 15 13:54:56 localhost MailScanner[30916]: Saved entire message to /var/spool/MailScanner/quarantine/20070515/096EAC42EE.ABDA7
> May 15 13:54:56 localhost MailScanner[30916]: Viruses marked as silent: Denial of Service attack in message!
> May 15 13:54:5
>
>
> The mails are legitimate and it doesn't look like there is anything fishy
> about them.
>
>
> The server is not experiencing a very heavy load; the problem comes up a
> few minutes after the server is started.
> I've got a second machine running an older version of MailScanner
> (4.55.10-3), which is also experiencing clamav time outs, but not marking
> those mails as viruses.
> Is there any option I can set to still deliver these mails?
>
> OS: Debian Sarge
> Mailscanner Version is 4.57.6-1
> Clamav Version is: 0.90.2-1+b1
>
> Regards
>
> Norbert
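
The sequence in the log excerpt quoted in this thread (scanner timeout, then a "Denial Of Service" verdict and quarantine) can be picked out of a MailScanner log automatically so the affected messages can be reviewed. This is an added example, not part of the original e-mails or of MailScanner; the function name `triage` and its output fields are assumptions, and the sample lines are taken from the quoted excerpt, re-joined and shortened.

```python
import re
from collections import defaultdict
from datetime import datetime

# Sample input: lines from the log excerpt quoted in this thread, re-joined.
SAMPLE_LOG = """\
May 15 13:52:52 localhost MailScanner[30916]: Virus and Content Scanning: Starting
May 15 13:53:23 localhost MailScanner[30916]: Commercial scanner clamav timed out!
May 15 13:53:23 localhost MailScanner[30916]: Virus Scanning: Denial Of Service attack detected!
May 15 13:53:54 localhost MailScanner[30916]: Commercial scanner clamav timed out!
May 15 13:53:54 localhost MailScanner[30916]: Virus Scanning: Denial Of Service attack is in message 096EAC42EE.ABDA7
May 15 13:54:56 localhost MailScanner[30916]: Saved entire message to /var/spool/MailScanner/quarantine/20070515/096EAC42EE.ABDA7
"""

LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ MailScanner\[(\d+)\]: (.*)$")
TIMEOUT = re.compile(r"Commercial scanner (\S+) timed out!")
DOS_MSG = re.compile(r"Denial Of Service attack is in message (\S+)")
SAVED = re.compile(r"Saved entire message to (\S+)")

def triage(log_text):
    """Return {message_id: details} for DoS verdicts that follow a scanner timeout."""
    state = defaultdict(lambda: {"start": None, "timeouts": [], "scanner": None})
    findings = {}
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        # Syslog timestamps carry no year; a fixed leap year keeps "Feb 29" parseable.
        ts = datetime.strptime("2000 " + m.group(1), "%Y %b %d %H:%M:%S")
        pid, text = m.group(2), m.group(3)
        st = state[pid]  # each MailScanner child (PID) works on its own batch
        if text.startswith("Virus and Content Scanning: Starting"):
            st.update(start=ts, timeouts=[], scanner=None)
        elif (t := TIMEOUT.search(text)):
            st["timeouts"].append(ts)
            st["scanner"] = t.group(1)
        elif (d := DOS_MSG.search(text)) and st["timeouts"]:
            waited = int((st["timeouts"][0] - st["start"]).total_seconds()) if st["start"] else None
            findings[d.group(1)] = {"pid": pid, "scanner": st["scanner"],
                                    "timeouts": len(st["timeouts"]),
                                    "first_timeout_after_s": waited, "quarantine": None}
        elif (s := SAVED.search(text)):
            msg_id = s.group(1).rsplit("/", 1)[-1]
            if msg_id in findings:
                findings[msg_id]["quarantine"] = s.group(1)
    return findings

if __name__ == "__main__":
    for msg_id, info in triage(SAMPLE_LOG).items():
        print(msg_id, info)
```

The `first_timeout_after_s` field gives a rough reading of the timeout actually in effect, which can be compared with the configured "Virus Scanner Timeout".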
