Report: Denial of Service attack in message!

Julian Field MailScanner at ecs.soton.ac.uk
Wed May 16 16:28:42 IST 2007


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



Norbert Schmidt wrote:
> * PGP Signed by an unverified key: 05/16/07 at 09:50:51
>
> Hi Jules,
>
> the value for "Virus Scanner Timeout" was still on the old standard (I 
> believe) 30 seconds. I haven't changed that, but I've changed the version 
> of clamav due to regular updates. This must have led to the problem. I've 
> now raised the timeout to 300 seconds and all is quiet now. 
>   
I didn't think it had ever been much less than 5 minutes. Are you sure 
you didn't just accidentally delete a 0 by mistake one day? :-)
> I think there is a big problem with the classification as "Denial of 
> service attack" when the virus scanner times out, because all messages in 
> that batch are marked as "containing a virus" and thus are thrown away. 
>   
Not true.

When it times out scanning a batch, it then carefully goes through the 
batch again, scanning each message in turn to locate the exact message 
which caused the timeout. Only that message is marked as containing a 
denial-of-service attack. It has always worked that way.

> This can lead to loss of a lot of legitimate mail that happened to be in 
> the same batch with a mail containing a "Denial of service attack". I 
> guess an option to control this behaviour would be useful. 
>
> I do not have the Mail::ClamAV module installed but will do so now. 
>
> This leads me to a question... Is it better to upgrade MailScanner or is 
> it better to install the new version each time?
> We've been using MailScanner for the last 3 years now. I didn't go through 
> every version, but always skipped a few, as it is always quite some hassle 
> to go through all options and set them up appropriately. Is there a way to 
> set the seldom-changed options like company name, webpage etc., so that 
> after an update these things stay the same?
>   
Oh dear, have you never read about the script
    upgrade_MailScanner_conf
?
This does all the hard work for you and reduces an upgrade to a 5- or 
10-minute job.
Just run it without any command-line parameters and it will tell you in 
detail how to use it, complete with sample commands you can just 
cut-and-paste.
> Thanks for your help
>
> Norbert 
>
> ----- Message from Julian Field <MailScanner at ecs.soton.ac.uk> on Tue, 15 
> May 2007 15:12:02 +0100 -----
> To:
> MailScanner discussion <mailscanner at lists.mailscanner.info>
> Subject:
> Re: Report: Denial of Service attack in message!
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> This could happen if for some reason clamscan is asking for user input. 
> This should not happen in normal situations, obviously.
>
> Have you changed the "Virus Scanner Timeout" setting from the default 
> (300 seconds == 5 minutes)?
> Run the command
>     MailScanner --changed | grep 'timeout'
> and tell me what it says.
> It should be left at the default value of 300 seconds. The new 0.90 
> clamscan is very slow to start up and could easily take 30 seconds to 
> scan a large batch of messages. From your log entries below, I think you 
> have changed the timeout :-(
>
> Do you have the clamavmodule Mail::ClamAV perl module installed? 
> "MailScanner -version" will tell you. And "MailScanner -lint" will tell 
> you if it thinks you have the support for the clamavmodule scanner all 
> installed. If you do have it all installed okay (and you need 
> Mail::ClamAV version 0.20 for ClamAV 0.90 !) then try using the 
> "clamavmodule" instead of the "clamav" virus scanner.
>
> Then see if this helps solve the problem.
>
> Jules.
>
> Norbert Schmidt wrote:
>   
>> Hi,
>>
>> I am seeing quite a few "Report: Denial of Service attack in message!" in 
>> the logfiles.
>>
>> The mails are quarantined since I selected to quarantine silent viruses.
>>
>>
>> May 15 13:52:52 localhost MailScanner[30916]: Virus and Content Scanning: Starting
>> May 15 13:53:23 localhost MailScanner[30916]: Commercial scanner clamav 
>> timed out!
>> May 15 13:53:23 localhost MailScanner[30916]: clamav: Failed to complete, timed out
>> May 15 13:53:23 localhost MailScanner[30916]: Virus Scanning: Denial Of 
>> Service attack detected!
>> May 15 13:53:54 localhost MailScanner[30916]: Commercial scanner clamav 
>> timed out!
>> May 15 13:53:54 localhost MailScanner[30916]: clamav: Failed to complete, timed out
>> May 15 13:53:54 localhost MailScanner[30916]: Virus Scanning: Denial Of 
>> Service attack is in message 096EAC42EE.ABDA7
>> May 15 13:54:56 localhost MailScanner[30916]: Infected message 
>> 096EAC42EE.ABDA7 came from xxx.11.206.74
>> May 15 13:54:56 localhost MailScanner[30916]: HTML Img tag found in 
>> message B34D6C441C.201C8 from cakrystyemi at iriomote.com
>> May 15 13:54:56 localhost MailScanner[30916]: <A> tag found in message 
>> 69E50C42EF.E6402 from
>> May 15 13:54:56 localhost MailScanner[30916]: Virus Scanning completed at 479 bytes per second
>> May 15 13:54:56 localhost MailScanner[30916]: Saved entire message to 
>> /var/spool/MailScanner/quarantine/20070515/096EAC42EE.ABDA7
>> May 15 13:54:56 localhost MailScanner[30916]: Viruses marked as silent: 
>> Denial of Service attack in message!
>> May 15 13:54:5
>>
>>
>> The mails are legitimate and it doesn't look like there is anything fishy 
>> about them.
>>
>>
>> The server is not experiencing a very heavy load; the problem comes up a 
>> few minutes after the server is started.
>> I've got a second machine running an older version of Mailscanner 
>> (4.55.10-3), which is also experiencing clamav time outs, but not marking 
>> those mails as Viruses.
>> Is there any option I can set to still deliver these mails?
>>
>> OS: Debian Sarge
>> Mailscanner Version is 4.57.6-1
>> Clamav Version is: 0.90.2-1+b1
>>
>> Regards
>>
>> Norbert
>>     
>
>
> * Norbert Schmidt <norbert.schmidt at interactivedata.com>
> * Issuer: IS.Teledata AG - Unverified
>   

Jules

- -- 
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules at Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
For all your IT requirements visit www.transtec.co.uk



-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.6.1 (Build 1012)
Charset: ISO-8859-1

wj8DBQFGSyPYEfZZRxQVtlQRAuFZAKCrNhkByT2P0zFLPQFxooqYrjcfUgCdFOH5
8jB9PXuEBu+LVmTcv1MekUo=
=JxFr
-----END PGP SIGNATURE-----
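The rescan behaviour Jules describes ("only that message is marked as containing a denial-of-service attack"), as an added Python model that is not MailScanner's code: a stand-in scanner with a fixed per-invocation start-up cost, constructed sample messages, and a `scan_batch` function that flags only what times out when scanned alone. The 15 s start-up, the per-message costs and the function names are assumptions chosen to make the 30 s versus 300 s difference visible.

```python
"""Model of the timeout handling described in the reply above.

Added illustration, not MailScanner's code.  It assumes only what the reply
states: a batch that exceeds "Virus Scanner Timeout" is rescanned one message
at a time, and only a message that times out on its own is reported as a
denial-of-service attack.  The stand-in scanner, its start-up cost and the
sample messages are constructed for this example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Message:
    id: str
    scan_seconds: float  # time the scanner needs for this message's content


@dataclass(frozen=True)
class Scanner:
    startup_seconds: float  # paid once per invocation; large for clamscan 0.90

    def duration(self, batch):
        """Wall time one invocation over `batch` would take, if not killed."""
        return self.startup_seconds + sum(m.scan_seconds for m in batch)


def scan_batch(batch, scanner, timeout):
    """Return (flagged_ids, invocations, wall_seconds) for one batch.

    flagged_ids are the messages that would be reported as
    'Denial of Service attack in message'; everything else is delivered.
    """
    first = scanner.duration(batch)
    if first <= timeout:
        return [], 1, first
    # The batch scan was killed after `timeout` seconds.  Rescan each
    # message on its own so that only the real offender is flagged.
    flagged, invocations, wall = [], 1, timeout
    for m in batch:
        d = scanner.duration([m])
        invocations += 1
        if d > timeout:
            flagged.append(m.id)
            wall += timeout
        else:
            wall += d
    return flagged, invocations, wall


# Constructed samples: a batch with one slow message (a deeply nested
# archive, say) and a batch of ten ordinary messages.
BATCH_ONE_SLOW = [Message("A", 2), Message("B", 3), Message("C", 40), Message("D", 1)]
BATCH_CLEAN = [Message(f"M{i}", 2) for i in range(10)]
CLAMSCAN_090 = Scanner(startup_seconds=15)  # slow start-up, as in the reply


def demo():
    """The two batches under a 30 s timeout and under the default 300 s."""
    return {
        "one_slow_30": scan_batch(BATCH_ONE_SLOW, CLAMSCAN_090, 30),
        "one_slow_300": scan_batch(BATCH_ONE_SLOW, CLAMSCAN_090, 300),
        "clean_30": scan_batch(BATCH_CLEAN, CLAMSCAN_090, 30),
        "clean_300": scan_batch(BATCH_CLEAN, CLAMSCAN_090, 300),
    }


if __name__ == "__main__":
    for name, (flagged, runs, secs) in demo().items():
        print(f"{name:13s} flagged={flagged} scanner runs={runs} wall={secs}s")
```

Under the 30 s timeout the clean batch is still delivered intact, but it costs eleven scanner start-ups instead of one, and message C is quarantined although it is merely slow; at 300 s both batches pass in a single run. That is why the fix in this thread is the timeout value, not the batch handling.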

-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
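A check a practitioner could run on the quoted log, as an added Python example (not MailScanner code or a tool from the thread): the "timed out" lines fall 31 seconds after the scan start and 31 seconds after each other, which is how a roughly 30-second Virus Scanner Timeout can be read off the log even without the `MailScanner --changed` output Jules asks for. The log text is Norbert's from the post (truncated last line omitted); the parser, the `parse`/`analyse` functions and the 5-second rounding are assumptions of the example.

```python
"""Read the configured 'Virus Scanner Timeout' off MailScanner's syslog.

Added example, not code from MailScanner or from either poster.  The log
lines are the ones quoted in the thread (the truncated final line left out);
the parsing and the inference are this example's own.  Assumes stock syslog
timestamps and the message texts exactly as they appear in the post.
"""
import re
from datetime import datetime

LOG = """\
May 15 13:52:52 localhost MailScanner[30916]: Virus and Content Scanning: Starting
May 15 13:53:23 localhost MailScanner[30916]: Commercial scanner clamav timed out!
May 15 13:53:23 localhost MailScanner[30916]: clamav: Failed to complete, timed out
May 15 13:53:23 localhost MailScanner[30916]: Virus Scanning: Denial Of Service attack detected!
May 15 13:53:54 localhost MailScanner[30916]: Commercial scanner clamav timed out!
May 15 13:53:54 localhost MailScanner[30916]: clamav: Failed to complete, timed out
May 15 13:53:54 localhost MailScanner[30916]: Virus Scanning: Denial Of Service attack is in message 096EAC42EE.ABDA7
May 15 13:54:56 localhost MailScanner[30916]: Infected message 096EAC42EE.ABDA7 came from xxx.11.206.74
May 15 13:54:56 localhost MailScanner[30916]: HTML Img tag found in message B34D6C441C.201C8 from cakrystyemi at iriomote.com
May 15 13:54:56 localhost MailScanner[30916]: Virus Scanning completed at 479 bytes per second
May 15 13:54:56 localhost MailScanner[30916]: Saved entire message to /var/spool/MailScanner/quarantine/20070515/096EAC42EE.ABDA7
May 15 13:54:56 localhost MailScanner[30916]: Viruses marked as silent: Denial of Service attack in message!
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ "
    r"MailScanner\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)


def parse(log, year=2007):
    """Return (timestamp, pid, message) for every MailScanner line."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, int(m["pid"]), m["msg"]))
    return events


def timeout_intervals(events):
    """Seconds from the start of each scanner invocation to its 'timed out'.

    The first invocation starts at 'Virus and Content Scanning: Starting'.
    After a batch times out the messages are rescanned one at a time, so the
    next invocation starts when the previous one is killed.  Every killed
    invocation ran for the full timeout, so each interval is at least the
    configured value and the smallest one bounds it from above.
    """
    started, intervals = {}, []
    for ts, pid, msg in events:
        if msg.startswith("Virus and Content Scanning: Starting"):
            started[pid] = ts
        elif msg.startswith("Commercial scanner ") and msg.endswith(" timed out!"):
            if pid in started:
                intervals.append(int((ts - started[pid]).total_seconds()))
            started[pid] = ts
    return intervals


def timeout_upper_bound(intervals, granularity=5):
    """Smallest interval, rounded down to `granularity` seconds to absorb the
    second or two of overhead between kill and restart (an assumption)."""
    return min(i - i % granularity for i in intervals)


def dos_message_ids(events):
    """Queue IDs singled out after the per-message rescan."""
    ids = []
    for _, _, msg in events:
        m = re.search(r"Denial Of Service attack is in message (\S+)", msg)
        if m:
            ids.append(m.group(1))
    return ids


def analyse(log, default_timeout=300):
    events = parse(log)
    intervals = timeout_intervals(events)
    bound = timeout_upper_bound(intervals)
    return {
        "intervals": intervals,
        "timeout_upper_bound": bound,
        "changed_from_default": bound < default_timeout,
        "dos_messages": dos_message_ids(events),
    }


if __name__ == "__main__":
    print(analyse(LOG))
```

On the quoted log this reports intervals of 31 and 31 seconds, an upper bound of 30 seconds on the timeout (so the 300-second default was not in effect), and 096EAC42EE.ABDA7 as the one message singled out by the rescan. Feed it a longer log excerpt and the gaps between "Starting" and "timed out" for one MailScanner child process answer the same question Jules asks with `MailScanner --changed | grep 'timeout'`, only from the server's own evidence.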


