clamd DoS?
Kevin Miller
Kevin_Miller at ci.juneau.ak.us
Mon Sep 15 21:22:17 IST 2008
Julian Field wrote:
> In /usr/sbin/MailScanner there are a couple of calls to "Explode".
> Immediately after them, add a line saying
> exit;
> and it will stop straight after the attachment unpacking.
> Then you can go into /var/spool/MailScanner/incoming, find the
> relevant directory and see what attachments it pulled out.
> Then try clamscan-ing them by hand. If the attachments look okay in
> that directory, then it's a clamd issue I think. I would be
> interested to see what clamscan makes of them when run by hand.
I was seeing a number of spam messages coming in w/ the subject "Credit
card transaction report". Every now and then one would get tagged as a
virus, but most weren't. However, I went into MailWatch, selected one
that wasn't marked as viral and saved the attached Report.zip to my
Linux workstation. Ark extracted the file report.doc.exe. I kicked off
top in a term window, opened another terminal and ran 'clamscan
report.doc.exe'. W/in a couple seconds CPU utilization was pegged.
I'm running plain old clamav, not clamscan or clamd.
Not much to go on, but maybe this will help a bit...
...Kevin
--
Kevin Miller Registered Linux User No: 307357
CBJ MIS Dept. Network Systems Admin., Mail Admin.
155 South Seward Street ph: (907) 586-0242
Juneau, Alaska 99801 fax: (907) 586-4500
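
The by-hand triage discussed in this thread (scan each unpacked attachment on its own and watch for a pegged CPU) can be scripted. The following is an added example, not part of either poster's message or of MailScanner; `triage_dir` and its arguments are hypothetical names, and it assumes a POSIX shell with `ulimit -t` and ClamAV's `clamscan` on the PATH.

```shell
#!/bin/sh
# Added example: scan each unpacked attachment separately under a CPU-time cap,
# so a file that sends the scanner into a spin is named instead of hanging the run.
# triage_dir and its arguments are names made up for this example.
#
# usage: triage_dir DIR CPU_SECONDS [SCANNER [ARGS...]]
# Default scanner: clamscan --no-summary
#   (clamscan exit codes: 0 = no virus found, 1 = virus found, 2 = error)
triage_dir() (
    dir=$1; cpu_secs=$2; shift 2
    [ $# -gt 0 ] || set -- clamscan --no-summary

    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        # The inner subshell keeps the limit local to this one scan.
        # RLIMIT_CPU counts CPU seconds, not wall-clock time, which is the
        # right measure for a scanner that pegs a core on one input.
        rc=0
        ( ulimit -t "$cpu_secs"; exec "$@" "$f" ) >/dev/null 2>&1 || rc=$?
        if   [ "$rc" -eq 0 ];   then verdict=CLEAN
        elif [ "$rc" -eq 1 ];   then verdict=INFECTED
        elif [ "$rc" -gt 128 ]; then verdict=KILLED    # died on a signal, e.g. the CPU limit
        else                         verdict=ERROR
        fi
        printf '%s\t%s\n' "$verdict" "${f##*/}"
    done
)

# Example call (the directory name below is a placeholder for the relevant
# message directory under the incoming spool mentioned in the thread):
#   triage_dir /var/spool/MailScanner/incoming/<message-dir> 30
```

A `KILLED` line identifies the attachment to set aside and report; raise the CPU cap for large archives that legitimately take longer to scan.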