clamd DoS?

Hugo van der Kooij hvdkooij at
Mon Sep 15 21:41:59 IST 2008


Kevin Miller wrote:
> Julian Field wrote:
>> In /usr/sbin/MailScanner there are a couple of calls to "Explode".
>> Immediately after them, add a line saying
>>     exit;
>> and it will stop straight after the attachment unpacking.
>> Then you can go into /var/spool/MailScanner/incoming, find the
>> relevant directory and see what attachments it pulled out.
>> Then try clamscan-ing them by hand. If the attachments look okay in
>> that directory, then it's a clamd issue I think. I would be
>> interested to see what clamscan makes of them when run by hand.
> I was seeing a number of spam messages coming in w/the subject "Credit
> card transaction report".  Every now and then one would get tagged as a
> virus, but most weren't.  However, I went into MailWatch, selected one
> that wasn't marked as viral and saved the attachment to my
> Linux workstation.  Ark extracted the file report.doc.exe.  I kicked off
> top in a term window, opened another terminal and ran 'clamscan
> report.doc.exe'.  W/in a couple seconds CPU utilization was pegged.

So if you can do this on a plain file with just ClamAV as a factor I
would think you have all the stuff that is needed to report a bug with
the ClamAV team.

If that is the case, would you be kind enough to report the bug to the
ClamAV team?


- --
hvdkooij at     

	A: Yes.
	>Q: Are you sure?
	>>A: Because it reverses the logical flow of conversation.
	>>>Q: Why is top posting frowned upon?
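
The by-hand check described in this thread, as an added example that is not part of the original messages: scan each unpacked attachment separately under a time limit, so a file that pegs the CPU is named rather than stalling the whole run. The SCANNER and SCAN_LIMIT variables, the 60-second default and the result labels are assumptions of this example, and it relies on timeout(1) being installed.

```shell
#!/bin/sh
# Triage the attachments MailScanner unpacked: scan each file on its own,
# under a time limit, so a file that hangs the scanner is identified.
# SCANNER, SCAN_LIMIT and the labels below are assumptions of this example.
SCANNER="${SCANNER:-clamscan --no-summary}"   # override to test without ClamAV
SCAN_LIMIT="${SCAN_LIMIT:-60}"                # seconds allowed per file

# scan_one FILE -> prints "LABEL<TAB>FILE"
scan_one() {
    file=$1
    rc=0
    # clamscan exit codes: 0 = clean, 1 = virus found, 2 = error.
    # timeout(1) exits 124 when the limit is hit (137 if it had to send KILL).
    # $SCANNER is unquoted on purpose so its options split into words.
    timeout -k 5 "$SCAN_LIMIT" $SCANNER "$file" </dev/null >/dev/null 2>&1 || rc=$?
    case $rc in
        0)       label=CLEAN ;;
        1)       label=FLAGGED ;;
        124|137) label=TIMEOUT ;;
        *)       label="ERROR($rc)" ;;
    esac
    printf '%s\t%s\n' "$label" "$file"
}

# triage_dir DIR -> one result line per regular file under DIR
triage_dir() {
    find "$1" -type f | sort | while IFS= read -r f; do
        scan_one "$f"
    done
}

# Run only when a directory is given, e.g. the message's directory under
# /var/spool/MailScanner/incoming
if [ "$#" -gt 0 ]; then
    triage_dir "$1"
fi
```

A file reported as TIMEOUT is the one to attach to a ClamAV bug report, together with the ClamAV version in use.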



