clamd DoS?
Julian Field
MailScanner at ecs.soton.ac.uk
Mon Sep 15 21:47:00 IST 2008
Kevin Miller wrote:
> Julian Field wrote:
>
>
>> In /usr/sbin/MailScanner there are a couple of calls to "Explode".
>> Immediately after them, add a line saying
>> exit;
>> and it will stop straight after the attachment unpacking.
>> Then you can go into /var/spool/MailScanner/incoming, find the
>> relevant directory and see what attachments it pulled out.
>> Then try clamscan-ing them by hand. If the attachments look okay in
>> that directory, then it's a clamd issue I think. I would be
>> interested to see what clamscan makes of them when run by hand.
>>
>
> I was seeing a number of spam messages coming in w/the subject "Credit
> card transaction report". Every now and then one would get tagged as a
> virus, but most weren't. However, I went into MailWatch, selected one
> that wasn't marked as viral and saved the attached Report.zip to my
> linux workstation. Ark extracted the file report.doc.exe. I kicked off
> top in a term window, opened another terminal and ran 'clamscan
> report.doc.exe'. W/in a couple seconds CPU utilization was pegged.
>
> I'm running plain old clamav, not clamscan or clamd.
>
> Not much to go on, but maybe this will help a bit...
>
Ooh, can you post this on the web somewhere and tell me the URL so I can
fetch this file and construct a message round it for testing?
Thanks.
Jules
--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store
MailScanner customisation, or any advanced system administration help?
Contact me at Jules at Jules.FM
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc
--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
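
The by-hand check described in this thread, as an added example that is not part of the original messages: each unpacked file is scanned on its own, at low priority and under a time limit, so the file that pegs the CPU is named in the output instead of hanging the terminal. `SCANNER` and `SCAN_TIMEOUT` are variable names invented for this sketch.

```sh
#!/bin/sh
# Added example, not from the thread. SCANNER and SCAN_TIMEOUT are hypothetical
# names. Usage: sh thisfile DIR, where DIR is e.g. the message directory under
# /var/spool/MailScanner/incoming. Paths containing newlines are not handled.

scan_dir() {
    dir=$1
    limit=${SCAN_TIMEOUT:-60}                   # seconds allowed per file
    scanner=${SCANNER:-clamscan --no-summary}   # left unquoted below so flags split

    find "$dir" -type f | sort | {
        slow=0
        while IFS= read -r f; do
            start=$(date +%s)
            # nice: keep a runaway scan from starving the mail gateway.
            # timeout: send TERM after $limit seconds, KILL 5 seconds later.
            nice -n 19 timeout -k 5 "$limit" $scanner "$f" \
                >/dev/null 2>&1 </dev/null
            rc=$?
            secs=$(( $(date +%s) - start ))
            case $rc in
                0)       status=CLEAN ;;       # clamscan: no virus found
                1)       status=INFECTED ;;    # clamscan: virus found
                124|137) status=TIMEOUT; slow=$((slow + 1)) ;;
                *)       status="ERROR:$rc" ;; # clamscan exits 2 on errors
            esac
            printf '%s\t%ss\t%s\n' "$status" "$secs" "$f"
        done
        [ "$slow" -eq 0 ]   # non-zero exit status if any file hit the limit
    }
}

if [ "$#" -gt 0 ]; then
    scan_dir "$1"
fi
```

A `TIMEOUT` line identifies the file to pass on for testing; `INFECTED` and `CLEAN` lines show which attachments the scanner handled normally.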