clamd DoS?

Julian Field MailScanner at ecs.soton.ac.uk
Mon Sep 15 21:47:00 IST 2008



Kevin Miller wrote:
> Julian Field wrote:
>
>> In /usr/sbin/MailScanner there are a couple of calls to "Explode".
>> Immediately after them, add a line saying
>>     exit;
>> and it will stop straight after the attachment unpacking.
>> Then you can go into /var/spool/MailScanner/incoming, find the
>> relevant directory and see what attachments it pulled out.
>> Then try clamscan-ing them by hand. If the attachments look okay in
>> that directory, then it's a clamd issue I think. I would be
>> interested to see what clamscan makes of them when run by hand.
>
> I was seeing a number of spam messages coming in w/the subject "Credit
> card transaction report".  Every now and then one would get tagged as a
> virus, but most weren't.  However, I went into MailWatch, selected one
> that wasn't marked as viral and saved the attached Report.zip to my
> linux workstation.  Ark extracted the file report.doc.exe.  I kicked off
> top in a term window, opened another terminal and ran 'clamscan
> report.doc.exe'.  W/in a couple seconds CPU utilization was pegged.
>
> I'm running plain old clamav, not clamscan or clamd.
>
> Not much to go on, but maybe this will help a bit...
>
Ooh, can you post this on the web somewhere and tell me the URL so I can 
fetch this file and construct a message round it for testing?

Thanks.

Jules

-- 
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules at Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc
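
The by-hand check described in the thread, as an added example that is not part of the original message or of MailScanner: it scans each unpacked attachment separately under a time limit, so a file that pegs the CPU is reported instead of stalling the whole run. It assumes GNU coreutils `timeout` is installed; the function name `triage_dir` and the `SCANNER` and `LIMIT` variables are hypothetical names chosen for this sketch.

```shell
#!/bin/sh
# Added example: find which unpacked attachment makes the scanner hang.
# Assumptions: GNU coreutils `timeout` is available; SCANNER defaults to
# clamscan; DIR is wherever the attachments were unpacked.

SCANNER="${SCANNER:-clamscan}"   # scanner binary to run on each file
LIMIT="${LIMIT:-30}"             # seconds allowed per file

# triage_dir DIR: scan every regular file under DIR, one at a time.
# Prints one line per file (CLEAN, FOUND, TIMEOUT or ERROR) with its path.
# Returns 0 if no file hit the time limit, 1 if at least one did.
triage_dir() {
    dir=$1
    hung=0
    list=$(mktemp) || return 2
    find "$dir" -type f > "$list"
    while IFS= read -r f; do
        rc=0
        # TERM at the limit, KILL 5 seconds later if the scanner ignores it.
        timeout -k 5 "$LIMIT" "$SCANNER" --no-summary "$f" \
            </dev/null >/dev/null 2>&1 || rc=$?
        case $rc in
            0)       echo "CLEAN   $f" ;;            # clamscan: nothing found
            1)       echo "FOUND   $f" ;;            # clamscan: signature hit
            124|137) echo "TIMEOUT $f"; hung=1 ;;    # stopped by timeout
            *)       echo "ERROR($rc) $f" ;;         # scanner error
        esac
    done < "$list"
    rm -f "$list"
    [ "$hung" -eq 0 ]
}

# Run only when a directory is given on the command line.
if [ "$#" -ge 1 ]; then
    triage_dir "$1"
fi
```

A TIMEOUT line points at the file to hand to the scanner's maintainers; run it on a copy of the unpacked directory rather than on a live spool.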

