clamd DoS?

Martin.Hepworth martinh at solidstatelogic.com
Tue Sep 16 13:22:41 IST 2008


Yeah - another virus scanner in the list - Sophos is blocking these nicely in concert with MS.

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

> -----Original Message-----
> From: mailscanner-bounces at lists.mailscanner.info
> [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Alex Broens
> Sent: 16 September 2008 12:42
> To: MailScanner discussion
> Subject: Re: clamd DoS?
>
> On 9/16/2008 12:59 PM, Raymond Dijkxhoorn wrote:
> > Hi!
> >
> >>> I was seeing a number of spam messages coming in w/the subject
> >>> "Credit card transaction report".  Every now and then one would get
> >>> tagged as a virus, but most weren't.  However, I went into
> >>> MailWatch, selected one that wasn't marked as viral and saved the
> >>> attached Report.zip to my linux workstation.  Ark extracted the file
> >>> report.doc.exe.  I kicked off top in a term window, opened another
> >>> terminal and ran 'clamscan report.doc.exe'.  W/in a couple seconds
> >>> CPU utilization was pegged.
> >>>
> >>> I'm running plain old clamav, not clamscan or clamd.
> >>>
> >>> Not much to go on, but maybe this will help a bit...
> >
> >> Ooh, can you post this on the web somewhere and tell me the URL so I
> >> can fetch this file and construct a message round it for testing?
> >
> > The guys @ ClamAV are also looking into this (Thanks Luca!)
>
> Luca rocks! (tell him this :-)
>
> Today I saw more floods of randomly detected/bypassed MS and AV scanners
> cases.
>
> good thing there are other ways to catch & block or kill them :-)
>
> Alex



