I've got a smtp (exim) server featuring mail scanning through AmaVis+ScannerDaemon.
Because of possible dos attacks I would like AmaVis to give up scanning of compressed files exceding a certain size.
For my tests I rarred a 2gb file containing just a long array of "A".
The resulting .rar file is approx 335kb.
The decompression/scanning process of this rar takes about 15-20 mins (on my athlon 1.2GB linux server) and fills up 2gb hdd space.
It would be easy for a possible attacker to send enough compressed files to fill up resources/disk space to trash a server even from a relatively slow connection.
Do you have some hints on how to implement a workaround?
Have you actually checked how amavisd 20020300,
amavis-0.3.12pre7, and amavis-ng handle such files?
Yes, but I'm not sure what you mean...
I've only found these configure options:
And none of them seems to fit my needs.
(This f***ing forum doesn't let me post under the same subject!)
You're right - this is exactly the situation not covered.
The contrib area of our web site has a limit-resources patch
for an older amavisd snapshot that you might be able to utilise.
You could also try amavis-ng.