Limiting scans by uncompressed file size

aCaB
2002-05-16
2002-05-31
  • aCaB
    2002-05-16

    I've got an SMTP (exim) server featuring mail scanning through AmaVis+ScannerDaemon.
    Because of possible DoS attacks I would like AmaVis to give up scanning of compressed files exceeding a certain size.
    For my tests I rarred a 2gb file containing just a long array of "A".
    The resulting .rar file is approx 335kb.
    The decompression/scanning process of this rar takes about 15-20 mins (on my athlon 1.2GB linux server) and fills up 2gb hdd space.
    It would be easy for a possible attacker to send enough compressed files to fill up resources/disk space to trash a server even from a relatively slow connection.

    Do you have some hints on how to implement a workaround?
    Thanks,
    aCaB 

     
    • Lars Hecking
      2002-05-17

      Have you actually checked how amavisd 20020300,
      amavis-0.3.12pre7, and amavis-ng handle such files?

       
    • aCaB
      2002-05-20

      Yes, but I'm not sure what you mean...
      I've only found these configure options:
      --with-maxlevel=VALUE
      --with-maxdepth=VALUE
      --with-maxfiles=VALUE
      And none of them seems to fit my needs.
      Thanks

       
    • Lars Hecking
      2002-05-31

      (This f***ing forum doesn't let me post under the same subject!)

      You're right - this is exactly the situation not covered.

      The contrib area of our web site has a limit-resources patch
      for an older amavisd snapshot that you might be able to utilise.
      You could also try amavis-ng.
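
Added example, not part of the thread and not AMaViS code: one way a mail scanner can cap the uncompressed size of an archive before and during unpacking. It uses ZIP from the Python standard library in place of RAR, and `max_total`, `unpack_limited` and `make_sample` are hypothetical names.

```python
import io
import zipfile


class SizeLimitExceeded(Exception):
    """Raised when an archive would expand past the configured budget."""


def unpack_limited(archive_bytes, max_total, chunk=64 * 1024):
    """Return [(name, data)] or raise once output would exceed max_total.

    max_total is a hypothetical setting, not an existing AMaViS option.
    """
    out = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        members = zf.infolist()
        # Cheap pre-check on the sizes declared in the archive headers.
        declared = sum(m.file_size for m in members)
        if declared > max_total:
            raise SizeLimitExceeded(f"declared {declared} > {max_total}")
        # Declared sizes come from the sender, so also count the bytes
        # actually produced and stop as soon as the budget is spent.
        produced = 0
        for m in members:
            buf = io.BytesIO()
            with zf.open(m) as src:
                while True:
                    block = src.read(chunk)
                    if not block:
                        break
                    produced += len(block)
                    if produced > max_total:
                        raise SizeLimitExceeded(f"produced > {max_total}")
                    buf.write(block)
            out.append((m.filename, buf.getvalue()))
    return out


def make_sample(n_bytes):
    """Constructed test input: one member holding n_bytes of 'A'."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("a.txt", b"A" * n_bytes)
    return buf.getvalue()
```

The budget is shared across all members, so many medium-sized files are stopped the same way as one huge file.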