Work at SourceForge, help us to make it a better place! We have an immediate need for a Support Technician in our San Francisco or Denver office.

Close

#4395 local DoS with clamscan and spamassassin

All
open
nobody
5
2014-04-04
2014-03-21
Martin Korous
No

In default instalation of virtualmin is not used deamonized clamav and spamassassin. Its dangerous, local user can do local DoS with sending only one email but with few or many (depended on size of RAM) local recipients in cc or bcc headers.

Commands clamscan and spamassasin are slower than client`s commands for server and need much more memory. Behavior of this local DoS is OUT OF MEMORY in few seconds (concurrent running of many clamscan and spamassassin).

I have read bug 1632, but i think that default settings will be better without possibility of DoS. Please change default settings to use clamdscan and spamc.

Discussion

  • Jamie Cameron
    Jamie Cameron
    2014-03-22

    The post-install wizard in Cloudmin already offers the admin the option to run a daemonized clamd / spamd, if they wish. And this is enabled by default in the wizard if the system has enough RAM.

     
  • Martin Korous
    Martin Korous
    2014-04-03

    Post-Installation Wizard
    ...
    To continue, click the Next button below. To skip it and use the default settings, click Cancel.
    Default settings is:

    root@vmintest:/etc/webmin/virtual-server# egrep "clamscan|spamassassin" config
    clamscan_cmd=clamscan
    spam_client=spamassassin

    In post wizard is:
    Run ClamAV server scanner?
    Yes (more RAM used, faster mail processing - approximately 100M)
    No (less RAM used, slower mail processing)

    Less RAM used is only if no email is processing currently. But if clamscan is processing more email in one time (its possible with bigger mail traffic or cc or bcc headers) much more RAM is used.

    You can close this ticket, I dont have more information.

     
  • Jamie Cameron
    Jamie Cameron
    2014-04-04

    My mistake, the wizard will default to not running clamd regardless of the memory you have available. You have to enable it manually.