#4395 local DoS with clamscan and spamassassin


In the default installation of Virtualmin, daemonized ClamAV and SpamAssassin are not used. It's dangerous: a local user can cause a local DoS by sending only one email but with a few or many (depending on the size of RAM) local recipients in the cc or bcc headers.

The clamscan and spamassassin commands are slower than the client commands for the server and need much more memory. The behavior of this local DoS is OUT OF MEMORY in a few seconds (many clamscan and spamassassin running concurrently).

I have read bug 1632, but I think the default settings would be better without the possibility of DoS. Please change the default settings to use clamdscan and spamc.
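
An added example, not part of the ticket or of Virtualmin's code: a check an admin could run over a `ps -eo pid,rss,comm` snapshot to see whether standalone clamscan and spamassassin processes are piling up the way the report describes. The sample data, the function names and the 25% threshold are assumptions made for illustration.

```python
# Added example (not from the ticket): measure how much RAM the standalone,
# per-message scanners hold, using a `ps` snapshot and /proc/meminfo.
# Assumes the process name shown by ps equals the command name.
SCANNERS = {"clamscan", "spamassassin"}  # commands named in the ticket
# clamd/clamdscan and spamd/spamc are deliberately not counted.

# Constructed sample of `ps -eo pid,rss,comm` (RSS in KiB); values are made up.
SAMPLE_PS = """\
  PID    RSS COMMAND
  812  95000 clamd
 2101 310000 clamscan
 2102  60000 spamassassin
 2103 305000 clamscan
 2104  58000 spamassassin
 2105 298000 clamscan
 2110   1200 clamdscan
 2111    900 spamc
"""

# Constructed /proc/meminfo excerpt for a 2 GiB host.
SAMPLE_MEMINFO = "MemTotal:        2097152 kB\n"


def scanner_usage(ps_text):
    """Return {command: (process_count, total_rss_kib)} for standalone scanners."""
    usage = {}
    for line in ps_text.splitlines()[1:]:        # skip the header row
        fields = line.split(None, 2)
        if len(fields) != 3 or not fields[1].isdigit():
            continue                             # ignore malformed rows
        comm = fields[2].strip()
        if comm in SCANNERS:                     # exact match, so clamdscan is skipped
            count, rss = usage.get(comm, (0, 0))
            usage[comm] = (count + 1, rss + int(fields[1]))
    return usage


def mem_total_kib(meminfo_text):
    """Read MemTotal (KiB) from /proc/meminfo text."""
    for line in meminfo_text.splitlines():
        if line.startswith("MemTotal:"):
            return int(line.split()[1])
    raise ValueError("MemTotal not found")


def memory_pressure(ps_text, meminfo_text, max_fraction=0.25):
    """True when standalone scanners hold more than max_fraction of RAM.
    RSS sums count shared pages more than once, so treat this as an upper bound."""
    rss = sum(total for _, total in scanner_usage(ps_text).values())
    return rss > max_fraction * mem_total_kib(meminfo_text)
```

On a live host, pass the real `ps -eo pid,rss,comm` output and the contents of `/proc/meminfo` in place of the constructed samples.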


  • Jamie Cameron

    Jamie Cameron - 2014-03-22

    The post-install wizard in Cloudmin already offers the admin the option to run a daemonized clamd / spamd, if they wish. And this is enabled by default in the wizard if the system has enough RAM.

  • Martin Korous

    Martin Korous - 2014-04-03

    Post-Installation Wizard
    To continue, click the Next button below. To skip it and use the default settings, click Cancel.
    The default settings are:

    root@vmintest:/etc/webmin/virtual-server# egrep "clamscan|spamassassin" config

    In the post-install wizard:
    Run ClamAV server scanner?
    Yes (more RAM used, faster mail processing - approximately 100M)
    No (less RAM used, slower mail processing)

    Less RAM is used only if no email is currently being processed. But if clamscan is processing more emails at one time (it's possible with bigger mail traffic or cc or bcc headers), much more RAM is used.

    You can close this ticket, I don't have more information.

  • Jamie Cameron

    Jamie Cameron - 2014-04-04

    My mistake, the wizard will default to not running clamd regardless of the memory you have available. You have to enable it manually.

