[Avcheck] Re: [AMaViS-user] Mailbombs and the like: what can we do?

ricspam@mpc.com.br <ricspam@mpc.com.br>
Tue, 21 Aug 2001 08:43:44 -0300 (ADT)


On Mon, 20 Aug 2001 12:03:12 -0700, Lars Hecking
<lhecking@users.sourceforge.net> wrote:

> I have added something like this into amavis-cvs on July 16. The code
> checks whether the ratio of [files at current decompression level] and
> [files at previous decompression level] exceeds a given threshold (magic
> number alert) twice.
  [...]
> Ricardo Ferreira has contributed a patch which uses a different method
> (actually checks disk space and sets resource limits), 
  [...]
> My code is tested against 42.zip (as one, special case), and I imagine
> Ricardo's is, too.

Yes, among others (some "not-mailbombs"). :-)

I have made that patch because:

1: We already got a message (which might not trigger the
"ratio-threshold-magic" protection) that filled up all our HD space.

2: We have one customer that sometimes sends his entire database through
e-mail. It is a "legal" e-mail, with a zip that expands from 2Mb to
680Mb! We already asked him to encrypt this kind of message, but other
people might send highly compressed files just like that...

>> Well, ok, let's assume that we detected a situation
>> where some message will be over limit.  So a question:
>> what next?
  [...]
> The code in the current amavisd snapshot simply issues EX_TEMPFAIL
> and logs "Possible DoS detected - requeue". This method relies on
> admins to monitor their logs.
>
> Ricardo's code, I think, quarantines the offending mail message and
> notifies the admin.

Yes, it will notify the admin. Any one of the admins will see the
problem way before we would if we had to look at the logs.

But to quarantine it or not, it depends on the situation...

If the disk space is low, it is not a problem with the e-mail, but
perhaps a transient problem. In this case, it's requeued (and the admin is
notified of the situation, of course).

If the expanded message size triggers the size limit, then it might be
a mail bomb, so why requeue? It will eat your CPU and disk space again
and again, just to trigger the same protection scheme... so it's better
to quarantine and check it.

[]'s!
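The two checks the thread compares (the per-level file-count ratio and the expanded-size/disk-space check) and the tempfail-versus-quarantine decision, as an added Python example that is not amavis code or either patch; the thresholds, function names and sample archives are constructed for the illustration.

```python
import io
import zipfile

# Policy knobs: constructed values for this example, not amavis's own settings.
MAX_EXPANDED_BYTES = 50 * 1024 * 1024  # expanded-size limit (the disk-space style check)
FANOUT_THRESHOLD = 3                   # files(level)/files(level-1) above this is a hit
HITS_TO_TRIP = 2                       # trip after this many levels exceed the ratio
MAX_DEPTH = 6                          # never descend nested archives deeper than this

def walk(data, depth, per_level, totals):
    """Read one archive's central directory, recurse into nested zips, never write to disk."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
        per_level[depth] = per_level.get(depth, 0) + len(infos)
        totals[0] += sum(i.file_size for i in infos)  # declared sizes are untrusted, hence the cap
        if depth < MAX_DEPTH:
            for i in infos:
                if i.filename.lower().endswith(".zip") and totals[0] <= MAX_EXPANDED_BYTES:
                    walk(zf.read(i), depth + 1, per_level, totals)

def inspect_zip(data):
    """Return (total declared uncompressed bytes, number of levels whose fan-out exceeds the ratio)."""
    per_level, totals = {0: 1}, [0]    # level 0 is the attachment itself
    walk(data, 1, per_level, totals)
    hits = sum(1 for d in range(1, max(per_level) + 1)
               if per_level[d] / per_level[d - 1] > FANOUT_THRESHOLD)
    return totals[0], hits

def decide(total, hits, free_bytes):
    """Map the inspection result onto the actions discussed in the thread."""
    if total > MAX_EXPANDED_BYTES or hits >= HITS_TO_TRIP:
        return "QUARANTINE"  # mail-bomb signature: requeueing would only repeat the same work
    if free_bytes < total:
        return "TEMPFAIL"    # disk is tight but the mail may be fine: requeue and notify the admin
    return "ACCEPT"

def make_zip(members):
    """Build an in-memory zip from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, blob in members.items():
            zf.writestr(name, blob)
    return buf.getvalue()

# Constructed samples: a 3-level nested archive with fan-out 4 (a tiny 42.zip-style layout),
# and a benign single-member attachment; run decide(*inspect_zip(x), free_bytes) on each.
inner = make_zip({f"f{i}.txt": b"\0" * 65536 for i in range(4)})
mid = make_zip({f"m{i}.zip": inner for i in range(4)})
BOMB = make_zip({f"o{i}.zip": mid for i in range(4)})
BENIGN = make_zip({"report.txt": b"quarterly numbers\n" * 1000})
```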