[Avcheck] DrWeb and 42.zip

Sergey Akhapkin Sergey Akhapkin <asv@drweb.ru>
Wed, 13 Feb 2002 10:48:53 +0300


Hello Martin,

Wednesday, February 13, 2002, 1:21:31 AM, you wrote:

MJ> I've set up a box with avcheck 0.7 and DrWeb. Works fine so far.
MJ> During testing, I sent a mail with 42.zip. DrWeb scans the mail, but then
MJ> terminates with a Timeout Error after the 900 secs I set as per the
MJ> readme.drweb.
MJ> The mail isn't bounced, it is still in the queue with:
MJ> temporary failure. Command output: avcheck: unexpected DrWeb return code
MJ> 16896 (0x4200) )
MJ> How do you configure your system to handle a DoS with 42.zip?

It's a very interesting question: how to defend against "mailbombs"?
The drwebd has two parameters (in drweb32.ini):
MaxCompressionRatio - the ratio of the real size of a file to its compressed
size; a file is skipped (not checked) if it exceeds this ratio.
MaxFileSizeToExtract - the maximum size (in Kb) of a file that the daemon
will extract from any archive (larger files are skipped, not checked).

If a file in an archive violates one of these rules, the file is skipped (not
checked) and the appropriate flags are set in the answer to the daemon client
(i.e. avcheck). Any filter can ignore these flags and pass such mail with
unchecked objects, or reject the mail. I believe, Michael, you can make the
action on such events configurable (our integration client does it; you can
always ask me for more details about the returned flags).

But it's not enough for perfect detection of mailbombs; any legal archive
can exceed MaxCompressionRatio. So we are working on this problem.

-- 
Best regards,
 Sergey                            mailto:asv@drweb.ru
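A check of the kind the two drweb32.ini parameters above describe, written here as an added example and not DrWeb's or avcheck's code: it reads each member's sizes from the zip central directory, skips members over the size or ratio limit, bounds the bytes actually decompressed because those header sizes come from the sender, and recurses into nested archives behind a hypothetical depth guard. The limit values, the depth guard and the sample archive are constructed for this example.

```python
import io
import zipfile

# Limits modelled on the two drweb32.ini parameters the mail describes; the
# values and the nesting guard are constructed for this example, not DrWeb's.
MAX_COMPRESSION_RATIO = 100      # skip a member whose uncompressed:compressed ratio exceeds this
MAX_FILE_SIZE_TO_EXTRACT = 1024  # KB, the largest member the scanner will decompress
MAX_NESTING_DEPTH = 3            # hypothetical guard against archives nested like 42.zip

def bounded_read(zf, info, limit):
    """Decompress at most `limit` bytes; the header's file_size comes from the sender, so count real output."""
    with zf.open(info) as fh:
        data = fh.read(limit + 1)
    return data if len(data) <= limit else None

def scan_archive(data, depth=0):
    """Return (member, verdict) pairs: 'checked' or the reason the member was skipped."""
    limit = MAX_FILE_SIZE_TO_EXTRACT * 1024
    verdicts = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.file_size > limit:
                verdicts.append((info.filename, "skipped:size"))
                continue
            if info.file_size / max(info.compress_size, 1) > MAX_COMPRESSION_RATIO:
                verdicts.append((info.filename, "skipped:ratio"))
                continue
            member = bounded_read(zf, info, limit)
            if member is None:                                 # header understated file_size
                verdicts.append((info.filename, "skipped:size"))
            elif not info.filename.lower().endswith(".zip"):
                verdicts.append((info.filename, "checked"))    # hand to the real scanner
            elif depth + 1 >= MAX_NESTING_DEPTH:
                verdicts.append((info.filename, "skipped:depth"))
            else:
                for name, verdict in scan_archive(member, depth + 1):
                    verdicts.append((info.filename + "/" + name, verdict))
    return verdicts

def build_sample():
    """Constructed test archive (not 42.zip): a text file, an oversize member, a nested zip of zeros."""
    def zipped(members):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            for name, payload in members.items():
                zf.writestr(name, payload)
        return buf.getvalue()
    inner = zipped({"zeros.bin": b"\0" * (512 * 1024)})
    return zipped({"readme.txt": b"hello from avcheck testing\n",
                   "large.bin": bytes(range(256)) * 4400, "inner.zip": inner})
```

A filter such as avcheck would then decide, per the mail, whether a "skipped" verdict means the mail is passed with unchecked objects or rejected.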