Bugtraq mailing list archives

Re: Anti Virus Mailscanners DOS


From: Lars Hecking <lhecking () nmrc ie>
Date: Wed, 27 Feb 2002 10:53:05 +0000

 
I know one commercial mail-virus-scanner that has a "maximum compression ratio" parameter.
If any archive has a higher compression ratio than e.g. 1:5, it stops the unpacking process.
 
 The current snapshot release of amavisd *1 has three different mechanisms
 to escape such a mailbomb scenario:

 - a configurable compression rate like the one you describe above
 - a configurable limit for the total number of extracted files
 - a configurable limit for the nesting level of archives (any compression
   format that amavis supports)

 Of course, all this is no help with the scenario originally posted, one
 single, highly compressed file, and the code is commented accordingly.

I agree that "simple" unzip, bunzip2 programs that are used with mail scanners
could block your partition. It seems that it is better to check messages on the fly, in memory.
 
 [Sophos sweep does it this way, neatly.]

 But in general, you cannot rely on the virus scanner. Most command line
 scanners don't know MIME at all.

 Secondly, if you take e.g. the previously mentioned 42.zip and compress it
 in a format your virus scanner does not understand, even the most cunning
 .zip extraction routine won't help.

 The German computer magazine iX *2 was recently *3 testing commercial
 antivirus products for email environments with a permutation of
 MIME/base64/uu encoded files containing different types of archives,
 and many scanners just couldn't deal with it. Some don't know what
 to do with base64/uu, while others lack support for common compression
 formats. (Translated) Quote: "Out of 1245 infected test emails, $PRODUCT
 only allowed 463 through, not a bad rate." No comment.

 Unfortunately, DoS attacks were only covered briefly, but other weaknesses
 were exposed (SMTP based mail gateway acting as open relay etc.).

 *1 http://www.amavis.org/contrib/
 *2 http://www.heise.de/ix/
 *3 iX 02/2002, not available online
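The three amavisd limits mentioned above (compression ratio, total file count, nesting level), plus the "check on the fly, in memory" point, as an added example. This is not amavisd code and not part of the original post; it is a stand-alone Python walker over zip archives using only the standard library. The limit values, the function names and the two test archives (one benign, one nested and highly compressible) are constructed for the example. It goes slightly beyond the post in one respect: the ratio limit is enforced while inflating, with a byte budget derived from the compressed size, rather than trusting the declared sizes in the archive headers alone.

```python
import io
import zipfile

# Illustrative limits in the spirit of the amavisd settings described in the
# post. These values are assumptions for the example, not amavisd defaults.
MAX_RATIO = 5.0      # uncompressed:compressed per member (post: "e.g. 1:5")
MAX_FILES = 100      # total members across all nesting levels
MAX_DEPTH = 3        # archive-inside-archive levels
CHUNK = 64 * 1024    # read granularity while inflating in memory


class ArchiveLimitExceeded(Exception):
    """Raised as soon as one limit is hit; the message names which one."""


def _scan(data, depth, seen, max_ratio, max_files, max_depth):
    """Walk one zip archive (and any zip nested in it) entirely in memory."""
    if depth > max_depth:
        raise ArchiveLimitExceeded(f"nesting: level {depth} exceeds {max_depth}")
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            seen[0] += 1
            if seen[0] > max_files:
                raise ArchiveLimitExceeded(f"files: more than {max_files} members")
            # The budget is derived from the compressed size, which we can
            # observe, rather than from the declared uncompressed size, which
            # comes from the sender-controlled header. Reject early if even the
            # declared size is over budget.
            budget = int(max(info.compress_size, 1) * max_ratio)
            if info.file_size > budget:
                raise ArchiveLimitExceeded(
                    f"ratio: {info.filename} declares "
                    f"{info.file_size}/{info.compress_size} bytes")
            # Inflate in chunks and stop the moment the budget is exceeded, so
            # nothing is ever written to disk and memory use stays bounded.
            buf = io.BytesIO()
            with zf.open(info) as member:
                while True:
                    chunk = member.read(CHUNK)
                    if not chunk:
                        break
                    if buf.tell() + len(chunk) > budget:
                        raise ArchiveLimitExceeded(
                            f"ratio: {info.filename} inflates past {budget} bytes")
                    buf.write(chunk)
            # Nested archives are detected by content, not by file extension.
            if zipfile.is_zipfile(buf):
                _scan(buf.getvalue(), depth + 1, seen, max_ratio, max_files, max_depth)
    return seen[0]


def check_archive(data, max_ratio=MAX_RATIO, max_files=MAX_FILES, max_depth=MAX_DEPTH):
    """Return (True, members_seen) if the archive is within all limits,
    otherwise (False, reason) naming the first limit that was hit."""
    try:
        return True, _scan(data, 1, [0], max_ratio, max_files, max_depth)
    except ArchiveLimitExceeded as exc:
        return False, str(exc)
    except zipfile.BadZipFile as exc:
        return False, f"corrupt: {exc}"


def build_samples():
    """Constructed test input (not real samples): a benign archive and a
    two-level nested archive whose inner member is 256 KiB of zero bytes."""
    benign = io.BytesIO()
    with zipfile.ZipFile(benign, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", b"The quick brown fox jumps over the lazy dog.\n")

    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("zeros.bin", b"\0" * (256 * 1024))  # deflates to a few hundred bytes

    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("inner.zip", inner.getvalue())

    return benign.getvalue(), outer.getvalue()


if __name__ == "__main__":
    benign, nested = build_samples()
    print("benign:", check_archive(benign))
    print("nested:", check_archive(nested))
    print("nested, depth limit 1:", check_archive(nested, max_depth=1))
```

Each limit fires independently: the nested sample trips the ratio check on the inner member with the default limits, the nesting check when max_depth is lowered to 1, and the file-count check when the ratio limit is relaxed and max_files is set to 1. As the post notes, none of this helps if the attachment uses a format the scanner cannot open at all.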

