[Mimedefang] clamd memory leak?

Jeffrey Goldberg jeffrey at goldmark.org
Fri Apr 16 16:33:36 EDT 2004


On Fri, 16 Apr 2004, Les Mikesell wrote:

> On Fri, 2004-04-16 at 01:00, Jeffrey Goldberg wrote:

> I don't want to repeat the condition to test again, but I am
> pretty sure that clamd leaked memory.  It did not crash
> immediately on the first attempts to forward these messages
> but after some (dozens?) of attempts it would take all
> of the machine's RAM and eventually swap.  Restarting
> clamd would clear it up.  It may be related to the
> outlook winmail.dat encoding of a zip file as well as
> the size.  Maybe it wouldn't happen with normal MIME.
> I think if clamd just died at a certain memory consumption
> level, mimedefang would have handled things correctly and
> there might be a way to arrange that.

It does sound like a leak.   Other than saying your suspicion sounds
reasonable to me, I can't offer any help.  There is a clamav mailing list.

> > I should note that the example/default mimedefang-filter has
> > a condition on it to not run spamassassin on very large messages.  It
> > might be safe to do the same with virus scanning.  A worm so large that
> > most mail hubs would reject on size is not really going to propagate very
> > far.
>
> I think that would just beg the virus writers to exploit the
> hole.

If, say, you set things up to not scan files of more than 30MB, things
would be safe.  Virus writers could make their vectors more than
30MB to get through that hole, but a virus transmitted by email via a
message that is larger than 30MB just isn't going to propagate.


> > > > Use ftp for larger messages.

> You make this sound easy when in fact you are talking about huge
> security issues. [...] How do you suggest moving a big file that should
> be confidential between two users that don't have write access to a
> server or a password in common?

Hmm.  You are right.  ftp and http are designed for "one to many"
distribution, while email is designed with one to one in mind.

There are, of course, solutions.  But they require changes in habits that
amount to serious (prohibitive) inconvenience.  If users were infinitely
educable I would suggest

   (a) Everyone have easy web publishing ability.
   (b) PGP encryption of uploaded files with intended recipient's public
       key

So if you wanted to send me something large, you would encrypt it with my
public key, upload it to your public web space and email me the URL.

But getting people to work that way isn't going to happen any time soon.
So yes.  Unfortunately there does remain a role for email for large file
transfers.

-j

-- 
Jeffrey Goldberg                            http://www.goldmark.org/jeff/
 Relativism is the triumph of authority over truth, convention over justice
 Hate spam?  Boycott MCI! http://www.goldmark.org/jeff/anti-spam/mci/


