[Mimedefang] Huge messages causing "try again later"

Paul Whittney pwhittney at net.bacconsulting.com
Wed Feb 25 13:37:59 EST 2004


Lucas,

I noticed you've got my "experimental code" for the novarg virus in there:

# added 2004-02-10
# Mydoom/Novarg test
if (lc($ext) =~ /zip/) {
	my $count = 0;
	my $lines = $entity->body();
	my $found = 0;
....

I have a sinking suspicion that it could be causing an additional delay
if you have large zip files going past your system.

Try taking that code out, and see if you have any problems.
Heck, I'm glad someone found the code useful, but it could be better, and I'd
hate to have made a problem with it...

Here's a question for that code that I don't know the answer to:
If I use $entity->body(), is the first line going to be the base64 encoded data?
If so, then:
	# scan every encoded line until one of the two signatures matches
	while ( ($count < scalar( @$lines )) && !$found ) {
		$line = $lines->[$count++];
		if ($line =~ m/^UEsDBAoAAAAAA.{6}zy5egAlgAAAJYAA/) {
			$found = 1;
		}
		if ($line =~ m/^UEsDBAoAAAAAA.{6}KJx\+eAFgAAABYAA/) {
			$found = 1;
		}
	}
Should be replaced with something like:
	# test only the first encoded line
	if ($lines->[0] =~ m/^UEsDBAoAAAAAA.{6}zy5egAlgAAAJYAA/) {
		$found = 1;
	}
	if ($lines->[0] =~ m/^UEsDBAoAAAAAA.{6}KJx\+eAFgAAABYAA/) {
		$found = 1;
	}

or even...
	$found = ($lines->[0] =~ m/^UEsDBAoAAAAAA.{6}zy5egAlgAAAJYAA/) ||
		($lines->[0] =~ m/^UEsDBAoAAAAAA.{6}KJx\+eAFgAAABYAA/);
with the whole while loop being taken out.

Thoughts?

Also, you could put md_syslog lines in there, so you would see when that code 
started to execute, and when it ended, perhaps giving an indication on
how long the filter worked on the file.

-Paul Whittney

					
On Wed, Feb 25, 2004 at 09:53:22AM -0800, sysadmin at omsoft.com wrote:
> Here is a copy of my mimedefang-filter:
> 	http://www2.dcn.org/omsoft/mimedefang-filter.txt
> 
> iostat doesn't seem to think that the drive /var/spool/MIMEDefang is on is too 
> busy.
> 
> Thanks,
> 
> Lucas
> 
> On 25 Feb 2004 at 11:20, Michael Sims wrote:
> 
> > [quoting rearranged]
> >
> > > I have not changed that part of mimedefang-filter, it still does the
> > > check. Do you suggest that I add a similar check for all messages in
> > > filter_begin?
> > 
> > No.  MD should not have any problems with large messages unless your filter
> > is calling SpamAssassin on them or doing some sort of other intensive scan.
> > Personally I would never bypass MD on any message, because my filter does
> > critical things on both incoming and outgoing mail (like, for example,
> > discarding virus-generated spam with .pif attachments).  I suppose a large
> > message could cause a problem if your spool volume is on a slow drive, since
> > MD has to create a work directory and write the message to it, but if that
> > were the case I would think you would have issues constantly, with messages
> > of all sizes.  If you want to send me your filter off-list (or post a link
> > to it) I can take a quick look and see if anything jumps out...
> _______________________________________________
> Visit http://www.mimedefang.org and http://www.canit.ca
> MIMEDefang mailing list
> MIMEDefang at lists.roaringpenguin.com
> http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
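
Added example, not code from the original post or from the MIMEDefang project: a stand-alone Perl script that contrasts the line-by-line scan with the first-line check discussed above, on constructed data. It assumes the array holds the encoded body one line per element, beginning with the first encoded bytes (the question the post leaves open); the sub names and both sample bodies are made up for the illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use MIME::Base64 qw(encode_base64 decode_base64);
use Time::HiRes qw(gettimeofday tv_interval);

# The two signatures quoted in the post, compiled once.
my @SIGS = (
    qr/^UEsDBAoAAAAAA.{6}zy5egAlgAAAJYAA/,
    qr/^UEsDBAoAAAAAA.{6}KJx\+eAFgAAABYAA/,
);

# Constructed input: a header followed by 8 MB of zero filler, base64
# encoded and split into newline-terminated lines (hypothetical helper).
sub body_lines {
    my ($head) = @_;
    return [ split /^/, encode_base64($head . ("\0" x (8 * 1024 * 1024))) ];
}

# 27 bytes whose base64 form matches the first signature (constructed).
my $sig_head = decode_base64('UEsDBAoAAAAAA' . 'AAAAAA' . 'zy5egAlgAAAJYAA' . 'AA');
# An ordinary ZIP local file header start: "PK\3\4", version 2.0 (constructed).
my $clean_head = "PK\x03\x04\x14\x00";

# Original approach: walk every line until a signature matches.
sub scan_all_lines {
    my ($lines) = @_;
    for my $line (@$lines) {
        for my $sig (@SIGS) { return 1 if $line =~ $sig; }
    }
    return 0;
}

# Proposed approach: test only the first encoded line.
sub scan_first_line {
    my ($lines) = @_;
    return 0 unless @$lines;
    for my $sig (@SIGS) { return 1 if $lines->[0] =~ $sig; }
    return 0;
}

for my $case (['matching header', $sig_head], ['clean large zip', $clean_head]) {
    my ($name, $lines) = ($case->[0], body_lines($case->[1]));
    my $t0 = [gettimeofday]; my $all   = scan_all_lines($lines);  my $t_all   = tv_interval($t0);
    $t0    = [gettimeofday]; my $first = scan_first_line($lines); my $t_first = tv_interval($t0);
    printf "%-16s lines=%d all=%d (%.4fs) first=%d (%.6fs)\n",
        $name, scalar @$lines, $all, $t_all, $first, $t_first;
}
```

The cost of the full scan shows on the non-matching body, where every line is visited before the loop gives up. In a filter, the elapsed times could be written with md_syslog, as the post suggests.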


