[Mimedefang] Huge messages causing "try again later"
jbird at micron.com
jbird at micron.com
Thu Feb 26 14:10:46 EST 2004
It is possible that these messages contain a de-compression bomb (a
small zip that de-compresses to a huge file) that was mentioned on the
list a week or so ago.
John
-----Original Message-----
From: mimedefang-bounces at lists.roaringpenguin.com
[mailto:mimedefang-bounces at lists.roaringpenguin.com] On Behalf Of
Michael Sims
Sent: Wed, 25 Feb, 2004 12:55
To: mimedefang at lists.roaringpenguin.com
Subject: RE: [Mimedefang] Huge messages causing "try again later"
Paul Whittney wrote:
> I noticed you've got my "experimental code" for the novarg virus in
> there
[...]
> I have a sinking suspicion that it could be causing an additional
> delay if you have large zip files going past your system.
>
> Try taking that code out, and see if you have any problems.
Or just add a size check to that block of code, changing
if (lc($ext) =~ /zip/) {
to
if (lc($ext) =~ /zip/ && -s './INPUTMSG' <= 100*1024) {
MyDoom isn't going to be bigger than 30KB anyway...
> Also, you could put md_syslog lines in there, so you would see when
> that code started to execute, and when it ended, perhaps giving an
> indication on how long the filter worked on the file.
An easier way to see how long the filter ran is to check the delay=
equate that sendmail logs on the same line with the recipient status.
For example:
Feb 18 10:55:47 mx sendmail[15980]: i1IGqapX015980:
to=<user at example.com>, delay=00:03:10, pri=4723633, stat=Please try
again later
___________________________________________
Michael Sims
Project Analyst - Information Technology
Crye-Leike Realtors
Office: (901)758-5648 Pager: (901)769-3722
___________________________________________
_______________________________________________
Visit http://www.mimedefang.org and http://www.canit.ca MIMEDefang
mailing list MIMEDefang at lists.roaringpenguin.com
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
More information about the MIMEDefang
mailing list