[Mimedefang] Huge messages causing "try again later"

[jbird at micron.com]

It is possible that these messages contain a de-compression bomb (a
small zip that de-compresses to a huge file) that was mentioned on the
list a week or so ago.

John

-----Original Message-----
From: mimedefang-bounces at lists.roaringpenguin.com
[mailto:mimedefang-bounces at lists.roaringpenguin.com] On Behalf Of
Michael Sims
Sent: Wed, 25 Feb, 2004 12:55
To: mimedefang at lists.roaringpenguin.com
Subject: RE: [Mimedefang] Huge messages causing "try again later"


Paul Whittney wrote:
> I noticed you've got my "experimental code" for the novarg virus in 
> there
[...]
> I have a sinking suspicion that it could be causing an additional 
> delay if you have large zip files going past your system.
>
> Try taking that code out, and see if you have any problems.

Or just add a size check to that block of code, changing

if (lc($ext) =~ /zip/) {

to

if (lc($ext) =~ /zip/ && -s './INPUTMSG' <= 100*1024) {

MyDoom isn't going to be bigger than 30KB anyway...

> Also, you could put md_syslog lines in there, so you would see when 
> that code started to execute, and when it ended, perhaps giving an 
> indication on how long the filter worked on the file.

An easier way to see how long the filter ran is to check the delay=
equate that sendmail logs on the same line with the recipient status.
For example:

Feb 18 10:55:47 mx sendmail[15980]: i1IGqapX015980:
to=<user at example.com>, delay=00:03:10, pri=4723633, stat=Please try
again later

___________________________________________
Michael Sims
Project Analyst - Information Technology
Crye-Leike Realtors
Office: (901)758-5648  Pager: (901)769-3722
___________________________________________

_______________________________________________
Visit http://www.mimedefang.org and http://www.canit.ca MIMEDefang
mailing list MIMEDefang at lists.roaringpenguin.com
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang