The problem with this is how clamd scans nested MIME messages. If fed a deeply recursive message it takes a huge amount of RAM to process. It appears that some later CVS snapshots handle this better than .70rc does and so I'll be upgrading to one of them shortly. However, even under the snapshots, clamd still uses a lot of RAM (several 100 MBs.) If more than a few of these hit a busy server, even a well sized busy server, that server is history. There are some hackish methods around this like putting ulimits on clamd or using out of band monitoring to kill it when it gets too big. However, I think clamd would benefit from two additional features.

1) Enable Excessive MIME Recursion detection. If it is more than, what, 20 deep, it's not legit. (These loops I'm seeing go upwards of 4000 parts.)

2) Enable Configurable Memory cap to prevent DoS'ing the local box. Hopefully as graceful as possible. Perhaps could be configured to fail hard or soft.

--
Kelsey Cummings - [EMAIL PROTECTED]
sonic.net, inc.
System Administrator
2260 Apollo Way
707.522.1000 (Voice)
Santa Rosa, CA 95407
707.547.2199 (Fax)
http://www.sonic.net/
Fingerprint = D5F9 667F 5D32 7347 0B79 8DB7 2B42 86B6 4E2C 3896

_______________________________________________
Clamav-devel mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-devel
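
The recursion check proposed in point 1 of the message above, sketched as an added example; it is not code from the original post or from ClamAV. The names `mime_depth`, `build_nested` and `MAX_DEPTH` are hypothetical, the sample messages are constructed, and the scanner only counts nested multipart boundaries (it is a pre-filter, not a full MIME parser).

```python
import re

MAX_DEPTH = 20  # threshold floated in the post above; tune for your mail flow

# Simplification: any line carrying boundary=... is treated as a multipart header.
_BOUNDARY = re.compile(r'boundary\s*=\s*"?([^";\s]+)"?', re.IGNORECASE)


def mime_depth(lines, limit=MAX_DEPTH):
    """Return the deepest multipart nesting seen, or None once it exceeds limit.

    Iterative and streaming: memory use is bounded by `limit` boundary strings,
    and scanning stops at the first level past the cap instead of parsing on.
    """
    stack = []      # boundaries of the multipart containers currently open
    deepest = 0
    for line in lines:
        if stack and line.startswith("--"):
            token = line[2:].rstrip()
            if token.endswith("--") and token[:-2] in stack:
                # Closing delimiter: this container and anything left open inside it end.
                del stack[stack.index(token[:-2]):]
                continue
            if token in stack:
                # Part delimiter: containers left open inside the previous part end.
                del stack[stack.index(token) + 1:]
                continue
        match = _BOUNDARY.search(line)
        if match and match.group(1) not in stack:
            stack.append(match.group(1))
            deepest = max(deepest, len(stack))
            if deepest > limit:
                return None   # caller rejects or quarantines without a full scan
    return deepest


def build_nested(levels):
    """Constructed sample input: `levels` multipart containers, one inside the next."""
    head, tail = [], []
    for i in range(levels):
        head += [f'Content-Type: multipart/mixed; boundary="b{i}"', "", f"--b{i}"]
        tail.insert(0, f"--b{i}--")
    return head + ["Content-Type: text/plain", "", "hello"] + tail


if __name__ == "__main__":
    print(mime_depth(build_nested(3)))      # legitimate-looking nesting
    print(mime_depth(build_nested(4000)))   # the pathological case from the post
```

Because the function takes any iterable of lines, it can be fed an open spool file directly, so the message never has to be held in memory to be rejected.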
