Hi there,

the Postfix author suggested that I post the following issue here: we received a spam that bypassed all controls and consisted of a huge header (4M), repeating these four lines 31.000 times (changing only the Reply-To):

MIME-Version: 1.0
Content-type: text/html; charset=iso-8859-1
From: Magaly <verano@xxxxxxxx>
Reply-To: fdsafdsafdsa@xxxxxx

It resulted in a denial-of-service in 10 IMAP servers, eating up all CPU and rendering them unusable. We solved it by stopping imapd, identifying the message in the file system, deleting it and reconstructing the accounts.

Whenever one imapd hits one of these messages from our webmail, it gets "poisoned" and consumes lots of CPU. Each of my IMAP servers holds 5K to 25K users.

The servers run versions of cyrus-imapd ranging from 2.3.7 under CentOS (v2.3.7-Invoca-RPM-2.3.7-2.el5) to FreeBSD-6-stable and FreeBSD-7-stable compiled from ports (2.3.6, 2.3.7 and 2.3.13).

Is there anything that could be done from the cyrus imapd side to avoid such CPU consumption? Do you need more information, like an imap activity log?

Thanks in advance,
Carlos

---------- Forwarded message ----------
From: Wietse Venema <wietse@xxxxxxxxxxxxx>
Date: Fri, Feb 6, 2009 at 12:02 AM
Subject: Re: Huge header detection
To: Postfix users <postfix-users@xxxxxxxxxxx>

Carlos Horowicz:
> Hello list,
>
> I recently found out an unsolicited e-mail that caused high CPU
> consumption by cyrus imap on different mailstores.
> The poisoned e-mail has a structure of over 31.000 repetitions of these
> 4 lines in the header
>
> MIME-Version: 1.0
> Content-type: text/html; charset=iso-8859-1
> From: Magaly <verano@xxxxxxxx>
> Reply-To: fdsafdsafdsa@xxxxxx
>
> The header lines are a bit less than 4 Megabytes.
>
> I'm running postfix 2.4.5 as MX for the domain that received this
> spam, and the only configuration line that seems to do some check
> regarding the header size is in main.cf.default:
>
> header_size_limit = 102400

This limits one header line, not the total number of bytes of
all headers combined.

> Is there a way in postfix configuration to control the header size or
> the max number of lines the header has ?
> or do I need to write a content-filter ?

Yes. Postfix makes no byte counts available in header_checks or
body_checks.

Meanwhile, you may want to ask cyrus imap people to make their
software more robust against large amounts of header text.

        Wietse

----
Cyrus Home Page: http://cyrusimap.web.cmu.edu/
Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
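
The total-size and line-count check that the reply above says has to live in a content filter, as an added example that is not part of the original thread and is not Postfix or Cyrus code. The limits, the function names and the example.invalid sample message are assumptions; hooking the check into a filter is not shown.

```python
import io
from collections import Counter

# Assumed limits, not from the thread; tune them to your own mail flow.
MAX_HEADER_BYTES = 256 * 1024   # all header lines combined
MAX_HEADER_LINES = 1000         # physical lines, folded continuations included
# Fields that RFC 5322 allows at most once per message.
SINGLETON_FIELDS = (b"date", b"from", b"message-id", b"reply-to", b"sender", b"subject")

def header_stats(raw):
    """Return (total bytes, physical lines, per-field counts) for the header section."""
    total = lines = 0
    fields = Counter()
    for line in io.BytesIO(raw):
        if line.rstrip(b"\r\n") == b"":
            break                               # empty line ends the headers
        total += len(line)
        lines += 1
        if line[:1] not in (b" ", b"\t") and b":" in line:   # skip folded continuations
            fields[line.split(b":", 1)[0].strip().lower()] += 1
    return total, lines, fields

def check_headers(raw, max_bytes=MAX_HEADER_BYTES, max_lines=MAX_HEADER_LINES):
    """Return a list of reasons to refuse the message; empty means it passes."""
    total, lines, fields = header_stats(raw)
    reasons = []
    if total > max_bytes:
        reasons.append(f"header section is {total} bytes (limit {max_bytes})")
    if lines > max_lines:
        reasons.append(f"header section has {lines} lines (limit {max_lines})")
    for name in SINGLETON_FIELDS:
        if fields[name] > 1:
            reasons.append(f"{name.decode()} appears {fields[name]} times")
    return reasons

def constructed_sample(repeats):
    """Constructed message with the repeated four-line shape described in the thread."""
    block = (b"MIME-Version: 1.0\r\n"
             b"Content-type: text/html; charset=iso-8859-1\r\n"
             b"From: Sender <sender@example.invalid>\r\n"
             b"Reply-To: r%d@example.invalid\r\n")
    return b"".join(block % i for i in range(repeats)) + b"\r\nbody\r\n"

if __name__ == "__main__":
    for reason in check_headers(constructed_sample(31000)):
        print("reject:", reason)
```

The per-field count catches the repeated From and Reply-To even when a sender stays under the byte and line limits.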