-------- Original Message --------
Subject: Fwd: Huge header detection
From: Carlos Horowicz <carlos.horowicz@xxxxxxxxx>
To: info-cyrus@xxxxxxxxxxxxxxxxxxxx
Date: Friday, February 06, 2009 12:34:39 PM

> Hi there,
>
> The Postfix author suggested that I post the following issue here:
>
> we received a spam that bypassed all controls and consisted of a huge
> header (4M), repeating these four lines 31.000 times (changing only
> the Reply-To):
>
> MIME-Version: 1.0
> Content-type: text/html; charset=iso-8859-1
> From: Magaly <verano@xxxxxxxx>
> Reply-To: fdsafdsafdsa@xxxxxx
>
> It resulted in a denial-of-service in 10 IMAP servers, eating up all
> CPU and rendering them unusable. We solved it by stopping imapd,
> identifying the message in the file system, deleting it and reconstructing
> the accounts. Whenever one imapd hits one of these messages from our
> webmail, it gets "poisoned" and consumes lots of CPU. Each of my IMAP
> servers holds 5K to 25K users.
>
> The servers run versions of cyrus-imapd ranging from 2.3.7 under
> CentOS (v2.3.7-Invoca-RPM-2.3.7-2.el5), to FreeBSD-6-stable and
> FreeBSD-7-stable compiled from ports (2.3.6, 2.3.7 and 2.3.13).
>
> Is there anything that could be done from the cyrus imapd side to avoid
> such CPU consumption? Do you need more information, like an IMAP
> activity log?
>
> Thanks in advance,
>
> Carlos
>

What was the name of the process that was consuming CPU? Did this pose a problem for all IMAP clients, or just the webmail?

--Blake

----
Cyrus Home Page: http://cyrusimap.web.cmu.edu/
Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
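
A pre-delivery check for the message shape reported in this thread, as an added example that is not part of the original posts and not code from Cyrus or Postfix: it reads only the header block, with bounded memory, and flags oversized or heavily repeated headers so the message can be quarantined before an IMAP server has to parse it. The limits and the names `scan_header` and `build_sample` are assumptions for illustration.

```python
import io
from collections import Counter

# Assumed limits for illustration; tune them to local policy.
MAX_HEADER_BYTES = 256 * 1024
MAX_HEADER_LINES = 2000
# Fields that a well-formed message carries at most once.
MAX_REPEATS = {"mime-version": 1, "content-type": 1, "from": 1, "reply-to": 1}


def scan_header(stream, max_bytes=MAX_HEADER_BYTES, max_lines=MAX_HEADER_LINES):
    """Read only the header block of a binary stream and return a list of
    reasons to quarantine the message (an empty list means it looks sane)."""
    size = lines = 0
    fields = Counter()
    while True:
        # readline(limit) bounds memory even if a single line is enormous.
        line = stream.readline(max_bytes + 1)
        if not line or line in (b"\n", b"\r\n"):
            break  # EOF, or the blank line that ends the header
        size += len(line)
        lines += 1
        if size > max_bytes:
            return [f"header exceeds {max_bytes} bytes"]
        if lines > max_lines:
            return [f"header exceeds {max_lines} lines"]
        if line[:1] in b" \t":
            continue  # folded continuation of the previous field
        name, sep, _ = line.partition(b":")
        if sep:
            fields[name.strip().lower().decode("ascii", "replace")] += 1
    return [f"{n} appears {fields[n]} times (limit {lim})"
            for n, lim in MAX_REPEATS.items() if fields[n] > lim]


def build_sample(repeats):
    """Constructed sample shaped like the message in the report
    (addresses are placeholders, not taken from the thread)."""
    block = (b"MIME-Version: 1.0\r\n"
             b"Content-type: text/html; charset=iso-8859-1\r\n"
             b"From: Magaly <sender@example.invalid>\r\n"
             b"Reply-To: r%d@example.invalid\r\n")
    return b"".join(block % i for i in range(repeats)) + b"\r\n<html></html>\r\n"


if __name__ == "__main__":
    print(scan_header(io.BytesIO(build_sample(31000))))
```

Because the scan stops at the first limit it crosses, its cost is capped by the configured limits rather than by the size of the incoming header.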