Fwd: Huge header detection

Carlos Horowicz carlos.horowicz at gmail.com
Fri Feb 6 13:34:39 EST 2009


Hi there,

The Postfix author suggested that I post the following issue here:

we received a spam that bypassed all controls and consisted of a huge
header (4M), repeating these four lines 31.000 times (changing only
the Reply-To):

MIME-Version: 1.0
Content-type: text/html; charset=iso-8859-1
From: Magaly <verano at club.com>
Reply-To: fdsafdsafdsa at xxxxxx

It resulted in a denial of service on 10 IMAP servers, eating up all
CPU and rendering them unusable. We solved it by stopping imapd,
identifying the message in the file system, deleting it and reconstructing
the accounts. Whenever an imapd hits one of these messages from our
webmail, it gets "poisoned" and consumes lots of CPU. Each of my IMAP
servers holds 5K to 25K users.

The servers run versions of cyrus-imapd ranging from 2.3.7 under
CentOS (v2.3.7-Invoca-RPM-2.3.7-2.el5) to FreeBSD-6-stable and
FreeBSD-7-stable compiled from ports (2.3.6, 2.3.7 and 2.3.13).

Is there anything that could be done from the cyrus imapd side to avoid
such CPU consumption? Do you need more information, like an IMAP
activity log?

Thanks in advance,

Carlos


---------- Forwarded message ----------
From: Wietse Venema <wietse at porcupine.org>
Date: Fri, Feb 6, 2009 at 12:02 AM
Subject: Re: Huge header detection
To: Postfix users <postfix-users at postfix.org>


Carlos Horowicz:
> Hello list,
>
> I recently found out an unsolicited e-mail that caused high CPU
> consumption by cyrus imap on different mailstores.
> The poisoned e-mail has a structure of over 31.000 repetitions of these
> 4 lines in the header
>
> MIME-Version: 1.0
> Content-type: text/html; charset=iso-8859-1
> From: Magaly <verano at club.com>
> Reply-To: fdsafdsafdsa at xxxxxx
>
> The header lines are a bit less than 4 Megabytes.
>
> I'm running postfix 2.4.5 as MX for the domain that received this
> spam, and the only configuration line that seems to do some check
> regarding the header size is in main.cf.default:
>
> header_size_limit = 102400

This limits one header line, not the total number of bytes of
all headers combined.

> Is there a way in postfix configuration to control the header size or
> the max number of lines the header has ?
> or do I need to write a content-filter ?

Yes. Postfix makes no byte counts available in header_checks
or body_checks.

Meanwhile, you may want to ask cyrus imap people to make their
software more robust against large amounts of header text.

      Wietse
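
The kind of whole-header check a content filter could apply before delivery to the mailstore, as an added example that is not part of the original thread or of Postfix or Cyrus: it measures the header block in bytes and lines and counts repeats of fields that should occur once. The function names, thresholds and field list are assumptions for illustration, and the sample message is constructed with placeholder addresses.

```python
# Added example: limits on the whole header block, for use in a content filter.
# Thresholds are illustrative assumptions, not Postfix or Cyrus defaults.
MAX_HEADER_BYTES = 256 * 1024
MAX_HEADER_LINES = 2000
# RFC 5322 section 3.6 allows these at most once; MIME fields added by assumption.
SINGLE_INSTANCE = {b"from", b"reply-to", b"subject", b"date", b"message-id",
                   b"to", b"cc", b"mime-version", b"content-type"}


def inspect_headers(raw: bytes):
    """Return (ok, reasons, stats) for the header block of a raw message."""
    # The header block ends at the first empty line, CRLF or bare LF.
    ends = [p for p in (raw.find(b"\r\n\r\n"), raw.find(b"\n\n")) if p != -1]
    block = raw[:min(ends)] if ends else raw
    lines = block.splitlines()
    counts = {}
    for line in lines:
        # Folded continuation lines start with whitespace; skip them.
        if line[:1] in (b" ", b"\t"):
            continue
        name, colon, _ = line.partition(b":")
        if colon:
            key = name.strip().lower()
            counts[key] = counts.get(key, 0) + 1
    repeated = {k: n for k, n in counts.items()
                if k in SINGLE_INSTANCE and n > 1}
    reasons = []
    if len(block) > MAX_HEADER_BYTES:
        reasons.append("header block too large: %d bytes" % len(block))
    if len(lines) > MAX_HEADER_LINES:
        reasons.append("too many header lines: %d" % len(lines))
    for key, n in sorted(repeated.items()):
        reasons.append("%s appears %d times" % (key.decode("ascii", "replace"), n))
    stats = {"bytes": len(block), "lines": len(lines), "repeated": repeated}
    return (not reasons, reasons, stats)


def build_sample(groups: int) -> bytes:
    """Constructed message: the four-line group from the report, repeated."""
    group = (b"MIME-Version: 1.0\r\n"
             b"Content-type: text/html; charset=iso-8859-1\r\n"
             b"From: Sender <sender@example.com>\r\n"
             b"Reply-To: user%05d@example.net\r\n")
    headers = b"".join(group % i for i in range(groups))
    return headers + b"\r\n<html>constructed body</html>\r\n"


if __name__ == "__main__":
    print(inspect_headers(build_sample(31000))[:2])
```

The check reads the header block once and never parses field values, so its cost stays linear in message size even on the input it is meant to reject.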

