Fwd: Huge header detection

Blake Hudson blake at ispn.net
Fri Feb 6 15:24:32 EST 2009


-------- Original Message  --------
Subject: Fwd: Huge header detection
From: Carlos Horowicz <carlos.horowicz at gmail.com>
To: info-cyrus at lists.andrew.cmu.edu
Date: Friday, February 06, 2009 12:34:39 PM
> Hi there,
>
> The Postfix author suggested that I post the following issue here:
>
> We received a spam that bypassed all controls and consisted of a huge
> header (4M), repeating these four lines 31.000 times (changing only
> the Reply-To):
>
> MIME-Version: 1.0
> Content-type: text/html; charset=iso-8859-1
> From: Magaly <verano at club.com>
> Reply-To: fdsafdsafdsa at xxxxxx
>
> It resulted in a denial-of-service on 10 IMAP servers, eating up all
> CPU and rendering them unusable. We solved it by stopping imapd,
> identifying the message in the file system, deleting it and reconstructing
> the accounts. Whenever an imapd hits one of these messages from our
> webmail, it gets "poisoned" and consumes lots of CPU. Each of my IMAP
> servers holds 5K to 25K users.
>
> The servers run versions of cyrus-imapd ranging from 2.3.7 under
> CentOS (v2.3.7-Invoca-RPM-2.3.7-2.el5) to FreeBSD-6-stable and
> FreeBSD-7-stable compiled from ports (2.3.6, 2.3.7 and 2.3.13).
>
> Is there anything that could be done from the Cyrus imapd side to avoid
> such CPU consumption? Do you need more information, like an IMAP
> activity log?
>
> Thanks in advance,
>
> Carlos
>
>   

What was the name of the process that was consuming CPU? Did this pose a
problem for all IMAP clients, or just the webmail?

--Blake
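
A pre-delivery check for the kind of message reported in this thread, as an added example that is not part of the original posts and is not Cyrus or Postfix code: it reads only the header section, stops at size and line limits, and reports fields that should occur once but repeat. The thresholds, function names and sample message are assumptions made for illustration.

```python
import io

# Header fields that may appear at most once per message (RFC 5322, RFC 2045).
SINGLETON_FIELDS = {"mime-version", "content-type", "from", "reply-to",
                    "sender", "to", "cc", "subject", "date", "message-id"}

# Assumed limits, not taken from the thread; tune them for your site.
MAX_HEADER_BYTES = 256 * 1024
MAX_HEADER_LINES = 2000


def scan_headers(stream, max_bytes=MAX_HEADER_BYTES, max_lines=MAX_HEADER_LINES):
    """Scan the header section of a binary stream and return a list of findings.

    Reading stops as soon as a limit is exceeded, so the scanner itself
    never walks a multi-megabyte header in full.
    """
    size = lines = 0
    counts = {}
    # readline() with a cap also bounds a single over-long line.
    for raw in iter(lambda: stream.readline(max_bytes + 1), b""):
        if raw in (b"\n", b"\r\n"):            # blank line ends the headers
            break
        size += len(raw)
        lines += 1
        if size > max_bytes:
            return [f"header section exceeds {max_bytes} bytes"]
        if lines > max_lines:
            return [f"header section exceeds {max_lines} lines"]
        if raw[:1] in (b" ", b"\t"):            # folded continuation line
            continue
        name, sep, _ = raw.partition(b":")
        if sep:
            key = name.strip().lower().decode("ascii", "replace")
            counts[key] = counts.get(key, 0) + 1
    return [f"{k} appears {n} times" for k, n in sorted(counts.items())
            if k in SINGLETON_FIELDS and n > 1]


def scan_bytes(data):
    """Convenience wrapper for an in-memory message."""
    return scan_headers(io.BytesIO(data))


def constructed_sample(repeats):
    """Constructed message: the four-field block from the report, repeated."""
    block = ("MIME-Version: 1.0\r\n"
             "Content-type: text/html; charset=iso-8859-1\r\n"
             "From: Sender <sender@example.com>\r\n"
             "Reply-To: r{}@example.com\r\n")
    head = "".join(block.format(i) for i in range(repeats))
    return (head + "\r\nbody\r\n").encode("ascii")
```

The same function can be pointed at files in a mail spool opened in binary mode to locate an already delivered message of this shape.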

