Fwd: Huge header detection

Fri Feb 6 22:38:43 EST 2009

Hi
the problem shows up no matter what client you use ... process name is imapd.
Carlos

On Fri, Feb 6, 2009 at 6:24 PM, Blake Hudson <blake at ispn.net> wrote:
>
> -------- Original Message  --------
> Subject: Fwd: Huge header detection
> From: Carlos Horowicz <carlos.horowicz at gmail.com>
> To: info-cyrus at lists.andrew.cmu.edu
> Date: Friday, February 06, 2009 12:34:39 PM
>> Hi there,
>>
>> postfix author suggested me to post here following issue :
>>
>> we received a spam that bypassed all controls and consisted of a huge
>> header (4M) , repeating these four lines 31.000 times (chaning only
>> the Reply-To):
>>
>> MIME-Version: 1.0
>> Content-type: text/html; charset=iso-8859-1
>> From: Magaly <verano at club.com>
>> Reply-To: fdsafdsafdsa at xxxxxx
>>
>> It resulted in a denial-of-service in 10 Imap servers , eating up all
>> CPU and rendering them unusable. We solved it by stopping imapd,
>> identifying the message in the file system, delete it and reconstruct
>> the accounts. Whenever one imapd hit one of this message from our
>> webmail , it gets "poisoned" and consumes lots of CPU. Each of my imap
>> servers hold 5K to 25K users.
>>
>> The servers run versions of cyrus-imapd ranging from 2.3.7 under
>> CentOS ( v2.3.7-Invoca-RPM-2.3.7-2.el5 ) , to FreeBSD-6-stable and
>> FreeBSD-7-stable compiled from ports (2.3.6,. 2.3.7 and 2.3.13).
>>
>> Is there anything that could be done from cyrus imapd side to avoid
>> such CPU consumption ? do you need more information , like an imap
>> activity log ?
>>
>> Thanks in advance,
>>
>> Carlos
>>
>>
>
> What was the name of the process that was consuming CPU? Did this pose a
> problem for all IMAP clients, or just the webmail?
>
> --Blake
> ----
> Cyrus Home Page: http://cyrusimap.web.cmu.edu/
> Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
> List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
>