Bug 126792 - Excessive resource consumption is potential denial of service
Summary: Excessive resource consumption is potential denial of service
Alias: None
Product: Fedora
Classification: Fedora
Component: spamassassin (Show other bugs)
(Show other bugs)
Version: rawhide
Hardware: All Linux
Target Milestone: ---
Assignee: Chip Turner
QA Contact:
Keywords: Security
Depends On:
TreeView+ depends on / blocked
Reported: 2004-06-26 21:42 UTC by Ralph Loader
Modified: 2007-11-30 22:10 UTC (History)
6 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2004-06-28 06:37:01 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Email message that caused the problem (6.00 KB, text/plain)
2004-06-26 23:59 UTC, Ralph Loader
no flags Details

Description Ralph Loader 2004-06-26 21:42:24 UTC
spamassassin occassionally takes several minutes of CPU time to
process a message:

Jun 27 09:06:40 localhost spamd[29375]: checking message
<2D11BC10-C74A-11D8-BE07-000A95C4B3A0@inf.ed.ac.uk> for ralph:500.
Jun 27 09:09:23 localhost spamd[29375]: clean message (-4.9/5.0) for
ralph:500 in 163.4 seconds, 6070 bytes.
Jun 27 09:09:23 localhost spamd[29375]: result: . -4 -

I verified using top etc that spamassassin was taking 100% CPU.  The
message is a perfectly innocuous plain text conference announcement
from a mailing list.

I have seen this on a number of occassions.

933 MHz P3 - not the latest and greatest, but not entirely obsolete. 
Downloading email via pop3 and evolution.

As far as I can see, this is potentially exploitable by an attacker
who wishes to make spamassassin useless.  10 messages a day at a few
minutes each would be a major pain in the butt.  A few hundred
messages a day  at a few minutes CPU each would make it physically
impossible to use spamassassin.

I have the message and a copy of my .spamassassin directory if required.

PS.  Even "normal" spamassassin performance - a few seconds per
message - and a shitload of memory - is worth a grumble.

Comment 1 Warren Togami 2004-06-26 23:43:47 UTC
Please attach the message to this report.

Comment 2 Ralph Loader 2004-06-26 23:59:32 UTC
Created attachment 101448 [details]
Email message that caused the problem

Comment 3 Justin Mason 2004-06-27 09:45:09 UTC
I'd like to see the output from "spamassassin -D -t < temp.txt"; it
completes in 5 seconds (with network tests from a "cold" dns cache)
for me....

Comment 4 Ralph Loader 2004-06-28 04:46:25 UTC
Just tried "time spamassassin -t < temp.txt":

real    0m19.323s
user    0m3.347s
sys     0m0.255s

DNS look-ups took a while but CPU consumption is OK.

So it looks like something other than the message contents triggered
the CPU usage.

Is there any spamassassin logging I can turn on permanently to try and
track this down?

Comment 5 Justin Mason 2004-06-28 06:13:15 UTC
yes, the "-D" switch turns on debugs.  they're voluminous but will
track down the problem, most likely.  that would definitely be worthwhile.

BTW, I think it may have been a Bayes expiration run; periodically,
it'll expire unused tokens from the Bayes dbs to keep down db size. 
this should happen pretty infrequently, but somewhere between once a
day and once a week I'd guess.  that can take a minute or two to complete.

Comment 6 Ralph Loader 2004-06-28 06:37:01 UTC
Ok, the expiration run explains the behaviour I'm seeing.

Note You need to log in before you can comment on or make changes to this bug.