MailScanner marks messages as DOS attact

Chris Stone axisml at gmail.com
Tue Mar 25 17:15:41 GMT 2014 

I had a similar issue on a server build on CentOS 6 and the latest
MailScanner. Never have found specific messages that cause the problem, but
typically 5-6 times a week, I'd get an alert from our Nagios installation
stating that there were zombie processes on the filtering server. I'd go
look and see MailScanner processing, crashing and looping on messages -
after 6 loops through, putting in the quarantine tagged as DoS message.

So, I tried disabling the Processing Attempts Database by setting:

Maximum Processing Attempts = 0

in MailScanner.conf. I no longer am seeing *any* problem - the crashes have
stopped, the looping has stopped (as expected with disabling), no messages
marked as DoS sources and none quarantined as a result. All appears to be
fine.

So, it kind of looks like something with the Processing Attempts Database
code - although I do use that on a number of other CentOS 4 and CentOS 5
servers without issue.


Chris



On Sat, Mar 22, 2014 at 11:52 AM, Mark Sapiro <mark at msapiro.net> wrote:

> On 03/22/2014 10:12 AM, simon at kmun.gov.kw wrote:
> >
> > after more investigation i realized the following..
> >
> > many of the users have subscribed to google groups ..
> > now when a email is received from a user who belongs to the same group as
> > our users belong maybe about 15 to 20 messages are marked clean ..
> > subsequent messages are being marked with RED and the details page shows
> > denial of service attack.
> > Also the System becomes very slow as MailScanner consumes the entire CPU
> > and also the outgoin email takes long time to reach the recipent.
> >
> > it remains in the incomming queue for a long time.. maybe 10 to 15 min at
> > times
>
>
> I'm not sure what the underlying issue is in this case, but looking at
> the code I think that the DOS attack is raised when one of your virus
> scanners times out on a message. You might try looking at logs to see if
> you can determine why this happens.
>
> As a workaround, you could establish a "Virus Scanning" ruleset to skip
> virus scanning for these messages. See
> <http://www.mailscanner.info/MailScanner.conf.index.html#Virus%20Scanning
> >.
>
> --
> Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
> San Francisco Bay Area, California    better use your sense - B. Dylan
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>



-- 
Chris Stone
AxisInternet, Inc.
www.axint.net
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20140325/d6066bd7/attachment.html

More information about the MailScanner mailing list