Denial of Service attack Messages Constantly

Sat Aug 27 01:41:55 UTC 2016

<html><head></head><body><p dir="ltr">Yes, it can.<br><br></p>
<p dir="ltr"><!-- tmjah_g_1299s -->Jerry Benton <br>
+1 844-436-6245 </p>
<p dir="ltr">Sent from <a href="http://www.bluemail.me/r">BlueMail</a><!--
tmjah_g_1299e --><br><br></p>
<div class="gmail_quote" >On Aug 24, 2016, at 10:15, Andy Southgate <<a
href="mailto:andy at z00b.com" target="_blank">andy at z00b.com</a>>
wrote:<blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex;
border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
<pre class="blue">Would getting that wrong cause *intermittant* permissions
errors though?<br><br>The fact that 99% of the time everything works leads me
to assume that the basic permission is correct, is that assumption
wrong?<br><br>Part of the problem I'm having is my mail server is very low
throughput, I can go weeks without any error coming up and then get 10 errors
in a row, it makes it extremely difficult to iterate
changes.<br><br>-----Original Message-----<br>From: MailScanner
[mailto:mailscanner-bounces+andy=<a
href="http://z00b.com">z00b.com</a>@lists.mailscanner.info] On Behalf Of Jerry
Benton<br>Sent: 24 August 2016 15:01<br>To: MailScanner Discussion<br>Subject:
RE: Denial of Service attack Messages Constantly<br><br>Ok, as far as
permissions go â€¦ I addressed this issue in v5. The installer creates a group
called mtagroup. You MTA, virus scanners, etc should be added to this group
automatically. However, you should confirm those accounts are members of that
group. IF
you add extra virus scanners, add those system users to the
mtagroup.<br><br>Next, the â€œRun As Userâ€ is dependent on what MTA and
virus scanners you are using, but this is not as important as the next
item.<br><br><br>What is very important is that the â€œRun As Groupâ€ should
be mtagroup and the permissions should be 0660 in your config. By default this
is what ships with v5. If you changed it or used your old config, well â€¦
that is on you. By using mtagroup and 0660 nothing will have any permissions
issues.<br><br>If you need a reference to the defaults, it is
here:<br><br><br><a
href="https://github.com/MailScanner/v5/blob/master/common/etc/MailScanner/MailScanner.conf">https://github.com/MailScanner/v5/blob/master/common/etc/MailScanner/MailScanner.conf</a><br><br><br><br><br>-<br>Jerry
Benton<br><a href="http://www.mailborder.com">www.mailborder.com</a><br>+1 -
844-436-6245<br><br><br>-----Original Message-----<br>From: Andy Southgate
<andy at z00b.com><br>Reply:
MailScanner Discussion <mailscanner at lists.mailscanner.info><br>Date:
August 24, 2016 at 9:36:01 AM<br>To: MailScanner Discussion
<mailscanner at lists.mailscanner.info><br>Subject:  RE: Denial of Service
attack Messages Constantly<br><br><blockquote class="gmail_quote"
style="margin: 0pt 0pt 1ex 0.8ex; border-left: 1px solid #729fcf;
padding-left: 1ex;"> can confirm, added that, restarted MailScanner service
and still get <br> errors<br><br> -----Original Message-----<br> From:
MailScanner <br> [mailto:mailscanner-bounces+andy=<a
href="http://z00b.com">z00b.com</a>@lists.mailscanner.info]<br> On Behalf Of
Azir GÃ¼leroglu<br> Sent: 23 August 2016 12:07<br> To: MailScanner
Discussion<br> Subject: RE: Denial of Service attack Messages
Constantly<br><br> I added this block to limits.conf but still our customers
get same errors.<br><br> Azir Guleroglu<br><br><br> -----Original
Message-----<br> From: MailScanner <br>
[mailto:mailscanner-bounces+azir.guleroglu=<a
href="http://turknet.net.tr">turknet.net.tr</a>@lists.mailsc<br> <a
href="http://anner.info">anner.info</a>]<br> On Behalf Of Jerry Benton<br>
Sent: Monday, August 22, 2016 7:51 PM<br> To: MailScanner Discussion<br>
Subject: Re: Denial of Service attack Messages Constantly<br><br> When I see
this happen it is usually related to <br> /etc/security/limits.conf<br><br>
The old MailScanner code tried to silently increase the limits. This <br>
feature has been removed. Add this to /etc/security/limits.conf to try and
resolve the issue:<br><br><br> * hard nofile 65535<br> * soft nofile 65535<br>
root hard nofile 65535<br> root soft nofile 65535<br><br><br><br><br> -<br>
Jerry Benton<br> <a
href="http://www.mailborder.com">www.mailborder.com</a><br> +1 -
844-436-6245<br><br><br> -----Original Message-----<br> From: Steven
Jardine<br> Reply: MailScanner Discussion<br> Date: August 22, 2016 at
10:29:54 AM<br> To: MailScanner Discussion<br> Subject: Re: Denial of Service
attack Messages
Constantly<br><br><blockquote class="gmail_quote" style="margin: 0pt 0pt 1ex
0.8ex; border-left: 1px solid #ad7fa8; padding-left: 1ex;"> I can confirm this
behavior....the error code that I was getting was<br> 13 which is a permission
denied error. Unfortunately, it was <br> happening too often on legitimate
mail that I had to turn off the feature.<br><br> I would really like to
determine the cause....<br><br> On 08/22/2016 08:15 AM, Andy Southgate
wrote:<br><blockquote class="gmail_quote" style="margin: 0pt 0pt 1ex 0.8ex;
border-left: 1px solid #8ae234; padding-left: 1ex;"><br> It still happens for
me, AFAIK all that was worked out was that <br> for some reason there is an
intermittant permission problem that <br> occasionally causes the spawned
child process to fail to run <br> causing that error on the message, but there
was never any insight <br> as to why that should be.<br><br>
*From:*MailScanner<br> [mailto:mailscanner-bounces+andy=<a
href="http://z00b.com">z00b.com</a>@lists.mailscanner.info]<br> *On Behalf Of
*Aaron Pursell<br> *Sent:* 22 August 2016 15:01<br> *To:*
mailscanner at lists.mailscanner.info<br> *Subject:* Re: Denial of Service attack
Messages Constantly<br><br> I read pretty much every message and tried
everything, most of <br> those messages are years old and it appears it was
fixed and now <br> in the new version is the first time I'm experiencing them
in <br> many, many years, the fixes worked originally back in a way older
versiona.<br> Nothing really changed except the fact there's this new version,
<br> too bad it only happens to legitimate messages and not spam.... So who
knows.<br> I'll continue to look, the log really never says anything
specific.<br> I<br><br> ---<br><br><br><br> Regards,<br><br> Aaron<br><br><br>
Message: 1<br> Date: Fri, 19 Aug 2016 08:26:31 -0600<br> From: Steven Jardine
> > ><br> To: MailScanner Discussion > > ><br> Subject: Re:
Denial of Service attack
Messages Constantly<br> Message-ID:
<9dbfad5c-651a-3a7f-e9c8-2c623adf51c1 at mjnservices.com<br><blockquote
class="gmail_quote" style="margin: 0pt 0pt 1ex 0.8ex; border-left: 1px solid
#fcaf3e; padding-left: 1ex;"><br></blockquote> Content-Type: text/plain;
charset=windows-1252; format=flowed<br><br> I still haven't found a good
solution to this even after trying <br> all of the suggestions posted on the
previous threads. If turn off <br> "Dangerous Content Scanning" the error goes
away but you lose that functionality.<br><br> I have had to disable it until a
solution can be found. Its not ideal.<br><br> Good luck!<br> Steve<br><br> On
08/18/2016 04:43 PM, Mark Sapiro wrote:<br><br> On 08/18/2016 08:49 AM, Aaron
Pursell wrote:<br><br><br> The problem is, my users and I keep getting
messages like this:<br><br> "<br><br> MailScanner was attacked by a Denial Of
Service attack, and has <br> therefore deleted this part of the message.
Please contact your <br> e-mail providers for more
information if you need it, giving them <br> the whole of this report. Attack
in:<br>
/var/spool/MailScanner/incoming/12835/78C9F481B0DA.ACDF4/nmsg-12835-2.html"<br><br><br>
The path doesn't exist when you look and the message never gets <br>
delivered. What can I turn off or adjust to make sure this doesn't <br>
happen?<br><br><br> What's in the Mail log associated with this?<br><br>
There's a long thread on this with Subject: Denial Of Service <br> Attack
Messages in the archives of this list at<br><br> and<br><br> which may be
helpful.<br><br><br><br><br> IMPORTANT: This email does not constitute a
contract or an offer <br> or acceptance of an offer to enter into a contract.
Further, this <br> email may not be used to modify, supplement, novate, or
waive any <br> rights with respect to an existing contract or other binding
<br> commercial terms. MJN Services, Inc. conducts business under our <br>
service terms and conditions found at <a
href="http://www.mjnservices.com">www.mjnservices.com</a> unless <br>
otherwise agreed to in writing by an officer of MJN Services,
Inc.<br><br><br><br><hr><br><br> Message: 2<br> Date: Fri, 19 Aug 2016
09:30:29 -0500<br> From: Jerry Benton > > ><br> To: MailScanner
Discussion > > ><br> Subject: Re: Denial of Service attack Messages
Constantly<br> Message-ID:<br><blockquote class="gmail_quote" style="margin:
0pt 0pt 1ex 0.8ex; border-left: 1px solid #fcaf3e; padding-left:
1ex;"><blockquote class="gmail_quote" style="margin: 0pt 0pt 1ex 0.8ex;
border-left: 1px solid #e9b96e; padding-left: 1ex;"><blockquote
class="gmail_quote" style="margin: 0pt 0pt 1ex 0.8ex; border-left: 1px solid
#ccc; padding-left: 1ex;"><br></blockquote></blockquote></blockquote>
Content-Type: text/plain; charset=UTF-8<br><br> Steve,<br><br> Can you zip the
raw source of a message (the file) that triggers <br> this and email it
directly to me?<br><br><br> -<br> Jerry Benton<br> <a
href="http://www.mailborder.com">www.mailborder.com</a><br> +1 -
844-436-6245<br><br><br> -----Original Message-----<br> From:?Steven Jardine
> > ><br> Reply:?MailScanner Discussion > > > Date:?August
19, 2016 at <br> 10:27:05 AM To:?MailScanner Discussion >
><br><blockquote class="gmail_quote" style="margin: 0pt 0pt 1ex 0.8ex;
border-left: 1px solid #fcaf3e; padding-left: 1ex;"> Subject:? Re: Denial of
Service attack Messages Constantly<br></blockquote><br> I still haven't found
a good solution to this even after trying <br> all of the suggestions posted
on the previous threads. If turn off <br> "Dangerous Content Scanning" the
error goes away but you lose that functionality.<br><br> I have had to disable
it until a solution can be found. Its not ideal.<br><br> Good luck!<br>
Steve<br><br> On 08/18/2016 04:43 PM, Mark Sapiro wrote:<br><br> On 08/18/2016
08:49 AM, Aaron Pursell wrote:<br><br><br> The problem is, my users and I keep
getting messages like
this:<br><br> "<br><br> MailScanner was attacked by a Denial Of Service
attack, and has <br> therefore deleted this part of the message. Please
contact your <br> e-mail providers for more information if you need it, giving
them <br> the whole of this report. Attack in:<br>
/var/spool/MailScanner/incoming/12835/78C9F481B0DA.ACDF4/nmsg-12835-2.html"<br><br><br>
The path doesn't exist when you look and the message never gets <br>
delivered. What can I turn off or adjust to make sure this doesn't <br>
happen?<br><br><br> What's in the Mail log associated with this?<br><br>
There's a long thread on this with Subject: Denial Of Service <br> Attack
Messages in the archives of this list at<br><br> and<br><br> which may be
helpful.<br><br><br><br><br> IMPORTANT: This email does not constitute a
contract or an offer <br> or acceptance of an offer to enter into a contract.
Further, this <br> email may not be used to modify, supplement, novate, or
waive any <br> rights with respect to an
existing contract or other binding <br> commercial terms. MJN Services, Inc.
conducts business under our <br> service terms and conditions found at <a
href="http://www.mjnservices.com">www.mjnservices.com</a> unless <br>
otherwise agreed to in writing by an officer of MJN Services,
Inc.<br><br><br><br> --<br> MailScanner mailing list<br>
mailscanner at lists.mailscanner.info<br><br> <a
href="http://lists.mailscanner.info/listinfo/mailscanner">http://lists.mailscanner.info/listinfo/mailscanner</a><br><br><br><br><hr><br><br>
Subject: Digest Footer<br><br><br><br> --<br> MailScanner mailing list<br>
mailscanner at lists.mailscanner.info<br><br> <a
href="http://lists.mailscanner.info/listinfo/mailscanner">http://lists.mailscanner.info/listinfo/mailscanner</a><br><br><br><hr><br><br>
End of MailScanner Digest, Vol 128, Issue 16<br>
********************************************<br><br><br> --<br> This message
has been scanned for viruses and dangerous content by<br> *MailScanner* , and
is
believed to be clean.</blockquote><br><br><br><br><br><br><br> IMPORTANT: This
email does not constitute a contract or an offer or <br> acceptance of an
offer to enter into a contract. Further, this email <br> may not be used to
modify, supplement, novate, or waive any rights <br> with respect to an
existing contract or other binding commercial <br> terms. MJN Services, Inc.
conducts business under our service terms <br> and conditions found at <a
href="http://www.mjnservices.com">www.mjnservices.com</a> unless otherwise
agreed <br> to in writing<br></blockquote> by an officer of MJN Services,
Inc.<br><blockquote class="gmail_quote" style="margin: 0pt 0pt 1ex 0.8ex;
border-left: 1px solid #ad7fa8; padding-left: 1ex;"><br><br><br> --<br>
MailScanner mailing list<br> mailscanner at lists.mailscanner.info<br> <a
href="http://lists.mailscanner.info/listinfo/mailscanner">http://lists.mailscanner.info/listinfo/mailscanner</a></blockquote><br><br><br><br>
--<br> MailScanner mailing list<br>
mailscanner at lists.mailscanner.info<br> <a
href="http://lists.mailscanner.info/listinfo/mailscanner">http://lists.mailscanner.info/listinfo/mailscanner</a><br><br><br><hr><br><br>
Bu elektronik posta ve onunla iletilen bÃ¼tÃ¼n dosyalar sadece <br>
gÃ¶ndericisi tarafÄ±ndan almasÄ± amaÃ§lanan yetkili gerÃ§ek ya da tÃ¼zel <br>
kiÅŸinin kullanÄ±mÄ± iÃ§indir. EÄŸer sÃ¶z konusu yetkili alÄ±cÄ± deÄŸilseniz
bu <br> elektronik postanÄ±n iÃ§eriÄŸini aÃ§Ä±klamanÄ±z, kopyalamanÄ±z, <br>
yÃ¶nlendirmeniz ve kullanmanÄ±z kesinlikle yasaktÄ±r ve bu elektronik <br>
postayÄ± derhal silmeniz gerekmektedir. TurkNet bu mesajÄ±n iÃ§erdiÄŸi <br>
bilgilerin doÄŸruluÄŸu veya eksiksiz olduÄŸu konusunda herhangi bir <br>
garanti vermemektedir. Bu nedenle bu bilgilerin ne ÅŸekilde olursa <br> olsun
iÃ§eriÄŸinden, iletilmesinden, alÄ±nmasÄ±ndan ve saklanmasÄ±ndan sorumlu
deÄŸildir. Bu mesajdaki gÃ¶rÃ¼ÅŸler yalnÄ±zca gÃ¶nderen kiÅŸiye aittir ve
TurkNet'in gÃ¶rÃ¼ÅŸlerini yansÄ±tmayabilir. Bu e-posta bilinen
bÃ¼tÃ¼n bilgisayar virÃ¼slerine karÅŸÄ± taranmÄ±ÅŸtÄ±r.<br><hr><br> This
e-mail and any files transmitted with it are confidential and <br> intended
solely for the use of the individual or entity to whom they <br> are
addressed. If you are not the intended recipient you are hereby <br> notified
that any dissemination, forwarding, copying or use of any of <br> the
information is strictly prohibited, and the e-mail should <br> immediately be
deleted. TurkNet makes no warranty as to the accuracy <br> or completeness of
any information contained in this message and <br> hereby excludes any
liability of any kind for the information <br> contained therein or for the
information transmission, reception, <br> storage or use of such in any way
whatsoever. The opinions expressed in this message belong to sender alone and
may not necessarily reflect the opinions of TurkNet. This e-mail has been
scanned for all known computer viruses.<br><br><br> --<br> MailScanner mailing
list<br>
mailscanner at lists.mailscanner.info<br> <a
href="http://lists.mailscanner.info/listinfo/mailscanner">http://lists.mailscanner.info/listinfo/mailscanner</a><br><br><br><br><br>
--<br> MailScanner mailing list<br> mailscanner at lists.mailscanner.info<br> <a
href="http://lists.mailscanner.info/listinfo/mailscanner">http://lists.mailscanner.info/listinfo/mailscanner</a></blockquote><br><br><br><br>--<br>MailScanner
mailing list<br>mailscanner at lists.mailscanner.info<br><a
href="http://lists.mailscanner.info/listinfo/mailscanner">http://lists.mailscanner.info/listinfo/mailscanner</a><br><br><br><br></pre></blockquote></div></body></html>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.mailscanner.info/pipermail/mailscanner/attachments/20160827/1c8b6b55/attachment.html>