Messages being disarmed

Mark Sapiro mark at msapiro.net
Thu Dec 8 06:49:20 UTC 2016


On 12/07/2016 01:55 PM, Jason Waters wrote:
> 
> MailScanner was attacked by a Denial Of Service attack, and has
> therefore deleted this part of the message. Please contact your e-mail
> providers for more information if you need it, giving them the whole of
> this report. Attack in:
> /var/spool/MailScanner/incoming/6797/25ACEE03FD.AE977/nmsg-6797-37.html 


This file only exists during processing. It's gone by the time you see
this message.

You may find the message in
/var/spool/MailScanner/quarantine/20161207/25ACEE03FD.AE977/message, but
probably not. In any case, I think the error is permission related and
doesn't depend on the message content.


> Here is the log file (cat /var/log/mail.log|grep "25ACEE03FD.AE977" -B5 -A5)
> 
> 
> 
> Dec  7 12:59:47 mailscanner MailScanner[6797]: <A> '
> 25ACEE03FD.AE977 from user at remoteemail.com <mailto:user at remoteemail.com>
> 
> Dec  7 12:59:47 mailscanner MailScanner[6797]: HTML Img tag found in
> message 25ACEE03FD.AE977 from user at remoteemail.com
> <mailto:user at remoteemail.com>
> 
> Dec  7 12:59:47 mailscanner MailScanner[6797]: Whitelist refresh time
> reached
> 
> Dec  7 12:59:47 mailscanner MailScanner[6797]: Starting up SQL Whitelist
> 
> Dec  7 12:59:47 mailscanner MailScanner[6797]: Read 66 whitelist entries
> 
> Dec  7 12:59:56 mailscanner MailScanner[6797]: HTML disarming died,
> status = 13


MailScanner forks a child to do the actual HTML parse and disarm. The
child died with error 13 which is a permissions issue.  What are the
ownership and permissions on /var/spool/MailScanner/ and its various
subdirectories?


> Dec  7 12:59:56 mailscanner MailScanner[6797]: Content Checks: Detected
> and have disarmed KILLED tags in HTML message in 25ACEE03FD.AE977
> from user at remoteemail.com <mailto:user at remoteemail.com>


This is a direct result of the above. It just says the disarming died.


-- 
Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
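
Added example (not part of the original message, and not MailScanner's own code): one way to answer the ownership and permissions question in the reply above. It lists every directory under the spool that the given account does not own or on which the owner lacks read/write/search. The function name audit_spool and the account name passed to it are assumptions; pass whatever account your MailScanner runs as.

```shell
#!/bin/sh
# audit_spool ROOT USER  (hypothetical helper, added example)
#
# Walks ROOT (e.g. /var/spool/MailScanner) and reports each directory,
# including subdirectories such as incoming/ and quarantine/, that is
# either not owned by USER or is missing any of the owner rwx bits.
# A process running as USER needs write + search on a directory to
# create and delete its per-message work files there; without them the
# system call fails with EACCES (errno 13).
#
# Exit status: 0 = nothing found, 1 = problems listed, 2 = bad ROOT.
audit_spool() {
    root=$1
    user=$2

    if [ ! -d "$root" ]; then
        echo "audit_spool: not a directory: $root" >&2
        return 2
    fi

    # ! -user  : owned by some other account
    # ! -perm -700 : owner is missing r, w or x
    bad=$(find "$root" -type d \
            \( ! -user "$user" -o ! -perm -700 \) \
            -exec ls -ld {} + 2>/dev/null)

    if [ -z "$bad" ]; then
        return 0
    fi

    printf '%s\n' "$bad"
    return 1
}

# Run directly as:  sh audit_spool.sh /var/spool/MailScanner USER
if [ "$#" -ge 2 ]; then
    audit_spool "$1" "$2"
fi
```

Run it as root so that find can descend into every subdirectory. An empty result means ownership and owner bits look consistent for that account, so the cause lies elsewhere.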

