Messages being disarmed

Jason Waters jason at geeknocity.com
Thu Dec 8 13:02:52 UTC 2016


drwxrwxr-x  6 postfix www-data 4096 Nov 15 13:17 MailScanner

drwxrwxr-x  2 postfix www-data 4096 Nov  9 14:12 archive
drwxrwx--- 10 root    mtagroup 4096 Dec  8 08:01 incoming
drwxrwxr-x 32 root    www-data 4096 Dec  8 00:02 quarantine
-rw-------  1 postfix postfix    23 Nov 15 13:14 servers
drwxrwxr-x  2 postfix www-data 4096 Nov  9 14:23 spamassassin


Some of my settings in MailScanner.conf:
Incoming Work Group = mtagroup
Incoming Work Permissions = 0660
Quarantine User = root
Quarantine Group = www-data

Thank you for your help!


On Thu, Dec 8, 2016 at 1:49 AM, Mark Sapiro <mark at msapiro.net> wrote:

> On 12/07/2016 01:55 PM, Jason Waters wrote:
> >
> > MailScanner was attacked by a Denial Of Service attack, and has
> > therefore deleted this part of the message. Please contact your e-mail
> > providers for more information if you need it, giving them the whole of
> > this report. Attack in:
> > /var/spool/MailScanner/incoming/6797/25ACEE03FD.AE977/nmsg-6797-37.html
>
>
> This file only exists during processing. It's gone by the time you see
> this message.
>
> You may find the message in
> /var/spool/MailScanner/quarantine/20161207/25ACEE03FD.AE977/message, but
> probably not. In any case, I think the error is permission related and
> doesn't depend on the message content.
>
>
> > Here is the log file (cat /var/log/mail.log|grep "25ACEE03FD.AE977" -B5 -A5)
> >
> >
> >
> > Dec  7 12:59:47 mailscanner MailScanner[6797]: <A> '
> > 25ACEE03FD.AE977 from user at remoteemail.com <mailto:user at remoteemail.com>
> >
> > Dec  7 12:59:47 mailscanner MailScanner[6797]: HTML Img tag found in
> > message 25ACEE03FD.AE977 from user at remoteemail.com
> > <mailto:user at remoteemail.com>
> >
> > Dec  7 12:59:47 mailscanner MailScanner[6797]: Whitelist refresh time
> > reached
> >
> > Dec  7 12:59:47 mailscanner MailScanner[6797]: Starting up SQL Whitelist
> >
> > Dec  7 12:59:47 mailscanner MailScanner[6797]: Read 66 whitelist entries
> >
> > Dec  7 12:59:56 mailscanner MailScanner[6797]: HTML disarming died,
> > status = 13
>
>
> MailScanner forks a child to do the actual HTML parse and disarm. The
> child died with error 13 which is a permissions issue.  What is
> ownership and permissions on /var/spool/MailScanner/ and its various
> subdirectories?
>
>
> > Dec  7 12:59:56 mailscanner MailScanner[6797]: Content Checks: Detected
> > and have disarmed KILLED tags in HTML message in 25ACEE03FD.AE977
> > from user at remoteemail.com <mailto:user at remoteemail.com>
>
>
> This is a direct result of the above. It just says the disarming died.
>
>
> --
> Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
> San Francisco Bay Area, California    better use your sense - B. Dylan
>
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
>
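
The ownership question in the quoted reply can be checked mechanically against the listing at the top of this message. The following is an added example, not part of either poster's message and not MailScanner code: it applies the POSIX owner/group/other rule to that listing. Treating `postfix` as the account MailScanner runs as, and the group memberships passed in, are assumptions.

```python
import re

# Subdirectory listing of /var/spool/MailScanner, copied from the post.
LISTING = """\
drwxrwxr-x  2 postfix www-data 4096 Nov  9 14:12 archive
drwxrwx--- 10 root    mtagroup 4096 Dec  8 08:01 incoming
drwxrwxr-x 32 root    www-data 4096 Dec  8 00:02 quarantine
-rw-------  1 postfix postfix    23 Nov 15 13:14 servers
drwxrwxr-x  2 postfix www-data 4096 Nov  9 14:23 spamassassin
"""

# type, nine mode bits, link count, owner, group, size, date, name
LINE = re.compile(
    r"^([-d])([rwx-]{9})\s+\d+\s+(\S+)\s+(\S+)\s+\d+\s+\w{3}\s+\d+\s+[\d:]+\s+(.+)$"
)

def parse(listing):
    """Map each entry name to (type, mode bits, owner, group)."""
    entries = {}
    for line in listing.splitlines():
        m = LINE.match(line)
        if m:
            kind, bits, owner, group, name = m.groups()
            entries[name] = (kind, bits, owner, group)
    return entries

def effective_bits(entry, user, groups):
    """rwx triplet that applies to a non-root user. Exactly one class is
    used (owner, else group, else other); there is no fall-through."""
    _, bits, owner, group = entry
    if user == owner:
        return bits[0:3]
    if group in groups:
        return bits[3:6]
    return bits[6:9]

def unwritable_dirs(entries, user, groups):
    """Directories where the user cannot create files (needs w and x)."""
    blocked = []
    for name, entry in entries.items():
        if entry[0] == "d":
            eff = effective_bits(entry, user, groups)
            if "w" not in eff or "x" not in eff:
                blocked.append(name)
    return sorted(blocked)

if __name__ == "__main__":
    # Assumed run-as user and group memberships (not stated in the post).
    for groups in ({"postfix"}, {"postfix", "mtagroup", "www-data"}):
        print(sorted(groups), "->", unwritable_dirs(parse(LISTING), "postfix", groups))
```
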