Messages being disarmed

Jason Waters jason at geeknocity.com
Thu Dec 8 15:04:05 UTC 2016


Is there a way that I can test it on my own?  So if I email a message that
has certain HTML tags, will that do it?  Seems odd because I'm not getting
a ton that do it.  Thanks again.

Jason

On Thu, Dec 8, 2016 at 8:02 AM, Jason Waters <jason at geeknocity.com> wrote:

> drwxrwxr-x  6 postfix www-data 4096 Nov 15 13:17 MailScanner
>
> drwxrwxr-x  2 postfix www-data 4096 Nov  9 14:12 archive
> drwxrwx--- 10 root    mtagroup 4096 Dec  8 08:01 incoming
> drwxrwxr-x 32 root    www-data 4096 Dec  8 00:02 quarantine
> -rw-------  1 postfix postfix    23 Nov 15 13:14 servers
> drwxrwxr-x  2 postfix www-data 4096 Nov  9 14:23 spamassassin
>
>
> some of my settings in MailScanner.conf
> Incoming Work Group = mtagroup
> Incoming Work Permissions = 0660
> Quarantine User = root
> Quarantine Group = www-data
>
> Thank you for your help!
>
>
> On Thu, Dec 8, 2016 at 1:49 AM, Mark Sapiro <mark at msapiro.net> wrote:
>
>> On 12/07/2016 01:55 PM, Jason Waters wrote:
>> >
>> > MailScanner was attacked by a Denial Of Service attack, and has
>> > therefore deleted this part of the message. Please contact your e-mail
>> > providers for more information if you need it, giving them the whole of
>> > this report. Attack in:
>> > /var/spool/MailScanner/incoming/6797/25ACEE03FD.AE977/nmsg-6797-37.html
>>
>>
>> This file only exists during processing. It's gone by the time you see
>> this message.
>>
>> You may find the message in
>> /var/spool/MailScanner/quarantine/20161207/25ACEE03FD.AE977/message, but
>> probably not. In any case, I think the error is permission related and
>> doesn't depend on the message content.
>>
>>
>> > Here is the log file (cat /var/log/mail.log|grep "25ACEE03FD.AE977" -B5 -A5)
>> >
>> >
>> >
>> > Dec  7 12:59:47 mailscanner MailScanner[6797]: <A> '
>> > 25ACEE03FD.AE977 from user at remoteemail.com <mailto:user at remoteemail.com
>> >
>> >
>> > Dec  7 12:59:47 mailscanner MailScanner[6797]: HTML Img tag found in
>> > message 25ACEE03FD.AE977 from user at remoteemail.com
>> > <mailto:user at remoteemail.com>
>> >
>> > Dec  7 12:59:47 mailscanner MailScanner[6797]: Whitelist refresh time
>> > reached
>> >
>> > Dec  7 12:59:47 mailscanner MailScanner[6797]: Starting up SQL Whitelist
>> >
>> > Dec  7 12:59:47 mailscanner MailScanner[6797]: Read 66 whitelist entries
>> >
>> > Dec  7 12:59:56 mailscanner MailScanner[6797]: HTML disarming died,
>> > status = 13
>>
>>
>> MailScanner forks a child to do the actual HTML parse and disarm. The
>> child died with error 13 which is a permissions issue.  What is
>> ownership and permissions on /var/spool/MailScanner/ and its various
>> subdirectories?
>>
>>
>> > Dec  7 12:59:56 mailscanner MailScanner[6797]: Content Checks: Detected
>> > and have disarmed KILLED tags in HTML message in 25ACEE03FD.AE977
>> > from user at remoteemail.com <mailto:user at remoteemail.com>
>>
>>
>> This is a direct result of the above. It just says the disarming died.
>>
>>
>> --
>> Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
>> San Francisco Bay Area, California    better use your sense - B. Dylan
>