Denial Of Service Attack Messages

Steven Jardine steve at mjnservices.com
Wed Jun 1 17:50:01 UTC 2016


OK.  So I upgraded to v5.0.2-1 and I created a group called mtagroup and 
added smmsp, smmta, www-data, clamav to the group.  I changed the:

Incoming Work User = clamav
Incoming Work Group = mtagroup
Incoming Work Permissions = 0660

Also, I set in clamd.conf:

AllowSupplementaryGroups true

Still showing the problem.  Maybe 30 messages today have the error.

All look like this:

Jun  1 05:50:14 mail MailScanner[4864]: Virus and Content Scanning: Starting
Jun  1 05:50:20 mail MailScanner[4864]: HTML disarming died, status = 13
Jun  1 05:50:20 mail MailScanner[4864]: Content Checks: Detected and 
have disarmed KILLED tags in HTML message in u51BoCcl030596 from 
bounce-21178_html-182046758-2943000-10142840-4602 at bounce.homedepotemail.com

Any ideas? Is there a way to add additional logging?  It also seems to 
me like it would be better to allow these messages to be delivered without 
modification rather than removing the content with the denial of service 
attack message.

Thanks!
Steve

On 05/29/2016 04:26 AM, Jerry Benton wrote:
> With v5.0.2-1 and the Incoming Work User set to clamav (or whatever it is for your system) I have not seen any more failures where a process was killed. I also set work permissions to 0660 and the incoming work group to mtagroup making sure that postfix, clam, etc. users are in the group. I also allow supplementary groups in clamd.conf.
>
> Side note: I am not seeing any errors where clam was unable to read the .header for extracted files anymore either.
>
>
>
> -
> Jerry Benton
> www.mailborder.com
>
>
>
>> On May 27, 2016, at 11:57 PM, Mark Sapiro <mark at msapiro.net> wrote:
>>
>> On 05/24/2016 02:27 PM, Steven Jardine wrote:
>>> I would say that 25% of the disarm messages were
>>>
>>> Content Checks: Detected and have disarmed KILLED tags in HTML message...
>>>
>>> and they produced the Denial Of Service Attack messages.
>>>
>>> The others look like this:
>>>
>>> Content Checks: Detected and have disarmed phishing tags in HTML message
>>> ...
>>
>> OK, so it fails intermittently, about 25% of the time.
>>
>>
>>> I have no idea why there would be any kind of permission error.  If my
>>> permissions weren't set right I would be having all kinds of errors, right?
>>
>> I would think so, but the latest v5.0.2-1 version
>> <https://www.mailscanner.info/downloads/> has some changes in the
>> permissions used for temp work files and may help. I suggest you try
>> this one and report what happens with it.
>>
>> -- 
>> Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
>> San Francisco Bay Area, California    better use your sense - B. Dylan
>>
>
>
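
To put a number on how often the disarm step fails (the thread estimates about 25%), the syslog lines quoted above can be tallied and each "HTML disarming died" line paired with the KILLED message logged next by the same MailScanner PID. This is an added example, not part of the original post or of MailScanner; the sample log is constructed in the format shown above (message IDs and senders are made up) and `summarize` is a hypothetical helper name.

```python
import re
from collections import Counter

# Constructed sample log, one syslog record per line (IDs and senders are invented).
SAMPLE_LOG = """\
Jun  1 05:50:14 mail MailScanner[4864]: Virus and Content Scanning: Starting
Jun  1 05:50:20 mail MailScanner[4864]: HTML disarming died, status = 13
Jun  1 05:50:20 mail MailScanner[4864]: Content Checks: Detected and have disarmed KILLED tags in HTML message in u51AAAAA000001 from sender-a@example.com
Jun  1 06:02:41 mail MailScanner[4870]: Content Checks: Detected and have disarmed phishing tags in HTML message in u51BBBBB000002 from sender-b@example.org
Jun  1 06:10:03 mail MailScanner[4864]: Content Checks: Detected and have disarmed phishing tags in HTML message in u51CCCCC000003 from sender-c@example.net
Jun  1 06:15:55 mail MailScanner[4870]: Content Checks: Detected and have disarmed phishing tags in HTML message in u51DDDDD000004 from sender-d@example.com
"""

LINE = re.compile(r"MailScanner\[(\d+)\]: (.*)$")
DIED = re.compile(r"HTML disarming died, status = (\d+)")
DISARMED = re.compile(
    r"Content Checks: Detected and have disarmed (.+?) tags in HTML message in (\S+) from (.+)")

def summarize(log_text):
    """Count disarm events by tag type and list the KILLED ones with their status."""
    pending = {}      # pid -> status of the latest unmatched "died" line
    tags = Counter()  # tag type ("KILLED", "phishing", ...) -> count
    killed = []
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        pid, msg = m.groups()
        died = DIED.search(msg)
        if died:
            pending[pid] = int(died.group(1))
            continue
        hit = DISARMED.search(msg)
        if hit:
            kind, msg_id, sender = hit.groups()
            tags[kind] += 1
            if kind == "KILLED":
                # status is None when no "died" line preceded it for this PID
                killed.append({"id": msg_id, "sender": sender.strip(),
                               "pid": pid, "status": pending.pop(pid, None)})
    total = sum(tags.values())
    ratio = len(killed) / total if total else 0.0
    return {"tags": dict(tags), "killed": killed, "killed_ratio": ratio}

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Run it against the real mail log by passing the file contents to `summarize`; the message IDs in `killed` identify which queued messages to pull for a closer look.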
