Denial Of Service Attack Messages

Steven Jardine steve at mjnservices.com
Mon Jun 6 17:23:05 UTC 2016


I am not really trying to be a nuisance on this but this is still 
happening way too often.  Legitimate emails are getting completely wiped 
out.  Are there any ideas for how to best find out what is causing the 
"status = 13" error?

Thanks!
Steve

On 06/01/2016 11:50 AM, Steven Jardine wrote:
> OK.  So I upgraded to v5.0.2-1 and I created a group called mtagroup 
> and added smmsp, smmta, www-data, clamav to the group.  I changed the:
>
> Incoming Work User = clamav
> Incoming Work Group = mtagroup
> Incoming Work Permissions = 0660
>
> Also, I set in clamd.conf:
>
> AllowSupplementaryGroups true
>
> Still showing the problem.  Maybe 30 messages today have the error.
>
> All look like this:
>
> Jun  1 05:50:14 mail MailScanner[4864]: Virus and Content Scanning: Starting
> Jun  1 05:50:20 mail MailScanner[4864]: HTML disarming died, status = 13
> Jun  1 05:50:20 mail MailScanner[4864]: Content Checks: Detected and have disarmed KILLED tags in HTML message in u51BoCcl030596 from bounce-21178_html-182046758-2943000-10142840-4602 at bounce.homedepotemail.com
>
> Any ideas? Is there a way to add additional logging?  It also seems to 
> me like it would be better to allow these messages to be delivered 
> without modification rather than removing the content with the denial 
> of service attack message.
>
> Thanks!
> Steve
>
> On 05/29/2016 04:26 AM, Jerry Benton wrote:
>> With v5.0.2-1 and the Incoming Work User set to clamav (or whatever it is for your system) I have not seen any more failures where a process was killed. I also set work permissions to 0660 and the incoming work group to mtagroup making sure that postfix, clam, etc. users are in the group. I also allow supplementary groups in clamd.conf.
>>
>> Side note: I have not seen any errors where clam was unable to read the .header for extracted files anymore either.
>>
>>
>>
>> -
>> Jerry Benton
>> www.mailborder.com
>>
>>
>>
>>> On May 27, 2016, at 11:57 PM, Mark Sapiro <mark at msapiro.net> wrote:
>>>
>>> On 05/24/2016 02:27 PM, Steven Jardine wrote:
>>>> I would say that 25% of the disarm messages were
>>>>
>>>> Content Checks: Detected and have disarmed KILLED tags in HTML message...
>>>>
>>>> and they produced the Denial Of Service Attack messages.
>>>>
>>>> The others look like this:
>>>>
>>>> Content Checks: Detected and have disarmed phishing tags in HTML message
>>>> ...
>>> OK, so it fails intermittently, about 25% of the time.
>>>
>>>
>>>> I have no idea why there would be any kind of permission error.  If my
>>>> permissions weren't set right I would be having all kinds of errors, right?
>>> I would think so, but the latest v5.0.2-1 version
>>> <https://www.mailscanner.info/downloads/>  has some changes in the
>>> permissions used for temp work files and may help. I suggest you try
>>> this one and report what happens with it.
>>>
>>> -- 
>>> Mark Sapiro<mark at msapiro.net>         The highway is for gamblers,
>>> San Francisco Bay Area, California    better use your sense - B. Dylan
>>>
>>>
>>> -- 
>>> MailScanner mailing list
>>> mailscanner at lists.mailscanner.info
>>> http://lists.mailscanner.info/listinfo/mailscanner
>>>
>>
>
> *IMPORTANT:* This email does not constitute a contract or an offer of 
> acceptance of an offer to enter into a contract. Further, this email 
> may not be used to modify, supplement, novate, or waive any rights 
> with respect to an existing contract or other binding commercial 
> terms. MJN Services, Inc. conducts business under our service terms 
> and conditions found at www.mjnservices.com unless otherwise agreed to 
> in writing by an officer of MJN Services, Inc.
>
>
>



IMPORTANT: This email does not constitute a contract or an offer of acceptance of an offer to enter into a contract.  Further, this email may not be used to modify, supplement, novate, or waive any rights with respect to an existing contract or other binding commercial terms. MJN Services, Inc. conducts business under our service terms and conditions found at www.mjnservices.com unless otherwise agreed to in writing by an officer of MJN Services, Inc. 
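
Added example, not part of the original thread and not MailScanner's own code: one way to measure how often HTML disarming dies and which messages are affected, by pairing each "HTML disarming died" line with the "disarmed KILLED tags" line logged by the same MailScanner PID. The sample log is constructed in the format quoted above; queue IDs and sender addresses are made up, and `triage` is a hypothetical helper name.

```python
import re
from collections import Counter

# Constructed sample in the syslog format quoted in the thread.
# Queue IDs and sender addresses are made up for this example.
SAMPLE_LOG = """\
Jun  1 05:50:14 mail MailScanner[4864]: Virus and Content Scanning: Starting
Jun  1 05:50:20 mail MailScanner[4864]: HTML disarming died, status = 13
Jun  1 05:50:20 mail MailScanner[4864]: Content Checks: Detected and have disarmed KILLED tags in HTML message in u51AAAAA000001 from news@example.com
Jun  1 06:02:41 mail MailScanner[4871]: Content Checks: Detected and have disarmed phishing tags in HTML message in u51AAAAA000002 from a@example.org
Jun  1 06:10:03 mail MailScanner[4864]: Content Checks: Detected and have disarmed phishing tags in HTML message in u51AAAAA000003 from b@example.org
Jun  1 06:15:59 mail MailScanner[4880]: Content Checks: Detected and have disarmed phishing tags in HTML message in u51AAAAA000004 from c@example.net
"""

LINE = re.compile(r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ MailScanner\[(?P<pid>\d+)\]: (?P<msg>.*)$")
DIED = re.compile(r"HTML disarming died, status = (?P<status>\d+)")
DISARMED = re.compile(r"disarmed (?P<tags>.+?) tags in HTML message in (?P<qid>\S+) from (?P<sender>\S+)")


def triage(log_text):
    """Count disarm events per tag type and list the ones where disarming died."""
    pending = {}      # pid -> status from a "died" line not yet tied to a message
    by_tag = Counter()
    failures = []
    for raw in log_text.splitlines():
        line = LINE.match(raw)
        if not line:
            continue  # not a MailScanner line
        pid, msg = line["pid"], line["msg"]
        died = DIED.search(msg)
        if died:
            pending[pid] = int(died["status"])
            continue
        hit = DISARMED.search(msg)
        if not hit:
            continue
        by_tag[hit["tags"]] += 1
        if "KILLED" in hit["tags"]:
            failures.append({"time": line["ts"], "pid": pid, "queue_id": hit["qid"],
                             "sender": hit["sender"], "status": pending.pop(pid, None)})
    total = sum(by_tag.values())
    return {"total": total, "by_tag": dict(by_tag), "failures": failures,
            "failure_rate": len(failures) / total if total else 0.0}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    print(f"{len(report['failures'])}/{report['total']} disarm events died "
          f"({report['failure_rate']:.0%})")
    for f in report["failures"]:
        print(f["time"], f["queue_id"], f["sender"], "status", f["status"])
```

Running it over the real mail log instead of the sample gives the list of queue IDs whose content was replaced, which can then be checked against the quarantine or the sender for a common pattern.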
