Denial Of Service Attack Messages

Shawn Iverson iversons at rushville.k12.in.us
Mon Mar 14 11:42:49 UTC 2016


That doesn't look like a DoS message to me.  It looks like an HTML tag
disarm message.

On Mon, Mar 14, 2016 at 6:48 AM, Andrew Southgate <andy at z00b.com> wrote:

> *Maximum Processing Attempts = 0*
>
> I set that, restarted MailScanner and have just had another DoS message
>
> Mar 14 10:19:31 hermes MailScanner[17065]: Blacklist refresh time reached
>
> Mar 14 10:19:31 hermes MailScanner[17065]: Starting up SQL Blacklist
>
> Mar 14 10:19:31 hermes MailScanner[17065]: Read 12 blacklist entries
>
> Mar 14 10:19:35 hermes MailScanner[17065]: Content Checks: Detected and
> have disarmed KILLED tags in HTML message in 73AC282B1055.AFD69 from
> <redacted>
>
> Mar 14 10:19:35 hermes MailScanner[17065]: Requeue: 73AC282B1055.AFD69 to
> 1C3D582B105F
>
> Mar 14 10:19:35 hermes MailScanner[17065]: Uninfected: Delivered 1 messages
>
> Mar 14 10:19:35 hermes postfix/qmgr[40123]: 1C3D582B105F:
> from<redacted>size=40013, nrcpt=1 (queue active)
>
> Mar 14 10:19:37 hermes postfix/smtp[18564]: 1C3D582B105F: to<redacted>,
> relay=<redacted>:25, delay=38, delays=35/0.03/0.61/1.8, dsn=2.6.0,
> status=sent (250 2.6.0 <006501d17dda$ed219a80$c764cf80$@com>
> [InternalId=74135430497647, Hostname=<redacted>] 27900 bytes in 0.276,
> 98.491 KB/sec Queued mail for delivery)
>
> Mar 14 10:19:37 hermes postfix/qmgr[40123]: 1C3D582B105F: removed
>
> For anyone who wanted a maillog of it happening.
>
> The message contents became:
>
> MailScanner was attacked by a Denial Of Service attack, and has therefore
> deleted this part of the message. Please contact your e-mail providers for
> more information if you need it, giving them the whole of this report.
> Attack in:
> /var/spool/MailScanner/incoming/17065/73AC282B1055.AFD69/nmsg-17065-2.html
>
> I don't want to include the source email, but it was just a random
> conversation with my other half and nothing particularly special.
>
> *From:* MailScanner [mailto:mailscanner-bounces+andy=
> z00b.com at lists.mailscanner.info] *On Behalf Of *Richard Mealing
> *Sent:* 08 March 2016 13:25
> *To:* MailScanner Discussion
> *Subject:* RE: Denial Of Service Attack Messages
>
> Have you tried -
>
> Maximum Processing Attempts = 0 # to disable the rule.
>
> I did this a few years ago as I got these problems. I’ve never looked
> back.
>
> I used to have to cd /var/db/clamav && rm * && freshclam (then download
> any extra sigs).
>
> It was such an annoyance and I never found the problem. Obviously clamd
> wasn’t liking something, but I used so many extra sigs I couldn’t narrow it
> down.
>
> *From:* MailScanner [
> mailto:mailscanner-bounces+richard=fastnet.co.uk at lists.mailscanner.info
> <mailscanner-bounces+richard=fastnet.co.uk at lists.mailscanner.info>] *On
> Behalf Of *Valentin Laskov
> *Sent:* 08 March 2016 13:08
> *To:* MailScanner Discussion <mailscanner at lists.mailscanner.info>
> *Subject:* Re: Denial Of Service Attack Messages
>
> Sometimes this occurs just after updating clamav signatures while clamd
> reloads new signatures.
>
> On 08.03.2016 at 14:53, Andrew Southgate wrote:
>
> It's random and sporadic for me, but I haven't had it occur in the last week
> so I don't have logs for it.
>
> That script gave everything an OK for me, and which timeout is it in
> MailScanner.conf, the SpamAssassin one?
>
> SpamAssassin Timeout = 75
>
> *From:* MailScanner [
> mailto:mailscanner-bounces+andy=z00b.com at lists.mailscanner.info
> <mailscanner-bounces+andy=z00b.com at lists.mailscanner.info>] *On Behalf Of
> *Jerry Benton
> *Sent:* 08 March 2016 12:19
> *To:* MailScanner Discussion
> *Subject:* Re: Denial Of Service Attack Messages
>
> Thanks Andrew.
>
> Could those people seeing this error please check your Perl modules using
> this script:
>
> https://github.com/MailScanner/v4/blob/master/check_modules.sh
>
> Also make sure your timeout settings in MailScanner.conf are not too
> short. I cannot remember if I reduced the defaults in MailScanner.conf. I
> will have to review the changes.
>
> Also please check your logs for as much information as possible and send
> it to the list. Please try to filter out the important parts and send only
> that information.
>
> -
>
> Jerry Benton
>
> www.mailborder.com
>
> On Mar 8, 2016, at 6:54 AM, Andrew Southgate <andy at z00b.com> wrote:
>
> I'm getting it on 4.85.2-3
>
> *From:* MailScanner [
> mailto:mailscanner-bounces+andy=z00b.com at lists.mailscanner.info
> <mailscanner-bounces+andy=z00b.com at lists.mailscanner.info>] *On Behalf
> Of *Jerry Benton
> *Sent:* 08 March 2016 11:50
> *To:* MailScanner Discussion
> *Subject:* Re: Denial Of Service Attack Messages
>
> Just so everyone knows, 4.86.1 is not released. It is beta. It looks like
> I need to go back through the changes made between the two versions unless
> someone is seeing this in 4.85.2-3.
>
> -
>
> Jerry Benton
>
> www.mailborder.com
>
> On Mar 7, 2016, at 12:21 PM, Steven Jardine <steve at mjnservices.com> wrote:
>
> Yes.  I recently upgraded to 4.86.1-1 and the install log shows:
>
> HTML::Parser => OK
>
> On 03/07/2016 10:19 AM, Jerry Benton wrote:
>
> Is the HTML parser installed?
>
> -
>
> Jerry Benton
>
> www.mailborder.com
>
> Sent from my iPhone
>
> On Mar 7, 2016, at 11:25, Steven Jardine <steve at mjnservices.com> wrote:
>
> I upgraded MailScanner several months ago to v4.85.2-3 and now v4.86.1-1.
> Often I am getting the error message:
>
> MailScanner was attacked by a Denial Of Service attack, and has therefore
> deleted this part of the message. Please contact your e-mail providers for
> more information if you need it, giving them the whole of this report.
> Attack in:
> /var/spool/MailScanner/incoming/20499/u27Em5eK000564/nmsg-20499-47.html
>
> The file reported in the attack is not there, so I am unable to do any
> troubleshooting.
>
> I am using an OpenVZ container with Ubuntu 14.04 - 6 CPUs and 12GB RAM. The
> messages are causing problems with valid mail messages both incoming and
> outgoing.
>
> Is there a way to disable this feature?  Any ideas on how to suppress
> these messages?
>
> Thanks!
> Steve
>
> *IMPORTANT:* This email does not constitute a contract or an offer or
> acceptance of an offer to enter into a contract. Further, this email may
> not be used to modify, supplement, novate, or waive any rights with respect
> to an existing contract or other binding commercial terms.
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/listinfo/mailscanner
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/listinfo/mailscanner
>
>
>
>
>
>
>
>
>
>
>
> --
>
> Поздрави!
>
>
>
> Валентин Ласков
>
> Отговорник КИПО
>
> "Феста Холдинг" АД
>
> бул. "Вл. Варненчик" 48
>
> 9000 гр. Варна
>
> тел.:   +359 52 669137
>
> GSM: +359 888 669137
>
> Fax:   +359 52 669110
>
>
>
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/listinfo/mailscanner
>
>
>


-- 
Shawn Iverson
Director of Technology
Rush County Schools
765-932-3901 x271
iversons at rushville.k12.in.us
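Shawn's point above is that the maillog Andrew quoted records an HTML tag disarm ("Content Checks: Detected and have disarmed KILLED tags"), a requeue into Postfix and a normal delivery, with no DoS-protection event logged at all; the "Denial Of Service" wording appears only in the rewritten message body. The script below is an added example written for this archive page, not code from the thread or from the MailScanner project. It takes the quoted log lines (re-joined onto single lines as a constructed sample), follows the MailScanner message ID through the Requeue line to the Postfix queue ID, and reports what actually happened to that message. The "denial of service" log pattern is an assumption: the thread never shows such a log line, so the script flags one only if it ever appears.

```python
import re
from typing import Dict, Optional

# Constructed sample: the maillog lines quoted in this thread, re-joined onto
# single lines. The Postfix "from=<...>" / "to=<...>" fields are written in
# their normal syslog form; the thread's copy had lost the "=" characters.
SAMPLE_LOG = """\
Mar 14 10:19:31 hermes MailScanner[17065]: Blacklist refresh time reached
Mar 14 10:19:31 hermes MailScanner[17065]: Starting up SQL Blacklist
Mar 14 10:19:31 hermes MailScanner[17065]: Read 12 blacklist entries
Mar 14 10:19:35 hermes MailScanner[17065]: Content Checks: Detected and have disarmed KILLED tags in HTML message in 73AC282B1055.AFD69 from <redacted>
Mar 14 10:19:35 hermes MailScanner[17065]: Requeue: 73AC282B1055.AFD69 to 1C3D582B105F
Mar 14 10:19:35 hermes MailScanner[17065]: Uninfected: Delivered 1 messages
Mar 14 10:19:35 hermes postfix/qmgr[40123]: 1C3D582B105F: from=<redacted>, size=40013, nrcpt=1 (queue active)
Mar 14 10:19:37 hermes postfix/smtp[18564]: 1C3D582B105F: to=<redacted>, relay=<redacted>:25, delay=38, delays=35/0.03/0.61/1.8, dsn=2.6.0, status=sent (250 2.6.0 Queued mail for delivery)
Mar 14 10:19:37 hermes postfix/qmgr[40123]: 1C3D582B105F: removed
"""

# Generic syslog prefix: "Mon DD HH:MM:SS host program[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[\w./-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# MailScanner content-check action naming the MailScanner message ID
DISARM_RE = re.compile(
    r"Content Checks: Detected and have disarmed (?P<what>.+?) "
    r"in HTML message in (?P<id>\S+) from"
)
# MailScanner ID -> Postfix queue ID mapping
REQUEUE_RE = re.compile(r"Requeue: (?P<id>\S+) to (?P<pf>\S+)")
POSTFIX_RE = re.compile(r"^(?P<pf>[0-9A-F]{6,}): (?P<rest>.*)$")
STATUS_RE = re.compile(r"\bstatus=(?P<status>\w+)")
# Assumption: a DoS-protection log line, if MailScanner ever wrote one, would
# carry this phrase. Matched loosely so any wording variant is caught.
DOS_RE = re.compile(r"denial of service", re.IGNORECASE)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one syslog line into timestamp, host, program, pid and message."""
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None


def trace_message(log: str, ms_id: str) -> dict:
    """Follow one MailScanner message ID through the log and into Postfix.

    Collects the content-check actions taken on it, the Postfix queue ID it
    was requeued as, every Postfix event for that queue ID, the last delivery
    status seen, and any DoS-protection lines that name the message.
    """
    trace = {
        "ms_id": ms_id, "disarmed": [], "postfix_id": None,
        "postfix_events": [], "final_status": None, "dos_events": [],
    }
    for raw in log.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        msg = rec["msg"]
        if rec["prog"] == "MailScanner":
            d = DISARM_RE.search(msg)
            if d and d.group("id") == ms_id:
                trace["disarmed"].append(d.group("what"))
            r = REQUEUE_RE.search(msg)
            if r and r.group("id") == ms_id:
                trace["postfix_id"] = r.group("pf")
            if DOS_RE.search(msg) and ms_id in msg:
                trace["dos_events"].append(msg)
        elif rec["prog"].startswith("postfix/") and trace["postfix_id"]:
            p = POSTFIX_RE.match(msg)
            if p and p.group("pf") == trace["postfix_id"]:
                trace["postfix_events"].append((rec["prog"], p.group("rest")))
                s = STATUS_RE.search(p.group("rest"))
                if s:
                    trace["final_status"] = s.group("status")
    return trace


def has_dos_event(log: str) -> bool:
    """True if any line in the whole log mentions the DoS protection."""
    return any(DOS_RE.search(line) for line in log.splitlines())


def summarize(trace: dict) -> str:
    """One-line verdict a mail admin can paste into a reply to the list."""
    if trace["dos_events"]:
        return f"{trace['ms_id']}: DoS protection fired: {trace['dos_events']}"
    actions = ", ".join(trace["disarmed"]) or "no content changes"
    return (f"{trace['ms_id']}: {actions}; requeued as {trace['postfix_id']}, "
            f"final status {trace['final_status']}")


if __name__ == "__main__":
    t = trace_message(SAMPLE_LOG, "73AC282B1055.AFD69")
    print(summarize(t))
    print("DoS lines anywhere in log:", has_dos_event(SAMPLE_LOG))
```

Run against a real maillog, replace SAMPLE_LOG with the file contents and pass the MailScanner ID taken from the "Attack in:" path of the rewritten message (the directory component before "nmsg-..."); if trace_message returns disarm actions and a sent status but no DoS events, the log corroborates Shawn's reading that the content checks, not the DoS protection, rewrote the message.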