Denial Of Service Attack Messages

Andrew Southgate andy at z00b.com
Mon Mar 14 12:07:26 UTC 2016


But an HTML tag disarm shouldn't replace the contents of the email with "MailScanner was attacked by a Denial Of Service attack...", should it?

From: MailScanner [mailto:mailscanner-bounces+andy=z00b.com at lists.mailscanner.info] On Behalf Of Shawn Iverson
Sent: 14 March 2016 11:43
To: MailScanner Discussion
Subject: Re: Denial Of Service Attack Messages

That doesn't look like a DoS message to me.  It looks like an HTML tag disarm message.

On Mon, Mar 14, 2016 at 6:48 AM, Andrew Southgate <andy at z00b.com> wrote:

Maximum Processing Attempts = 0

I set that, restarted MailScanner and have just had another DoS message

Mar 14 10:19:31 hermes MailScanner[17065]: Blacklist refresh time reached
Mar 14 10:19:31 hermes MailScanner[17065]: Starting up SQL Blacklist
Mar 14 10:19:31 hermes MailScanner[17065]: Read 12 blacklist entries
Mar 14 10:19:35 hermes MailScanner[17065]: Content Checks: Detected and have disarmed KILLED tags in HTML message in 73AC282B1055.AFD69 from <redacted>
Mar 14 10:19:35 hermes MailScanner[17065]: Requeue: 73AC282B1055.AFD69 to 1C3D582B105F
Mar 14 10:19:35 hermes MailScanner[17065]: Uninfected: Delivered 1 messages
Mar 14 10:19:35 hermes postfix/qmgr[40123]: 1C3D582B105F: from<redacted>size=40013, nrcpt=1 (queue active)
Mar 14 10:19:37 hermes postfix/smtp[18564]: 1C3D582B105F: to<redacted>, relay=<redacted>:25, delay=38, delays=35/0.03/0.61/1.8, dsn=2.6.0, status=sent (250 2.6.0 <006501d17dda$ed219a80$c764cf80$@com> [InternalId=74135430497647, Hostname=<redacted>] 27900 bytes in 0.276, 98.491 KB/sec Queued mail for delivery)
Mar 14 10:19:37 hermes postfix/qmgr[40123]: 1C3D582B105F: removed

 

For anyone who wanted a maillog of it happening.

The message contents became:

MailScanner was attacked by a Denial Of Service attack, and has therefore deleted this part of the message. Please contact your e-mail providers for more information if you need it, giving them the whole of this report. Attack in: /var/spool/MailScanner/incoming/17065/73AC282B1055.AFD69/nmsg-17065-2.html

I don't want to include the source email, but it was just a random conversation with my other half and nothing particularly special.

From: MailScanner [mailto:mailscanner-bounces+andy=z00b.com at lists.mailscanner.info] On Behalf Of Richard Mealing
Sent: 08 March 2016 13:25
To: MailScanner Discussion
Subject: RE: Denial Of Service Attack Messages

Have you tried -

Maximum Processing Attempts = 0 # to disable the rule.

I did this a few years ago as I got these problems. I’ve never looked back.

I used to have to cd /var/db/clamav && rm * && freshclam (then download any extra sigs).

It was such an annoyance and I never found the problem. Obviously clamd wasn’t liking something, but I used so many extra sigs I couldn’t narrow it down.

From: MailScanner [mailto:mailscanner-bounces+richard=fastnet.co.uk at lists.mailscanner.info] On Behalf Of Valentin Laskov
Sent: 08 March 2016 13:08
To: MailScanner Discussion <mailscanner at lists.mailscanner.info>
Subject: Re: Denial Of Service Attack Messages

 

Sometimes this occurs just after updating clamav signatures while clamd reloads new signatures.

On 08.03.2016 at 14:53, Andrew Southgate wrote:

It's random and sporadic for me, but I haven't had it occur in the last week so I don't have logs for it.

That script gave everything an OK for me, and which timeout is it in MailScanner.conf, the SpamAssassin one?

SpamAssassin Timeout = 75

From: MailScanner [mailto:mailscanner-bounces+andy=z00b.com at lists.mailscanner.info] On Behalf Of Jerry Benton
Sent: 08 March 2016 12:19
To: MailScanner Discussion
Subject: Re: Denial Of Service Attack Messages

 

Thanks Andrew.

Could those people seeing this error please check your Perl modules using this script:

https://github.com/MailScanner/v4/blob/master/check_modules.sh

Also make sure your timeout settings in MailScanner.conf are not too short. I cannot remember if I reduced the defaults in MailScanner.conf. I will have to review the changes.

Also please check your logs for as much information as possible and send it to the list. Please try to filter out the important parts and send only that information.

-

Jerry Benton

www.mailborder.com

On Mar 8, 2016, at 6:54 AM, Andrew Southgate <andy at z00b.com> wrote:

 

I'm getting it on 4.85.2-3

From: MailScanner [mailto:mailscanner-bounces+andy=z00b.com at lists.mailscanner.info] On Behalf Of Jerry Benton
Sent: 08 March 2016 11:50
To: MailScanner Discussion
Subject: Re: Denial Of Service Attack Messages

 

Just so everyone knows, 4.86.1 is not released. It is beta. It looks like I need to go back through the changes made between the two versions unless someone is seeing this in 4.85.2-3.


-

Jerry Benton

www.mailborder.com

On Mar 7, 2016, at 12:21 PM, Steven Jardine <steve at mjnservices.com> wrote:

 

Yes.  I recently upgraded to 4.86.1-1 and the install log shows:

HTML::Parser => OK



On 03/07/2016 10:19 AM, Jerry Benton wrote:

is the HTML parser installed?

-

Jerry Benton

www.mailborder.com

Sent from my iPhone


On Mar 7, 2016, at 11:25, Steven Jardine <steve at mjnservices.com> wrote:

I upgraded MailScanner several months ago to v4.85.2-3 and now v4.86.1-1. Often I am getting the error message:

MailScanner was attacked by a Denial Of Service attack, and has therefore deleted this part of the message. Please contact your e-mail providers for more information if you need it, giving them the whole of this report. Attack in: /var/spool/MailScanner/incoming/20499/u27Em5eK000564/nmsg-20499-47.html

The file reported in the attack is not there so I am unable to do any troubleshooting.

I am using an OpenVZ container with Ubuntu 14.04 - 6 CPUs and 12GB RAM. The messages are causing problems with valid mail messages both incoming and outgoing.

Is there a way to disable this feature?  Any ideas on how to suppress these messages?


Thanks!
Steve

IMPORTANT: This email does not constitute a contract or an offer or acceptance of an offer to enter into a contract. Further, this email may not be used to modify, supplement, novate, or waive any rights with respect to an existing contract or other binding commercial terms.



-- 
MailScanner mailing list
mailscanner at lists.mailscanner.info
http://lists.mailscanner.info/listinfo/mailscanner

-- 
Regards!

Valentin Laskov
Head of KIPO
"Festa Holding" AD
48 Vl. Varnenchik Blvd.
9000 Varna
tel.: +359 52 669137
GSM: +359 888 669137
Fax: +359 52 669110




-- 
Shawn Iverson
Director of Technology
Rush County Schools
765-932-3901 x271
iversons at rushville.k12.in.us
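
For matching one of these reports to the maillog, here is an added example (not part of the thread and not MailScanner code). It assumes, from the report text and log excerpt quoted above, that the "Attack in:" path embeds the MailScanner child PID and the message ID, and it follows that message through the Requeue line into the Postfix queue. The sample lines, addresses and function names are constructed for illustration.

```python
import re

# Constructed sample data, modelled on the log excerpt and report text quoted in
# this thread (addresses and relay are placeholders).
SAMPLE_LOG = """\
Mar 14 10:19:35 hermes MailScanner[17065]: Content Checks: Detected and have disarmed KILLED tags in HTML message in 73AC282B1055.AFD69 from alice@example.com
Mar 14 10:19:35 hermes MailScanner[17065]: Requeue: 73AC282B1055.AFD69 to 1C3D582B105F
Mar 14 10:19:37 hermes postfix/smtp[18564]: 1C3D582B105F: to=<bob@example.org>, relay=mx.example.org[192.0.2.10]:25, delay=38, dsn=2.6.0, status=sent (250 2.6.0 Queued mail for delivery)
Mar 14 10:19:37 hermes postfix/qmgr[40123]: 1C3D582B105F: removed
"""
SAMPLE_REPORT = ("Attack in: /var/spool/MailScanner/incoming/17065/"
                 "73AC282B1055.AFD69/nmsg-17065-2.html")

MS = re.compile(r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8}) \S+ MailScanner\[(?P<pid>\d+)\]: (?P<msg>.*)$")
DISARM = re.compile(r"disarmed (?P<what>.+?) tags in HTML message in (?P<id>\S+)")
REQUEUE = re.compile(r"^Requeue: (?P<old>\S+) to (?P<new>\S+)")
POSTFIX = re.compile(r"postfix/\w+\[\d+\]: (?P<qid>[0-9A-F]+): .*\bstatus=(?P<status>\w+)")
# Assumption: the report path is <incoming dir>/<child PID>/<message id>/<part file>.
ATTACK = re.compile(r"Attack in: \S*?/incoming/(?P<pid>\d+)/(?P<id>[^/\s]+)/(?P<part>\S+)")

def trace(log_text):
    """Map (MailScanner PID, message id) -> what the log says happened to it."""
    events, by_qid = {}, {}
    for line in log_text.splitlines():
        m = MS.match(line)
        if m:
            d, r = DISARM.search(m["msg"]), REQUEUE.search(m["msg"])
            msg_id = d["id"] if d else r["old"] if r else None
            if msg_id is None:
                continue  # MailScanner line that names no message
            ev = events.setdefault((m["pid"], msg_id), {
                "ts": m["ts"], "disarmed": [], "requeued_as": None, "status": None})
            if d:
                ev["disarmed"].append(d["what"])
            else:
                ev["requeued_as"] = r["new"]
                by_qid[r["new"]] = ev  # follow the message into the Postfix queue
            continue
        p = POSTFIX.search(line)
        if p and p["qid"] in by_qid:
            by_qid[p["qid"]]["status"] = p["status"]
    return events

def explain(report_text, log_text):
    """Return the log trail for the message named in a report, or None."""
    m = ATTACK.search(report_text)
    ev = trace(log_text).get((m["pid"], m["id"])) if m else None
    return dict(ev, part=m["part"]) if ev else None
```

`explain(SAMPLE_REPORT, SAMPLE_LOG)` returns the timestamp, the disarmed tag type, the Postfix queue ID the message was requeued under and its delivery status, which is enough to find the affected delivery when the file under `incoming` is already gone.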

 

