Denial Of Service Attack Messages

Michael Böttger michael.boettger at crossip.net
Fri May 13 08:22:07 UTC 2016


Hello,

we are currently running MailScanner in combination with the following setup:

MailWatch Version:1.2.0 - RC1 DEV
MailScanner Version:4.85.2
ClamAV Version:0.99.1
SpamAssassin Version:3.4.0
PHP Version:5.4.16
MySQL Version:10.0.25-MariaDB-wsrep (3 node cluster)

CentOS Linux release 7.2.1511 (Core)

6 Core Intel(R) Xeon(R) CPU X5650 @ 2.67GHz

virtualized in a Virtuozzo 6.0 CloudServer environment


processing about 20,000-24,000 mails per day, and we do get about 30-50 "Denial of Service attack" mails, which are not moved to the quarantine location as advertised in the "disarmed" mail.


After reading through the mailing list we have set -> Maximum Processing Attempts = 0

which also doesn't help, and have disabled -> Dangerous Content Scanning = no


We could only see such messages with the following log entries:

May 13 02:30:02 mx01 MailScanner[25323]: Content Checks: Detected and have disarmed KILLED tags in HTML message in D1A4AA0DBC.A33FC from some_address at returns.groups.yahoo.com

May 13 02:30:23 mx01 MailScanner[25323]: Content Checks: Detected and have disarmed KILLED tags in HTML message in 11057A0844.AB59A from some_address at coldiretti.it

May 13 02:33:04 mx01 MailScanner[25323]: Content Checks: Detected and have disarmed KILLED tags in HTML message in 3E0E2A08D7.AAAA3 from some_address at googlegroups.com

May 13 02:42:27 mx01 MailScanner[25323]: Content Checks: Detected and have disarmed KILLED tags in HTML message in CEF30A08AC.AE861 from some_address at csak1utazas.hu

May 13 02:53:05 mx01 MailScanner[25323]: Content Checks: Detected and have disarmed KILLED tags in HTML message in 0A11DA0844.ABECC from some_address at coldiretti.it

May 13 03:16:25 mx01 MailScanner[25323]: Content Checks: Detected and have disarmed KILLED tags in HTML message in 10455A0844.AF1FC from some_address at paypal.at

May 13 03:23:18 mx01 MailScanner[25323]: Content Checks: Detected and have disarmed KILLED tags in HTML message in CC42FA0844.A3738 from some_address at billa.at

May 13 03:34:55 mx01 MailScanner[25323]: Content Checks: Detected and have disarmed KILLED tags in HTML message in 6306AA08AC.A8311 from some_address at coldiretti.it

May 13 03:37:06 mx01 MailScanner[25323]: Content Checks: Detected and have disarmed KILLED tags in HTML message in BF3ECA08AC.A7E73 from some_address at amazonses.com

May 13 03:46:35 mx01 MailScanner[25323]: Content Checks: Detected and have disarmed KILLED tags in HTML message in EAE58A0DBC.A86E2 from some_address at vetmeduni.ac.at

May 13 03:57:43 mx01 MailScanner[25323]: Content Checks: Detected and have disarmed KILLED tags in HTML message in 0B375A08AC.AAEB0 from some_address at xing.com


Here are the whole log entries for a particular mail:


May 13 03:46:23 mx01 postfix/smtpd[29099]: EAE58A0DBC: client=mail.meduniwien.ac.at[149.148.224.72]

May 13 03:46:23 mx01 postfix/cleanup[29649]: EAE58A0DBC: hold: header Received: from mailfp2.srv.meduniwien.ac.at (mail.meduniwien.ac.at [149.148.224.72])??by mx01.mail.netstorage.at (Postfix) with ESMTPS id EAE58A0DBC??for <some_address at jensen-jarolim.at>; Fri, 13 May 2016 03 from mail.meduniwien.ac.at[149.148.224.72]; from=<some_address at vetmeduni.ac.at> to=<some_address at jensen-jarolim.at> proto=ESMTP helo=<mailfp2.srv.meduniwien.ac.at>

May 13 03:46:23 mx01 postfix/cleanup[29649]: EAE58A0DBC: message-id=<8b7eb9021b7f725b13b26feb1fd22385 at mlgns.com>

May 13 03:46:23 mx01 postfix/cleanup[29649]: EAE58A0DBC: resent-message-id=<20160513014548.2CFA8EE2DE at mail.vu-wien.ac.at>

May 13 03:46:35 mx01 MailScanner[25323]: Content Checks: Detected and have disarmed KILLED tags in HTML message in EAE58A0DBC.A86E2 from some_address at vetmeduni.ac.at

May 13 03:46:35 mx01 MailScanner[25323]: Requeue: EAE58A0DBC.A86E2 to D0A8EA15C3

May 13 03:46:35 mx01 postfix/qmgr[27970]: D0A8EA15C3: from=<some_address at vetmeduni.ac.at>, size=25282, nrcpt=1 (queue active)

May 13 03:46:36 mx01 postfix/smtp[29822]: D0A8EA15C3: to=<some_address at jensen-jarolim.at>, relay=mailfilter01.crossip.net[89.207.144.61]:25, delay=12, delays=11/0.01/0.54/0.23, dsn=2.0.0, status=sent (250 Ok: queued as 3578F5C00D2)

May 13 03:46:36 mx01 postfix/qmgr[27970]: D0A8EA15C3: removed



We have also done the test for missing Perl extensions, and all are present.


We could catch some of these emails and will forward them directly to Jerry Benton.

Mit freundlichen Grüßen,
With best regards,

Michael Böttger
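The post above traces one disarmed message by hand: the MailScanner "Content Checks" line, the "Requeue:" line that maps the MailScanner ID to a new Postfix queue ID, and the postfix/smtp line that shows the message was delivered (status=sent) rather than quarantined. The script below does that correlation over a whole log file. It is an added example, not code from the original post or from the MailScanner project; the log formats are taken from the lines quoted above (the list archive rewrote "@" as " at " in addresses, so both forms are accepted), and the sample input is a copy of those quoted lines.

```python
"""Correlate MailScanner 'Content Checks' disarm events with the Postfix
queue ID each message is requeued under and with its final delivery status.

Added example; not part of the original post or of MailScanner.
"""
import re
from collections import Counter

# Sample input: lines copied from the post above (the full trace for
# EAE58A0DBC plus one disarm event with no delivery record in this excerpt).
SAMPLE_LOG = """\
May 13 03:46:23 mx01 postfix/smtpd[29099]: EAE58A0DBC: client=mail.meduniwien.ac.at[149.148.224.72]
May 13 03:46:35 mx01 MailScanner[25323]: Content Checks: Detected and have disarmed KILLED tags in HTML message in EAE58A0DBC.A86E2 from some_address at vetmeduni.ac.at
May 13 03:46:35 mx01 MailScanner[25323]: Requeue: EAE58A0DBC.A86E2 to D0A8EA15C3
May 13 03:46:35 mx01 postfix/qmgr[27970]: D0A8EA15C3: from=<some_address at vetmeduni.ac.at>, size=25282, nrcpt=1 (queue active)
May 13 03:46:36 mx01 postfix/smtp[29822]: D0A8EA15C3: to=<some_address at jensen-jarolim.at>, relay=mailfilter01.crossip.net[89.207.144.61]:25, delay=12, delays=11/0.01/0.54/0.23, dsn=2.0.0, status=sent (250 Ok: queued as 3578F5C00D2)
May 13 03:46:36 mx01 postfix/qmgr[27970]: D0A8EA15C3: removed
May 13 03:16:25 mx01 MailScanner[25323]: Content Checks: Detected and have disarmed KILLED tags in HTML message in 10455A0844.AF1FC from some_address at paypal.at
"""

# MailScanner IDs look like <postfix queue id>.<suffix>, e.g. EAE58A0DBC.A86E2
DISARM_RE = re.compile(
    r"MailScanner\[\d+\]: Content Checks: Detected and have disarmed "
    r"(?P<what>.+?) in (?P<msgid>[0-9A-F]+\.[0-9A-F]+) from (?P<sender>.+)$"
)
REQUEUE_RE = re.compile(
    r"MailScanner\[\d+\]: Requeue: (?P<msgid>[0-9A-F]+\.[0-9A-F]+) to (?P<qid>[0-9A-F]+)"
)
SMTP_RE = re.compile(
    r"postfix/smtp\[\d+\]: (?P<qid>[0-9A-F]+): to=<(?P<rcpt>[^>]+)>.*\bstatus=(?P<status>\w+)"
)


def sender_domain(sender):
    """'user at example.org' or 'user@example.org' -> 'example.org'."""
    return re.split(r"@| at ", sender.strip())[-1]


def correlate(log_text):
    """Return {mailscanner_id: record} for every disarm event in log_text.

    record keys: what, sender, domain, requeued_as, rcpt, status.
    status is the postfix/smtp status ('sent', 'bounced', ...) of the
    requeued message, or None if no delivery line was seen for it.
    """
    records = {}
    requeue = {}    # mailscanner id -> new postfix queue id
    delivery = {}   # postfix queue id -> (recipient, status)
    for line in log_text.splitlines():
        if (m := DISARM_RE.search(line)):
            records[m["msgid"]] = {
                "what": m["what"], "sender": m["sender"],
                "domain": sender_domain(m["sender"]),
                "requeued_as": None, "rcpt": None, "status": None,
            }
        elif (m := REQUEUE_RE.search(line)):
            requeue[m["msgid"]] = m["qid"]
        elif (m := SMTP_RE.search(line)):
            delivery[m["qid"]] = (m["rcpt"], m["status"])
    for msgid, rec in records.items():
        qid = requeue.get(msgid)
        if qid:
            rec["requeued_as"] = qid
            rec["rcpt"], rec["status"] = delivery.get(qid, (None, None))
    return records


def delivered_disarmed(records):
    """IDs of disarmed messages that Postfix reports as delivered (status=sent),
    i.e. the ones that reached the recipient instead of the quarantine."""
    return sorted(k for k, r in records.items() if r["status"] == "sent")


def disarms_by_domain(records):
    """How many disarm events each sender domain produced."""
    return Counter(r["domain"] for r in records.values())


if __name__ == "__main__":
    recs = correlate(SAMPLE_LOG)
    for msgid, r in recs.items():
        print(f"{msgid}: {r['what']} from {r['domain']} -> "
              f"requeued as {r['requeued_as']}, status={r['status']}")
    print("delivered despite disarm:", delivered_disarmed(recs))
    print("by domain:", dict(disarms_by_domain(recs)))
```

Run it against the real maillog (`python3 disarm_trace.py < /var/log/maillog` after replacing SAMPLE_LOG with `sys.stdin.read()`) to get, per disarmed message, whether it was requeued and delivered; a status of `sent` on a message that should have been quarantined is exactly the symptom described in the post.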
