Denial Of Service Attack Messages

Shawn Iverson iversons at rushville.k12.in.us
Fri May 13 17:27:11 UTC 2016 

I have been watching this DoS stuff now for a while.

I am wondering if this issue is triggered during high load (similar to an
actual DoS)

Would it be possible to set up a MailScanner test environment and do a load
bearing test against mailscanner?  Perhaps just an MTA with a script to
send massive amounts of mail to a mailscanner instance?

I want to get to the bottom of this.



On Fri, May 13, 2016 at 4:22 AM, Michael Böttger <
michael.boettger at crossip.net> wrote:

>
> Hello,
>
> we are currently running MailScanner in combination with the following
> setup:
>
> MailWatch Version:1.2.0 - RC1 DEV
> MailScanner Version:4.85.2
> ClamAV Version:0.99.1
> SpamAssassin Version:3.4.0
> PHP Version:5.4.16
> MySQL Version:10.0.25-MariaDB-wsrep (3 node cluster)
>
> CentOS Linux release 7.2.1511 (Core)
>
> 6 Core Intel(R) Xeon(R) CPU           X5650  @ 2.67GHz
>
> virtualiced in a Virtuozzo 6.0 CloudServer environment
>
>
> processing about 20-24000 mails per day and we do get about 30-50 "Denial
> of Service attack" mails, which are not moved to the quarantine location as
> advertised in the „disarmed“ mail.
>
>
> After reading trough the Maillinglist we have set -> Maximum Processing
> Attempts = 0
>
> Which also doesnt’help, and have disabled -> Dangerous Content Scanning =
> no
>
>
> We could anly see such messages with the following log entries:
>
> May 13 02:30:02 mx01 MailScanner[25323]: Content Checks: Detected and
> have disarmed KILLED tags in HTML message in D1A4AA0DBC.A33FC from
> some_address at returns.groups.yahoo.com
>
> May 13 02:30:23 mx01 MailScanner[25323]: Content Checks: Detected and
> have disarmed KILLED tags in HTML message in 11057A0844.AB59A from
> some_address at coldiretti.it
>
> May 13 02:33:04 mx01 MailScanner[25323]: Content Checks: Detected and
> have disarmed KILLED tags in HTML message in 3E0E2A08D7.AAAA3 from
> some_address at googlegroups.com
>
> May 13 02:42:27 mx01 MailScanner[25323]: Content Checks: Detected and
> have disarmed KILLED tags in HTML message in CEF30A08AC.AE861 from
> some_address at csak1utazas.hu
>
> May 13 02:53:05 mx01 MailScanner[25323]: Content Checks: Detected and
> have disarmed KILLED tags in HTML message in 0A11DA0844.ABECC from
> some_address at coldiretti.it
>
> May 13 03:16:25 mx01 MailScanner[25323]: Content Checks: Detected and
> have disarmed KILLED tags in HTML message in 10455A0844.AF1FC from
> some_address at paypal.at
>
> May 13 03:23:18 mx01 MailScanner[25323]: Content Checks: Detected and
> have disarmed KILLED tags in HTML message in CC42FA0844.A3738 from
> some_address at billa.at
>
> May 13 03:34:55 mx01 MailScanner[25323]: Content Checks: Detected and
> have disarmed KILLED tags in HTML message in 6306AA08AC.A8311 from
> some_address at coldiretti.it
>
> May 13 03:37:06 mx01 MailScanner[25323]: Content Checks: Detected and
> have disarmed KILLED tags in HTML message in BF3ECA08AC.A7E73 from
> some_address at amazonses.com
>
> May 13 03:46:35 mx01 MailScanner[25323]: Content Checks: Detected and
> have disarmed KILLED tags in HTML message in EAE58A0DBC.A86E2 from
> some_address at vetmeduni.ac.at
>
> May 13 03:57:43 mx01 MailScanner[25323]: Content Checks: Detected and
> have disarmed KILLED tags in HTML message in 0B375A08AC.AAEB0 from
> some_address at xing.com
>
>
> Here are the whole log entris for a particular mail:
>
>
> May 13 03:46:23 mx01 postfix/smtpd[29099]: EAE58A0DBC: client=
> mail.meduniwien.ac.at[149.148.224.72]
>
> May 13 03:46:23 mx01 postfix/cleanup[29649]: EAE58A0DBC: hold: header
> Received: from mailfp2.srv.meduniwien.ac.at (mail.meduniwien.ac.at
> [149.148.224.72])??by mx01.mail.netstorage.at (Postfix) with ESMTPS id
> EAE58A0DBC??for <some_address at jensen-jarolim.at>; Fri, 13 May 2016 03
> from mail.meduniwien.ac.at[149.148.224.72]; from=<
> some_address at vetmeduni.ac.at> to=<some_address at jensen-jarolim.at>
> proto=ESMTP helo=<mailfp2.srv.meduniwien.ac.at>
>
> May 13 03:46:23 mx01 postfix/cleanup[29649]: EAE58A0DBC: message-id=<
> 8b7eb9021b7f725b13b26feb1fd22385 at mlgns.com>
>
> May 13 03:46:23 mx01 postfix/cleanup[29649]: EAE58A0DBC:
> resent-message-id=<20160513014548.2CFA8EE2DE at mail.vu-wien.ac.at>
>
> May 13 03:46:35 mx01 MailScanner[25323]: Content Checks: Detected and have
> disarmed KILLED tags in HTML message in EAE58A0DBC.A86E2 from
> some_address at vetmeduni.ac.at
>
> May 13 03:46:35 mx01 MailScanner[25323]: Requeue: EAE58A0DBC.A86E2 to
> D0A8EA15C3
>
> May 13 03:46:35 mx01 postfix/qmgr[27970]: D0A8EA15C3: from=<
> some_address at vetmeduni.ac.at>, size=25282, nrcpt=1 (queue active)
>
> May 13 03:46:36 mx01 postfix/smtp[29822]: D0A8EA15C3: to=<
> some_address at jensen-jarolim.at>, relay=mailfilter01.crossip.net[89.207.144.61]:25,
> delay=12, delays=11/0.01/0.54/0.23, dsn=2.0.0, status=sent (250 Ok: queued
> as 3578F5C00D2)
>
> May 13 03:46:36 mx01 postfix/qmgr[27970]: D0A8EA15C3: removed
>
>
>
> We have also done the test for missing Perl extensions, and all are
> present.
>
>
> We could catch some of these emails and will directly forward them to Jerry
> Benton
>
> Mit freundlichen Grüßen,
> With best regards,
>
> Michael Böttger
>
>
>
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/listinfo/mailscanner
>
>
>


-- 
Shawn Iverson
Director of Technology
Rush County Schools
765-932-3901 x271
iversons at rushville.k12.in.us
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.mailscanner.info/pipermail/mailscanner/attachments/20160513/c9672292/attachment.html>

More information about the MailScanner mailing list