Denial Of Service Attack Messages

Andy Southgate andy at z00b.com
Fri May 13 18:07:04 UTC 2016


Well, in my case the server has an extremely light load, a handful of domains with 5 users total. Fairly high proportion of spam in some cases, but still pretty puny.

Server is a low-powered 32 GB RAM, 8x Atom core home server, with MailScanner running under a VM and given 3 cores and 8 GB RAM, and I've certainly never noticed it stressed, but it was a new build with MailScanner 4.85.2 installed. It replaced an old dual-core P4 running an ancient install of MailScanner with the same domain setup fine.

I'm not sure if one commonality across all of us having the issue is running MailScanner under a VM?

From: MailScanner [mailto:mailscanner-bounces+andy=z00b.com at lists.mailscanner.info] On Behalf Of Shawn Iverson
Sent: 13 May 2016 18:27
To: MailScanner Discussion <mailscanner at lists.mailscanner.info>
Subject: Re: Denial Of Service Attack Messages

I have been watching this DoS stuff now for a while.

I am wondering if this issue is triggered during high load (similar to an actual DoS).

Would it be possible to set up a MailScanner test environment and do a load-bearing test against MailScanner? Perhaps just an MTA with a script to send massive amounts of mail to a MailScanner instance?

I want to get to the bottom of this.

On Fri, May 13, 2016 at 4:22 AM, Michael Böttger <michael.boettger at crossip.net> wrote:

Hello,

we are currently running MailScanner in combination with the following setup:

MailWatch Version: 1.2.0 - RC1 DEV
MailScanner Version: 4.85.2
ClamAV Version: 0.99.1
SpamAssassin Version: 3.4.0
PHP Version: 5.4.16
MySQL Version: 10.0.25-MariaDB-wsrep (3 node cluster)

CentOS Linux release 7.2.1511 (Core)

6 Core Intel(R) Xeon(R) CPU X5650 @ 2.67GHz

virtualized in a Virtuozzo 6.0 CloudServer environment

processing about 20,000-24,000 mails per day, and we do get about 30-50 "Denial of Service attack" mails, which are not moved to the quarantine location as advertised in the "disarmed" mail.

After reading through the mailing list we have set -> Maximum Processing Attempts = 0

Which also doesn't help, and have disabled -> Dangerous Content Scanning = no

We could only see such messages with the following log entries:

May 13 02:30:02 mx01 MailScanner[25323]: Content Checks: Detected and have disarmed KILLED tags in HTML message in D1A4AA0DBC.A33FC from some_address at returns.groups.yahoo.com
May 13 02:30:23 mx01 MailScanner[25323]: Content Checks: Detected and have disarmed KILLED tags in HTML message in 11057A0844.AB59A from some_address at coldiretti.it
May 13 02:33:04 mx01 MailScanner[25323]: Content Checks: Detected and have disarmed KILLED tags in HTML message in 3E0E2A08D7.AAAA3 from some_address at googlegroups.com
May 13 02:42:27 mx01 MailScanner[25323]: Content Checks: Detected and have disarmed KILLED tags in HTML message in CEF30A08AC.AE861 from some_address at csak1utazas.hu
May 13 02:53:05 mx01 MailScanner[25323]: Content Checks: Detected and have disarmed KILLED tags in HTML message in 0A11DA0844.ABECC from some_address at coldiretti.it
May 13 03:16:25 mx01 MailScanner[25323]: Content Checks: Detected and have disarmed KILLED tags in HTML message in 10455A0844.AF1FC from some_address at paypal.at
May 13 03:23:18 mx01 MailScanner[25323]: Content Checks: Detected and have disarmed KILLED tags in HTML message in CC42FA0844.A3738 from some_address at billa.at
May 13 03:34:55 mx01 MailScanner[25323]: Content Checks: Detected and have disarmed KILLED tags in HTML message in 6306AA08AC.A8311 from some_address at coldiretti.it
May 13 03:37:06 mx01 MailScanner[25323]: Content Checks: Detected and have disarmed KILLED tags in HTML message in BF3ECA08AC.A7E73 from some_address at amazonses.com
May 13 03:46:35 mx01 MailScanner[25323]: Content Checks: Detected and have disarmed KILLED tags in HTML message in EAE58A0DBC.A86E2 from some_address at vetmeduni.ac.at
May 13 03:57:43 mx01 MailScanner[25323]: Content Checks: Detected and have disarmed KILLED tags in HTML message in 0B375A08AC.AAEB0 from some_address at xing.com

Here are the whole log entries for a particular mail:

May 13 03:46:23 mx01 postfix/smtpd[29099]: EAE58A0DBC: client=mail.meduniwien.ac.at[149.148.224.72]
May 13 03:46:23 mx01 postfix/cleanup[29649]: EAE58A0DBC: hold: header Received: from mailfp2.srv.meduniwien.ac.at (mail.meduniwien.ac.at [149.148.224.72])??by mx01.mail.netstorage.at (Postfix) with ESMTPS id EAE58A0DBC??for <some_address at jensen-jarolim.at>; Fri, 13 May 2016 03 from mail.meduniwien.ac.at[149.148.224.72]; from=<some_address at vetmeduni.ac.at> to=<some_address at jensen-jarolim.at> proto=ESMTP helo=<mailfp2.srv.meduniwien.ac.at>
May 13 03:46:23 mx01 postfix/cleanup[29649]: EAE58A0DBC: message-id=<8b7eb9021b7f725b13b26feb1fd22385 at mlgns.com>
May 13 03:46:23 mx01 postfix/cleanup[29649]: EAE58A0DBC: resent-message-id=<20160513014548.2CFA8EE2DE at mail.vu-wien.ac.at>
May 13 03:46:35 mx01 MailScanner[25323]: Content Checks: Detected and have disarmed KILLED tags in HTML message in EAE58A0DBC.A86E2 from some_address at vetmeduni.ac.at
May 13 03:46:35 mx01 MailScanner[25323]: Requeue: EAE58A0DBC.A86E2 to D0A8EA15C3
May 13 03:46:35 mx01 postfix/qmgr[27970]: D0A8EA15C3: from=<some_address at vetmeduni.ac.at>, size=25282, nrcpt=1 (queue active)
May 13 03:46:36 mx01 postfix/smtp[29822]: D0A8EA15C3: to=<some_address at jensen-jarolim.at>, relay=mailfilter01.crossip.net[89.207.144.61]:25, delay=12, delays=11/0.01/0.54/0.23, dsn=2.0.0, status=sent (250 Ok: queued as 3578F5C00D2)
May 13 03:46:36 mx01 postfix/qmgr[27970]: D0A8EA15C3: removed

We have also done the test for missing Perl extensions, and all are present.

We could catch some of these emails and will directly forward them to Jerry Benton.

Mit freundlichen Grüßen,
With best regards,

Michael Böttger

--
MailScanner mailing list
mailscanner at lists.mailscanner.info
http://lists.mailscanner.info/listinfo/mailscanner

-- 

Shawn Iverson
Director of Technology
Rush County Schools
765-932-3901 x271
iversons at rushville.k12.in.us
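Two questions run through the thread: whether the "Denial of Service attack" disarm events cluster under load, and why the affected messages are delivered instead of quarantined. Both can be checked from the Postfix and MailScanner syslog lines alone. The script below is an added example written for this page, not a MailScanner or MailWatch tool: it joins the Postfix queue ID with the MailScanner "Content Checks" and "Requeue" lines, counts disarm events per hour and per sender domain, and reports for each disarmed message how long it sat between SMTP accept and requeue and what the final delivery status was. The sample log is constructed from the entries quoted above with addresses restored to ordinary "user@domain" form; the year 2016 is assumed because syslog timestamps carry none, and the hypothetical queue-ID alias handling assumes one requeue per message, as in the quoted lifecycle.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample, shaped like the entries quoted in the thread: one full
# message lifecycle (EAE58A0DBC) plus three stand-alone disarm events.
SAMPLE_LOG = """\
May 13 02:30:02 mx01 MailScanner[25323]: Content Checks: Detected and have disarmed KILLED tags in HTML message in D1A4AA0DBC.A33FC from some_address@returns.groups.yahoo.com
May 13 02:30:23 mx01 MailScanner[25323]: Content Checks: Detected and have disarmed KILLED tags in HTML message in 11057A0844.AB59A from some_address@coldiretti.it
May 13 02:53:05 mx01 MailScanner[25323]: Content Checks: Detected and have disarmed KILLED tags in HTML message in 0A11DA0844.ABECC from some_address@coldiretti.it
May 13 03:46:23 mx01 postfix/smtpd[29099]: EAE58A0DBC: client=mail.meduniwien.ac.at[149.148.224.72]
May 13 03:46:35 mx01 MailScanner[25323]: Content Checks: Detected and have disarmed KILLED tags in HTML message in EAE58A0DBC.A86E2 from some_address@vetmeduni.ac.at
May 13 03:46:35 mx01 MailScanner[25323]: Requeue: EAE58A0DBC.A86E2 to D0A8EA15C3
May 13 03:46:35 mx01 postfix/qmgr[27970]: D0A8EA15C3: from=<some_address@vetmeduni.ac.at>, size=25282, nrcpt=1 (queue active)
May 13 03:46:36 mx01 postfix/smtp[29822]: D0A8EA15C3: to=<some_address@jensen-jarolim.at>, relay=mailfilter01.crossip.net[89.207.144.61]:25, delay=12, delays=11/0.01/0.54/0.23, dsn=2.0.0, status=sent (250 Ok: queued as 3578F5C00D2)
May 13 03:46:36 mx01 postfix/qmgr[27970]: D0A8EA15C3: removed
"""

LOG_YEAR = 2016  # assumption: syslog lines carry no year

SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>[^\[]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
DISARM_RE = re.compile(r"Content Checks: Detected and have disarmed (?P<what>.+?) in (?P<msid>\S+) from (?P<sender>\S+)")
REQUEUE_RE = re.compile(r"Requeue: (?P<msid>\S+) to (?P<newqid>[0-9A-F]+)")
POSTFIX_RE = re.compile(r"^(?P<qid>[0-9A-F]{10,}): (?P<rest>.*)$")
STATUS_RE = re.compile(r"status=(?P<status>\w+)")


def parse_events(log_text):
    """Turn raw syslog lines into event dicts keyed by Postfix queue ID.
    MailScanner IDs look like QUEUEID.SUFFIX; the Postfix part is the join key."""
    events = []
    for line in log_text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue  # unknown line shape: skip rather than guess
        ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        msg = m["msg"]
        if m["prog"] == "MailScanner":
            d = DISARM_RE.search(msg)
            if d:
                events.append({"ts": ts, "kind": "disarm", "qid": d["msid"].split(".")[0],
                               "what": d["what"], "sender": d["sender"]})
                continue
            r = REQUEUE_RE.search(msg)
            if r:
                events.append({"ts": ts, "kind": "requeue", "qid": r["msid"].split(".")[0],
                               "newqid": r["newqid"]})
            continue
        p = POSTFIX_RE.match(msg)
        if not p:
            continue
        rest = p["rest"]
        if rest.startswith("client="):
            kind, extra = "accept", {}
        elif "status=" in rest:
            kind, extra = "delivery", {"status": STATUS_RE.search(rest)["status"]}
        elif rest == "removed":
            kind, extra = "removed", {}
        else:
            kind, extra = "other", {}
        events.append({"ts": ts, "kind": kind, "qid": p["qid"], **extra})
    return events


def message_timelines(events):
    """Group events per original queue ID, folding the post-scan requeue ID back in."""
    alias = {e["newqid"]: e["qid"] for e in events if e["kind"] == "requeue"}
    timelines = defaultdict(list)
    for e in events:
        timelines[alias.get(e["qid"], e["qid"])].append(e)
    return {qid: sorted(tl, key=lambda e: e["ts"]) for qid, tl in timelines.items()}


def disarm_counts(events):
    """How disarm events cluster in time (per hour) and by sender domain."""
    disarms = [e for e in events if e["kind"] == "disarm"]
    by_hour = Counter(e["ts"].strftime("%b %d %H:00") for e in disarms)
    by_domain = Counter(e["sender"].rpartition("@")[2] for e in disarms)
    return by_hour, by_domain


def disarm_outcomes(events):
    """Per disarmed message: what was disarmed, the requeue ID, seconds from
    SMTP accept to requeue (scan latency), and the final Postfix delivery status."""
    outcomes = {}
    for qid, tl in message_timelines(events).items():
        disarm = next((e for e in tl if e["kind"] == "disarm"), None)
        if disarm is None:
            continue
        accept = next((e for e in tl if e["kind"] == "accept"), None)
        requeue = next((e for e in tl if e["kind"] == "requeue"), None)
        delivery = next((e for e in tl if e["kind"] == "delivery"), None)
        outcomes[qid] = {
            "what": disarm["what"],
            "requeued_as": requeue["newqid"] if requeue else None,
            "scan_latency_s": (requeue["ts"] - accept["ts"]).total_seconds() if accept and requeue else None,
            "status": delivery["status"] if delivery else None,
        }
    return outcomes


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    by_hour, by_domain = disarm_counts(evs)
    print("disarm events per hour:", dict(by_hour))
    print("disarm events per sender domain:", dict(by_domain))
    for qid, outcome in disarm_outcomes(evs).items():
        print(qid, outcome)
```

Run against a full day of `/var/log/maillog` (feed the file contents instead of `SAMPLE_LOG`), the per-hour counts show whether the disarm events pile up in the busy hours, and the scan latency column is the load signal: for the quoted message it is 12 seconds, matching Postfix's own `delay=12`. A `status=sent` beside a disarm event is the behaviour the thread complains about, the message leaving the box after the content check instead of landing in quarantine, so that column is the one to watch after any change to the Maximum Processing Attempts or Dangerous Content Scanning settings.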
