Denial Of Service Attack Messages

Jerry Benton jerry.benton at mailborder.com
Fri May 13 19:53:23 UTC 2016


It is possible that the number of files in limits.conf needs to be expanded. If you are already near the system default limit, then a message that requires a number of additional handles open could cause an error. But I am not sure if this is really the case.

I need to see the raw source of a message that caused the problem as well as the portion that MailScanner is removing. 

-
Jerry Benton
www.mailborder.com



> On May 13, 2016, at 2:07 PM, Andy Southgate <andy at z00b.com> wrote:
> 
> Well, in my case the server has an extremely light load, a handful of domains with 5 users total. Fairly high proportion of spam in some cases, but still pretty puny. 
>  
> Server is a low-powered 32GB RAM, 8x Atom core home server, with MailScanner running under a VM and given 3 cores and 8GB RAM, and I’ve certainly never noticed it stressed, but it was a new build with MailScanner 4.85.2 installed. It replaced an old dual-core P4 running an ancient install of MailScanner with the same domain setup fine.
>  
> I’m not sure if one commonality across all of us having the issue is running MailScanner under a VM?
>  
>  
> From: MailScanner [mailto:mailscanner-bounces+andy=z00b.com at lists.mailscanner.info] On Behalf Of Shawn Iverson
> Sent: 13 May 2016 18:27
> To: MailScanner Discussion <mailscanner at lists.mailscanner.info>
> Subject: Re: Denial Of Service Attack Messages
>  
> I have been watching this DoS stuff now for a while.
>  
> I am wondering if this issue is triggered during high load (similar to an actual DoS)
>  
> Would it be possible to set up a MailScanner test environment and do a load bearing test against mailscanner?  Perhaps just an MTA with a script to send massive amounts of mail to a mailscanner instance?
>  
> I want to get to the bottom of this.
>  
>  
>  
> On Fri, May 13, 2016 at 4:22 AM, Michael Böttger <michael.boettger at crossip.net> wrote:
>>  
>> Hello,
>>  
>> we are currently running MailScanner in combination with the following setup:
>>  
>> MailWatch Version:1.2.0 - RC1 DEV
>> MailScanner Version:4.85.2
>> ClamAV Version:0.99.1 
>> SpamAssassin Version:3.4.0 
>> PHP Version:5.4.16
>> MySQL Version:10.0.25-MariaDB-wsrep (3 node cluster)
>> CentOS Linux release 7.2.1511 (Core) 
>> 6 Core Intel(R) Xeon(R) CPU           X5650  @ 2.67GHz
>> virtualized in a Virtuozzo 6.0 CloudServer environment
>>  
>> processing about 20-24000 mails per day and we do get about 30-50 "Denial of Service attack" mails, which are not moved to the quarantine location as advertised in the „disarmed“ mail.
>>  
>> After reading through the mailing list we have set -> Maximum Processing Attempts = 0
>> which also doesn't help, and have disabled -> Dangerous Content Scanning = no
>>  
>> We could only see such messages with the following log entries:
>> May 13 02:30:02 mx01 MailScanner[25323]: Content Checks: Detected and have disarmed KILLED tags in HTML message in D1A4AA0DBC.A33FC from some_address at returns.groups.yahoo.com
>> May 13 02:30:23 mx01 MailScanner[25323]: Content Checks: Detected and have disarmed KILLED tags in HTML message in 11057A0844.AB59A from some_address at coldiretti.it
>> May 13 02:33:04 mx01 MailScanner[25323]: Content Checks: Detected and have disarmed KILLED tags in HTML message in 3E0E2A08D7.AAAA3 from some_address at googlegroups.com
>> May 13 02:42:27 mx01 MailScanner[25323]: Content Checks: Detected and have disarmed KILLED tags in HTML message in CEF30A08AC.AE861 from some_address at csak1utazas.hu
>> May 13 02:53:05 mx01 MailScanner[25323]: Content Checks: Detected and have disarmed KILLED tags in HTML message in 0A11DA0844.ABECC from some_address at coldiretti.it
>> May 13 03:16:25 mx01 MailScanner[25323]: Content Checks: Detected and have disarmed KILLED tags in HTML message in 10455A0844.AF1FC from some_address at paypal.at
>> May 13 03:23:18 mx01 MailScanner[25323]: Content Checks: Detected and have disarmed KILLED tags in HTML message in CC42FA0844.A3738 from some_address at billa.at
>> May 13 03:34:55 mx01 MailScanner[25323]: Content Checks: Detected and have disarmed KILLED tags in HTML message in 6306AA08AC.A8311 from some_address at coldiretti.it
>> May 13 03:37:06 mx01 MailScanner[25323]: Content Checks: Detected and have disarmed KILLED tags in HTML message in BF3ECA08AC.A7E73 from some_address at amazonses.com
>> May 13 03:46:35 mx01 MailScanner[25323]: Content Checks: Detected and have disarmed KILLED tags in HTML message in EAE58A0DBC.A86E2 from some_address at vetmeduni.ac.at
>> May 13 03:57:43 mx01 MailScanner[25323]: Content Checks: Detected and have disarmed KILLED tags in HTML message in 0B375A08AC.AAEB0 from some_address at xing.com
>>  
>> Here are the whole log entries for a particular mail:
>>  
>> May 13 03:46:23 mx01 postfix/smtpd[29099]: EAE58A0DBC: client=mail.meduniwien.ac.at[149.148.224.72]
>> May 13 03:46:23 mx01 postfix/cleanup[29649]: EAE58A0DBC: hold: header Received: from mailfp2.srv.meduniwien.ac.at (mail.meduniwien.ac.at [149.148.224.72])??by mx01.mail.netstorage.at (Postfix) with ESMTPS id EAE58A0DBC??for <some_address at jensen-jarolim.at>; Fri, 13 May 2016 03 from mail.meduniwien.ac.at[149.148.224.72]; from=<some_address at vetmeduni.ac.at> to=<some_address at jensen-jarolim.at> proto=ESMTP helo=<mailfp2.srv.meduniwien.ac.at>
>> May 13 03:46:23 mx01 postfix/cleanup[29649]: EAE58A0DBC: message-id=<8b7eb9021b7f725b13b26feb1fd22385 at mlgns.com>
>> May 13 03:46:23 mx01 postfix/cleanup[29649]: EAE58A0DBC: resent-message-id=<20160513014548.2CFA8EE2DE at mail.vu-wien.ac.at>
>> May 13 03:46:35 mx01 MailScanner[25323]: Content Checks: Detected and have disarmed KILLED tags in HTML message in EAE58A0DBC.A86E2 from some_address at vetmeduni.ac.at
>> May 13 03:46:35 mx01 MailScanner[25323]: Requeue: EAE58A0DBC.A86E2 to D0A8EA15C3
>> May 13 03:46:35 mx01 postfix/qmgr[27970]: D0A8EA15C3: from=<some_address at vetmeduni.ac.at>, size=25282, nrcpt=1 (queue active)
>> May 13 03:46:36 mx01 postfix/smtp[29822]: D0A8EA15C3: to=<some_address at jensen-jarolim.at>, relay=mailfilter01.crossip.net[89.207.144.61]:25, delay=12, delays=11/0.01/0.54/0.23, dsn=2.0.0, status=sent (250 Ok: queued as 3578F5C00D2)
>> May 13 03:46:36 mx01 postfix/qmgr[27970]: D0A8EA15C3: removed
>>  
>>  
>> We have also done the test for missing Perl extensions, and all are present.
>>  
>> We could catch some of these emails and will directly forward them to Jerry Benton
>>  
>> Mit freundlichen Grüßen,
>> With best regards,
>>  
>> Michael Böttger
>>  
>> 
>> 
>> 
>> --
>> MailScanner mailing list
>> mailscanner at lists.mailscanner.info
>> http://lists.mailscanner.info/listinfo/mailscanner
>> 
> 
> 
> 
>  
> -- 
> Shawn Iverson
> Director of Technology
> Rush County Schools
> 765-932-3901 x271
> iversons at rushville.k12.in.us
>  
> 
> 
> 
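The Postfix/MailScanner trail quoted in Michael Böttger's report can be correlated mechanically to show whether each disarmed message was held or handed back to Postfix and relayed onward. This is an added example, not code from the list or from MailScanner; the log lines are constructed after the quoted report (its queue IDs, example addresses), and the "Requeue: <old> to <new>" and "status=sent" correlation is the only assumption about the log format.

```python
import re

# Constructed sample modelled on the Postfix/MailScanner trail quoted above
# (queue IDs from the report, addresses replaced with example domains).
SAMPLE_LOG = """\
May 13 03:46:23 mx01 postfix/smtpd[29099]: EAE58A0DBC: client=mail.example.org[192.0.2.10]
May 13 03:46:35 mx01 MailScanner[25323]: Content Checks: Detected and have disarmed KILLED tags in HTML message in EAE58A0DBC.A86E2 from sender at example.org
May 13 03:46:35 mx01 MailScanner[25323]: Requeue: EAE58A0DBC.A86E2 to D0A8EA15C3
May 13 03:46:35 mx01 postfix/qmgr[27970]: D0A8EA15C3: from=<sender at example.org>, size=25282, nrcpt=1 (queue active)
May 13 03:46:36 mx01 postfix/smtp[29822]: D0A8EA15C3: to=<rcpt at example.net>, relay=filter.example.net[198.51.100.7]:25, delay=12, dsn=2.0.0, status=sent (250 Ok: queued as 3578F5C00D2)
May 13 03:46:36 mx01 postfix/qmgr[27970]: D0A8EA15C3: removed
May 13 03:50:01 mx01 MailScanner[25323]: Content Checks: Detected and have disarmed KILLED tags in HTML message in 11057A0844.AB59A from sender2 at example.com
"""

# MailScanner's own ID is the Postfix queue ID plus a suffix; "Requeue" hands the
# message back to Postfix under a fresh queue ID, which postfix/smtp then logs.
DISARM = re.compile(r"MailScanner\[\d+\]: Content Checks: Detected and have disarmed (?P<what>.+) in (?P<msid>[0-9A-F]+\.[0-9A-F]+) from ")
REQUEUE = re.compile(r"MailScanner\[\d+\]: Requeue: (?P<msid>[0-9A-F]+\.[0-9A-F]+) to (?P<newid>[0-9A-F]+)")
SENT = re.compile(r"postfix/smtp\[\d+\]: (?P<qid>[0-9A-F]+): to=<[^>]*>.*status=(?P<status>\w+)")


def correlate(log_text):
    """Map each disarmed message's original queue ID to what happened to it afterwards."""
    records, requeued_from = {}, {}
    for line in log_text.splitlines():
        if m := DISARM.search(line):
            qid = m["msid"].split(".")[0]          # strip MailScanner's suffix
            records[qid] = {"disarmed": m["what"], "requeued_as": None, "status": None}
        elif m := REQUEUE.search(line):
            qid = m["msid"].split(".")[0]
            if qid in records:
                records[qid]["requeued_as"] = m["newid"]
                requeued_from[m["newid"]] = qid    # new Postfix ID -> original ID
        elif (m := SENT.search(line)) and m["qid"] in requeued_from:
            records[requeued_from[m["qid"]]]["status"] = m["status"]
    return records


def relayed_after_disarm(records):
    """Disarmed messages that were requeued and relayed onward rather than held locally."""
    return sorted(q for q, r in records.items() if r["status"] == "sent")


if __name__ == "__main__":
    recs = correlate(SAMPLE_LOG)
    for qid, rec in recs.items():
        print(qid, rec)
    print("disarmed but relayed:", relayed_after_disarm(recs))
```

A message that shows up in the disarmed list but never gets a Requeue line (the second sample ID) is the one still worth looking for in the quarantine directory.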
