Denial Of Service Attack Messages

[Michael Böttger]

Hello Jerry,

I have checked various limits and could not find any probles, after reenabling „Dangerous Content Scanning“, again some messages got disarmed and were not moved to the quarantine.

I’ll no enable full mail archiving to catch some of the original messages.

this messages work ok:
May 17 18:52:05 mx02 MailScanner[11088]: Content Checks: Fixed awkward MIME boundary for Cyrus IMAP server in 26338A6693.AEBA3

this ones get disarmed but not quarantined:


May 18 02:25:02 mx02 MailScanner[7686]: Content Checks: Detected and have disarmed KILLED tags in HTML message in 66D40A1381.A1920


so imho the problem resides somwehre in the code of „killing HTML tags"

keep you posted.

Mit freundlichen Grüßen,
With best regards,

Michael Böttger
product and strategy management
—
[cid:F3E60DA2-B27B-4CF3-ADA7-24DFFF0034F9]
Besondere Ansprüche. Individuelle Lösungen.
Particular demands. Individual solutions.
crossip communications gmbh
A-1020 Wien, Wohlmutstrasse 27
Sitz der Gesellschaft: 1020 Wien, Österreich
Firmenbuchgericht: Handelsgericht Wien, FN 269698 s, Umsatzsteueridentifikationsnummer (UID): ATU62080367

Haftungsausschluss / Disclaimer: http://www.crossip.net/de/legal/haftungsausschluss-disclaimer<file:///Users/mibo/Documents/%23WORK%23/crossip.net/redir.aspx?C=jZ3Qxp1AeEmJ7BNJzMvkKFjE2w-LvdEI3TVxtTY3tmJvxeHfhTg9FM_3NLuRfbqGG31e0CyIdhQ.&URL=http%3a%2f%2fwww.crossip.net%2fde%2flegal%2fhaftungsausschluss-disclaimer>

Von: Jerry Benton
Antworten an: MailScanner Discussion
Datum: Freitag, 13. Mai 2016 21:53
An: MailScanner Discussion
Betreff: Re: Denial Of Service Attack Messages

It is possible that the number of files in limits.conf needs to be expanded. If you are already near the system default limit, then a message that requires a number of additional handles open could cause an error. But I am not sure if this is really the case.

I need to see the raw source of a message that caused the problem as well as the portion that MailScanner is removing.

-
Jerry Benton
www.mailborder.com<http://www.mailborder.com>



On May 13, 2016, at 2:07 PM, Andy Southgate <andy at z00b.com<mailto:andy at z00b.com>> wrote:

Well in my case the server has an extremely light load, a handful of domains with 5 users total. Fairly high proportion of spam in some cases but still pretty puny.

Server is a low powered 32gb ram, 8x atom core home server, with mailscanner running under a VM and given 3 cores and 8gb ram and I’ve certainly never noticed it stressed but it was a new build with mailscanner 4.85.2 installed. It replaced an old dual core p4 running an ancient install of mailscanner with the same domain setup fine.

I’m not sure if one commonality across all of us having the issue is running mailscanner under a VM?


From: MailScanner [mailto:mailscanner-bounces+andy=z00b.com at lists.mailscanner.info] On Behalf Of Shawn Iverson
Sent: 13 May 2016 18:27
To: MailScanner Discussion <mailscanner at lists.mailscanner.info<mailto:mailscanner at lists.mailscanner.info>>
Subject: Re: Denial Of Service Attack Messages

I have been watching this DoS stuff now for a while.

I am wondering if this issue is triggered during high load (similar to an actual DoS)

Would it be possible to set up a MailScanner test environment and do a load bearing test against mailscanner?  Perhaps just an MTA with a script to send massive amounts of mail to a mailscanner instance?

I want to get to the bottom of this.



On Fri, May 13, 2016 at 4:22 AM, Michael Böttger <michael.boettger at crossip.net<mailto:michael.boettger at crossip.net>> wrote:

Hello,

we are currently running MailScanner in combination with the following setup:

MailWatch Version:1.2.0 - RC1 DEV
MailScanner Version:4.85.2
ClamAV Version:0.99.1
SpamAssassin Version:3.4.0
PHP Version:5.4.16
MySQL Version:10.0.25-MariaDB-wsrep (3 node cluster)
CentOS Linux release 7.2.1511 (Core)
6 Core Intel(R) Xeon(R) CPU           X5650  @ 2.67GHz
virtualiced in a Virtuozzo 6.0 CloudServer environment

processing about 20-24000 mails per day and we do get about 30-50 "Denial of Service attack" mails, which are not moved to the quarantine location as advertised in the „disarmed“ mail.

After reading trough the Maillinglist we have set -> Maximum Processing Attempts = 0
Which also doesnt’help, and have disabled -> Dangerous Content Scanning = no

We could anly see such messages with the following log entries:
May 13 02:30:02 mx01 MailScanner[25323]: Content Checks: Detected and have disarmed KILLED tags in HTML message in D1A4AA0DBC.A33FC from some_address at returns.groups.yahoo.com<mailto:some_address at returns.groups.yahoo.com>
May 13 02:30:23 mx01 MailScanner[25323]: Content Checks: Detected and have disarmed KILLED tags in HTML message in 11057A0844.AB59A from some_address at coldiretti.it<mailto:some_address at coldiretti.it>
May 13 02:33:04 mx01 MailScanner[25323]: Content Checks: Detected and have disarmed KILLED tags in HTML message in 3E0E2A08D7.AAAA3 from some_address at googlegroups.com<mailto:some_address at googlegroups.com>
May 13 02:42:27 mx01 MailScanner[25323]: Content Checks: Detected and have disarmed KILLED tags in HTML message in CEF30A08AC.AE861 from some_address at csak1utazas.hu<mailto:some_address at csak1utazas.hu>
May 13 02:53:05 mx01 MailScanner[25323]: Content Checks: Detected and have disarmed KILLED tags in HTML message in 0A11DA0844.ABECC from some_address at coldiretti.it<mailto:some_address at coldiretti.it>
May 13 03:16:25 mx01 MailScanner[25323]: Content Checks: Detected and have disarmed KILLED tags in HTML message in 10455A0844.AF1FC from some_address at paypal.at<mailto:some_address at paypal.at>
May 13 03:23:18 mx01 MailScanner[25323]: Content Checks: Detected and have disarmed KILLED tags in HTML message in CC42FA0844.A3738 from some_address at billa.at<mailto:some_address at billa.at>
May 13 03:34:55 mx01 MailScanner[25323]: Content Checks: Detected and have disarmed KILLED tags in HTML message in 6306AA08AC.A8311 from some_address at coldiretti.it<mailto:some_address at coldiretti.it>
May 13 03:37:06 mx01 MailScanner[25323]: Content Checks: Detected and have disarmed KILLED tags in HTML message in BF3ECA08AC.A7E73 from some_address at amazonses.com<mailto:some_address at amazonses.com>
May 13 03:46:35 mx01 MailScanner[25323]: Content Checks: Detected and have disarmed KILLED tags in HTML message in EAE58A0DBC.A86E2 from some_address at vetmeduni.ac.at<mailto:some_address at vetmeduni.ac.at>
May 13 03:57:43 mx01 MailScanner[25323]: Content Checks: Detected and have disarmed KILLED tags in HTML message in 0B375A08AC.AAEB0 from some_address at xing.com<mailto:some_address at xing.com>

Here are the whole log entris for a particular mail:

May 13 03:46:23 mx01 postfix/smtpd[29099]: EAE58A0DBC: client=mail.meduniwien.ac.at<http://mail.meduniwien.ac.at/>[149.148.224.72]
May 13 03:46:23 mx01 postfix/cleanup[29649]: EAE58A0DBC: hold: header Received: from mailfp2.srv.meduniwien.ac.at<http://mailfp2.srv.meduniwien.ac.at/>(mail.meduniwien.ac.at<http://mail.meduniwien.ac.at/> [149.148.224.72])??by mx01.mail.netstorage.at<http://mx01.mail.netstorage.at/> (Postfix) with ESMTPS id EAE58A0DBC??for <some_address at jensen-jarolim.at<mailto:some_address at jensen-jarolim.at>>; Fri, 13 May 2016 03 from mail.meduniwien.ac.at<http://mail.meduniwien.ac.at/>[149.148.224.72]; from=<some_address at vetmeduni.ac.at<mailto:some_address at vetmeduni.ac.at>> to=<some_address at jensen-jarolim.at<mailto:some_address at jensen-jarolim.at>> proto=ESMTP helo=<mailfp2.srv.meduniwien.ac.at<http://mailfp2.srv.meduniwien.ac.at/>>
May 13 03:46:23 mx01 postfix/cleanup[29649]: EAE58A0DBC: message-id=<8b7eb9021b7f725b13b26feb1fd22385 at mlgns.com<mailto:8b7eb9021b7f725b13b26feb1fd22385 at mlgns.com>>
May 13 03:46:23 mx01 postfix/cleanup[29649]: EAE58A0DBC: resent-message-id=<20160513014548.2CFA8EE2DE at mail.vu-wien.ac.at<mailto:20160513014548.2CFA8EE2DE at mail.vu-wien.ac.at>>
May 13 03:46:35 mx01 MailScanner[25323]: Content Checks: Detected and have disarmed KILLED tags in HTML message in EAE58A0DBC.A86E2 from some_address at vetmeduni.ac.at<mailto:some_address at vetmeduni.ac.at>
May 13 03:46:35 mx01 MailScanner[25323]: Requeue: EAE58A0DBC.A86E2 to D0A8EA15C3
May 13 03:46:35 mx01 postfix/qmgr[27970]: D0A8EA15C3: from=<some_address at vetmeduni.ac.at<mailto:some_address at vetmeduni.ac.at>>, size=25282, nrcpt=1 (queue active)
May 13 03:46:36 mx01 postfix/smtp[29822]: D0A8EA15C3: to=<some_address at jensen-jarolim.at<mailto:some_address at jensen-jarolim.at>>, relay=mailfilter01.crossip.net<http://mailfilter01.crossip.net/>[89.207.144.61]:25, delay=12, delays=11/0.01/0.54/0.23, dsn=2.0.0, status=sent (250 Ok: queued as 3578F5C00D2)
May 13 03:46:36 mx01 postfix/qmgr[27970]: D0A8EA15C3: removed


We have also done the test for missing Perl extensions, and all are present.

We could catch some of these emails and will directly forward them to Jerry Benton

Mit freundlichen Grüßen,
With best regards,

Michael Böttger




--
MailScanner mailing list
mailscanner at lists.mailscanner.info<mailto:mailscanner at lists.mailscanner.info>
http://lists.mailscanner.info/listinfo/mailscanner




--
Shawn Iverson
Director of Technology
Rush County Schools
765-932-3901 x271
iversons at rushville.k12.in.us<mailto:iversons at rushville.k12.in.us>

[https://docs.google.com/uc?export=download&id=0Bw5iD0ToYvs_UFV2VFdmNG1SaVE&revid=0Bw5iD0ToYvs_U3VaVlpuTFBtak9QZXVRL3FmRUd2d0laTkZRPQ]


--
MailScanner mailing list
mailscanner at lists.mailscanner.info<mailto:mailscanner at lists.mailscanner.info>
http://lists.mailscanner.info/listinfo/mailscanner

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.mailscanner.info/pipermail/mailscanner/attachments/20160518/02fb4bd1/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: logo.2013.11_hori[4][15].png
Type: image/png
Size: 7190 bytes
Desc: logo.2013.11_hori[4][15].png
URL: <http://lists.mailscanner.info/pipermail/mailscanner/attachments/20160518/02fb4bd1/attachment.png>