Denial Of Service Attack Messages

Jerry Benton jerry.benton at mailborder.com
Wed May 18 15:49:57 UTC 2016


Ok, thanks. 

-
Jerry Benton
www.mailborder.com



> On May 18, 2016, at 11:19 AM, Michael Böttger <michael.boettger at crossip.net> wrote:
> 
> Hello Jerry,
> 
> caught about 20 messages now via "Archive Mail". I'll send a complete zip directly to you via wetransfer.com
> 
> With best regards,
>  
> Michael Böttger
> product and strategy management
> Particular demands. Individual solutions.
> crossip communications gmbh
> A-1020 Wien, Wohlmutstrasse 27
> Registered office: 1020 Vienna, Austria
> Commercial register court: Commercial Court of Vienna, FN 269698 s, VAT identification number (UID): ATU62080367
>  
> Disclaimer: http://www.crossip.net/de/legal/haftungsausschluss-disclaimer
> 
> From: Michael Böttger
> Reply to: MailScanner Discussion
> Date: Wednesday, 18 May 2016 09:35
> To: MailScanner Discussion
> Subject: Re: Denial Of Service Attack Messages
> 
> Hello Jerry,
> 
> I have checked various limits and could not find any problems; after re-enabling "Dangerous Content Scanning", again some messages got disarmed and were not moved to the quarantine.
> 
> I'll now enable full mail archiving to catch some of the original messages.
> 
> these messages work ok: 
> May 17 18:52:05 mx02 MailScanner[11088]: Content Checks: Fixed awkward MIME boundary for Cyrus IMAP server in 26338A6693.AEBA3
> 
> these ones get disarmed but not quarantined:
> 
> May 18 02:25:02 mx02 MailScanner[7686]: Content Checks: Detected and have disarmed KILLED tags in HTML message in 66D40A1381.A1920
> 
> so imho the problem resides somewhere in the code of "killing HTML tags"
> 
> keep you posted.
> 
> With best regards,
>  
> Michael Böttger
> product and strategy management
> 
> From: Jerry Benton
> Reply to: MailScanner Discussion
> Date: Friday, 13 May 2016 21:53
> To: MailScanner Discussion
> Subject: Re: Denial Of Service Attack Messages
> 
> It is possible that the number of files in limits.conf needs to be expanded. If you are already near the system default limit, then a message that requires a number of additional handles open could cause an error. But I am not sure if this is really the case.
> 
> I need to see the raw source of a message that caused the problem as well as the portion that MailScanner is removing. 
> 
> -
> Jerry Benton
> www.mailborder.com
> 
> 
> 
>> On May 13, 2016, at 2:07 PM, Andy Southgate <andy at z00b.com> wrote:
>> 
>> Well in my case the server has an extremely light load, a handful of domains with 5 users total. Fairly high proportion of spam in some cases but still pretty puny. 
>>  
>> Server is a low powered 32gb ram, 8x atom core home server, with mailscanner running under a VM and given 3 cores and 8gb ram and I’ve certainly never noticed it stressed but it was a new build with mailscanner 4.85.2 installed. It replaced an old dual core p4 running an ancient install of mailscanner with the same domain setup fine.
>>  
>> I’m not sure if one commonality across all of us having the issue is running mailscanner under a VM?
>>  
>>  
>> From: MailScanner [mailto:mailscanner-bounces+andy=z00b.com at lists.mailscanner.info] On Behalf Of Shawn Iverson
>> Sent: 13 May 2016 18:27
>> To: MailScanner Discussion <mailscanner at lists.mailscanner.info>
>> Subject: Re: Denial Of Service Attack Messages
>>  
>> I have been watching this DoS stuff now for a while.
>>  
>> I am wondering if this issue is triggered during high load (similar to an actual DoS)
>>  
>> Would it be possible to set up a MailScanner test environment and do a load bearing test against mailscanner?  Perhaps just an MTA with a script to send massive amounts of mail to a mailscanner instance?
>>  
>> I want to get to the bottom of this.
>>  
>>  
>>  
>> On Fri, May 13, 2016 at 4:22 AM, Michael Böttger <michael.boettger at crossip.net> wrote:
>>>  
>>> Hello,
>>>  
>>> we are currently running MailScanner in combination with the following setup:
>>>  
>>> MailWatch Version: 1.2.0 - RC1 DEV
>>> MailScanner Version: 4.85.2
>>> ClamAV Version: 0.99.1
>>> SpamAssassin Version: 3.4.0
>>> PHP Version: 5.4.16
>>> MySQL Version: 10.0.25-MariaDB-wsrep (3 node cluster)
>>> CentOS Linux release 7.2.1511 (Core)
>>> 6 Core Intel(R) Xeon(R) CPU X5650 @ 2.67GHz
>>> virtualized in a Virtuozzo 6.0 CloudServer environment
>>>  
>>> processing about 20-24000 mails per day and we do get about 30-50 "Denial of Service attack" mails, which are not moved to the quarantine location as advertised in the "disarmed" mail.
>>>  
>>> After reading through the mailing list we have set -> Maximum Processing Attempts = 0
>>> which also doesn't help, and have disabled -> Dangerous Content Scanning = no
>>>  
>>> We could only see such messages with the following log entries:
>>> May 13 02:30:02 mx01 MailScanner[25323]: Content Checks: Detected and have disarmed KILLED tags in HTML message in D1A4AA0DBC.A33FC from some_address at returns.groups.yahoo.com
>>> May 13 02:30:23 mx01 MailScanner[25323]: Content Checks: Detected and have disarmed KILLED tags in HTML message in 11057A0844.AB59A from some_address at coldiretti.it
>>> May 13 02:33:04 mx01 MailScanner[25323]: Content Checks: Detected and have disarmed KILLED tags in HTML message in 3E0E2A08D7.AAAA3 from some_address at googlegroups.com
>>> May 13 02:42:27 mx01 MailScanner[25323]: Content Checks: Detected and have disarmed KILLED tags in HTML message in CEF30A08AC.AE861 from some_address at csak1utazas.hu
>>> May 13 02:53:05 mx01 MailScanner[25323]: Content Checks: Detected and have disarmed KILLED tags in HTML message in 0A11DA0844.ABECC from some_address at coldiretti.it
>>> May 13 03:16:25 mx01 MailScanner[25323]: Content Checks: Detected and have disarmed KILLED tags in HTML message in 10455A0844.AF1FC from some_address at paypal.at
>>> May 13 03:23:18 mx01 MailScanner[25323]: Content Checks: Detected and have disarmed KILLED tags in HTML message in CC42FA0844.A3738 from some_address at billa.at
>>> May 13 03:34:55 mx01 MailScanner[25323]: Content Checks: Detected and have disarmed KILLED tags in HTML message in 6306AA08AC.A8311 from some_address at coldiretti.it
>>> May 13 03:37:06 mx01 MailScanner[25323]: Content Checks: Detected and have disarmed KILLED tags in HTML message in BF3ECA08AC.A7E73 from some_address at amazonses.com
>>> May 13 03:46:35 mx01 MailScanner[25323]: Content Checks: Detected and have disarmed KILLED tags in HTML message in EAE58A0DBC.A86E2 from some_address at vetmeduni.ac.at
>>> May 13 03:57:43 mx01 MailScanner[25323]: Content Checks: Detected and have disarmed KILLED tags in HTML message in 0B375A08AC.AAEB0 from some_address at xing.com
>>>  
>>> Here are the whole log entries for a particular mail:
>>>  
>>> May 13 03:46:23 mx01 postfix/smtpd[29099]: EAE58A0DBC: client=mail.meduniwien.ac.at[149.148.224.72]
>>> May 13 03:46:23 mx01 postfix/cleanup[29649]: EAE58A0DBC: hold: header Received: from mailfp2.srv.meduniwien.ac.at (mail.meduniwien.ac.at [149.148.224.72])??by mx01.mail.netstorage.at (Postfix) with ESMTPS id EAE58A0DBC??for <some_address at jensen-jarolim.at>; Fri, 13 May 2016 03 from mail.meduniwien.ac.at[149.148.224.72]; from=<some_address at vetmeduni.ac.at> to=<some_address at jensen-jarolim.at> proto=ESMTP helo=<mailfp2.srv.meduniwien.ac.at>
>>> May 13 03:46:23 mx01 postfix/cleanup[29649]: EAE58A0DBC: message-id=<8b7eb9021b7f725b13b26feb1fd22385 at mlgns.com>
>>> May 13 03:46:23 mx01 postfix/cleanup[29649]: EAE58A0DBC: resent-message-id=<20160513014548.2CFA8EE2DE at mail.vu-wien.ac.at>
>>> May 13 03:46:35 mx01 MailScanner[25323]: Content Checks: Detected and have disarmed KILLED tags in HTML message in EAE58A0DBC.A86E2 from some_address at vetmeduni.ac.at
>>> May 13 03:46:35 mx01 MailScanner[25323]: Requeue: EAE58A0DBC.A86E2 to D0A8EA15C3
>>> May 13 03:46:35 mx01 postfix/qmgr[27970]: D0A8EA15C3: from=<some_address at vetmeduni.ac.at>, size=25282, nrcpt=1 (queue active)
>>> May 13 03:46:36 mx01 postfix/smtp[29822]: D0A8EA15C3: to=<some_address at jensen-jarolim.at>, relay=mailfilter01.crossip.net[89.207.144.61]:25, delay=12, delays=11/0.01/0.54/0.23, dsn=2.0.0, status=sent (250 Ok: queued as 3578F5C00D2)
>>> May 13 03:46:36 mx01 postfix/qmgr[27970]: D0A8EA15C3: removed
>>>  
>>>  
>>> We have also done the test for missing Perl extensions, and all are present.
>>>  
>>> We could catch some of these emails and will directly forward them to Jerry Benton
>>>  
>>> With best regards,
>>>  
>>> Michael Böttger
>>>  
>>> 
>>> 
>>> 
>>> --
>>> MailScanner mailing list
>>> mailscanner at lists.mailscanner.info
>>> http://lists.mailscanner.info/listinfo/mailscanner
>>> 
>> 
>> 
>> 
>>  
>> -- 
>> Shawn Iverson
>> Director of Technology
>> Rush County Schools
>> 765-932-3901 x271
>> iversons at rushville.k12.in.us
>>  
>> 
>> 
>> 
> 
> 

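The disarmed-but-not-quarantined pattern Michael describes in the thread can be checked from the logs alone. The following Python script is an added example, not code from the thread or from the MailScanner project: it correlates the MailScanner "Detected and have disarmed" line with the "Requeue:" line and the Postfix delivery line for the new queue id, then reports ids that were delivered although no copy exists in quarantine. The sample log lines are constructed, and the quarantine check assumes you pass in the ids found by listing the quarantine date directory.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set

# Constructed sample lines, modelled on the MailScanner/Postfix syslog entries quoted in the thread.
SAMPLE_LOG = """\
May 13 03:46:35 mx01 MailScanner[25323]: Content Checks: Detected and have disarmed KILLED tags in HTML message in EAE58A0DBC.A86E2 from sender at example.org
May 13 03:46:35 mx01 MailScanner[25323]: Requeue: EAE58A0DBC.A86E2 to D0A8EA15C3
May 13 03:46:36 mx01 postfix/smtp[29822]: D0A8EA15C3: to=<rcpt@example.net>, relay=filter.example.net[192.0.2.20]:25, dsn=2.0.0, status=sent (250 Ok)
May 17 18:52:05 mx02 MailScanner[11088]: Content Checks: Fixed awkward MIME boundary for Cyrus IMAP server in 26338A6693.AEBA3
May 13 04:10:01 mx01 MailScanner[25323]: Content Checks: Detected and have disarmed KILLED tags in HTML message in 11057A0844.AB59A from other at example.com
May 13 04:10:02 mx01 MailScanner[25323]: Requeue: 11057A0844.AB59A to 0F1E2D3C4B
May 13 04:10:03 mx01 postfix/smtp[29822]: 0F1E2D3C4B: to=<rcpt@example.net>, relay=filter.example.net[192.0.2.20]:25, dsn=2.0.0, status=sent (250 Ok)
"""

DISARM_RE = re.compile(r"MailScanner\[\d+\]: Content Checks: Detected and have disarmed "
                       r"(?P<what>.+?) in (?P<id>[0-9A-F]+\.[0-9A-F]+)")
REQUEUE_RE = re.compile(r"MailScanner\[\d+\]: Requeue: (?P<id>[0-9A-F]+\.[0-9A-F]+) to (?P<newid>[0-9A-F]+)")
SENT_RE = re.compile(r"postfix/smtp\[\d+\]: (?P<id>[0-9A-F]+): to=<[^>]*>.*status=sent")

@dataclass
class Disarmed:
    what: str                           # what MailScanner disarmed, e.g. "KILLED tags in HTML message"
    requeued_as: Optional[str] = None   # Postfix queue id after MailScanner handed the message back
    delivered: bool = False             # a postfix/smtp status=sent line was seen for that queue id

def parse_log(lines: Iterable[str]) -> Dict[str, Disarmed]:
    """Correlate disarm -> requeue -> delivery, keyed by the MailScanner message id."""
    msgs: Dict[str, Disarmed] = {}
    for line in lines:
        m = DISARM_RE.search(line)
        if m:
            msgs[m["id"]] = Disarmed(m["what"])
            continue
        m = REQUEUE_RE.search(line)
        if m and m["id"] in msgs:
            msgs[m["id"]].requeued_as = m["newid"]
            continue
        m = SENT_RE.search(line)
        if m:
            for d in msgs.values():
                if d.requeued_as == m["id"]:
                    d.delivered = True
    return msgs

def disarmed_not_quarantined(lines: Iterable[str], quarantined_ids: Set[str]) -> List[str]:
    # quarantined_ids is assumed to come from listing the quarantine date directory,
    # e.g. os.listdir('/var/spool/MailScanner/quarantine/20160513') on the MailScanner host.
    msgs = parse_log(lines)
    return sorted(i for i, d in msgs.items() if d.delivered and i not in quarantined_ids)
```

Run it against the real mail log and the quarantine listing for the same day; every id it returns is a message the recipient received in disarmed form without the original being retained for inspection.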