Denial Of Service Attack Messages

Mark Sapiro mark at msapiro.net
Sat May 21 00:45:18 UTC 2016


On 05/18/2016 12:35 AM, Michael Böttger wrote:
> 
> these ones get disarmed but not quarantined:
> 
> May 18 02:25:02 mx02 MailScanner[7686]: Content Checks: Detected and
> have disarmed KILLED tags in HTML message in 66D40A1381.A1920
> 
> 
> so imho the problem resides somewhere in the code of „killing HTML tags"


I've looked at the code and what's going on is MailScanner forks a
subprocess to actually parse an HTML part and disarm various tags like
web bugs and things it detects as phishing. It then pipes the HTML to
the subprocess and gets its response which is the 'disarmed' part and a
list of the things disarmed.

When it logs 'KILLED' it's because the exit code from the subprocess was
non-zero.

I have run all 22 messages you sent to Jerry via WeTransfer through my
test MailScanner and they all processed normally and logged things like

May 19 16:58:16 msapiro MailScanner[15286]: Content Checks: Detected and
have disarmed phishing, web bug tags in HTML message in AD524A46FC.A1033
from ...

So the issue is something outside of the MailScanner code that's causing
these subprocesses to fail.

I suggest you look at the Message.pm module in your MailScanner
installation. At around line 7026, you should see


    my $report = "MailScanner was attacked by a Denial Of Service
        attack, and has therefore \ndeleted this part of the message. Please
        contact your e-mail providers \nfor more information if you need it,
        giving them the whole of this report.\n";
    my $report2 = MailScanner::Config::LanguageValue(0, 'htmlparserattack');
    $report = $report2 if $report2 && $report2 ne 'htmlparserattack';
    print $outfh $report . "\n\nAttack in: $oldname\n";
    $outfh->close;
    #print STDERR "HTML::Parser was killed by the message, " .
    #             "$newname has been overwritten\n";
    return ('KILLED');
  }

Change the

    return ('KILLED');

line to

    return ('KILLED ' . $PipeReturn);

That will add the subprocess exit code following 'KILLED' in the log
message and may help us understand why the subprocess dies.

-- 
Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
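The fork-and-pipe pattern Mark describes, and the diagnostic value of logging the child's wait status next to 'KILLED', can be seen in a small stand-alone Perl script. This is an added example, not MailScanner's own code: the "disarming" is a constructed stand-in that only neutralises 1x1 images, `disarm_in_subprocess` and `log_line` are hypothetical names, and the `$simulate_crash` switch exists only so the second run shows what a dying child looks like (MailScanner has no such flag). The wait status it keeps plays the role of `$PipeReturn` in Message.pm.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use IO::Handle;

# Flush the parent's STDOUT before forking so children never re-emit
# buffered parent output when they redirect their own STDOUT.
STDOUT->autoflush(1);

# Fork a child that reads HTML from STDIN, "disarms" it and writes the
# result to STDOUT. Returns (disarmed_html, arrayref of things disarmed,
# wait_status). $simulate_crash is a constructed switch for demonstration.
sub disarm_in_subprocess {
    my ($html, $simulate_crash) = @_;

    pipe(my $child_in_r,  my $child_in_w)  or die "pipe: $!";
    pipe(my $child_out_r, my $child_out_w) or die "pipe: $!";

    my $pid = fork();
    die "fork: $!" unless defined $pid;

    if ($pid == 0) {
        # Child: wire the pipes to STDIN/STDOUT, then parse.
        close $child_in_w;
        close $child_out_r;
        open STDIN,  '<&', $child_in_r  or die "dup stdin: $!";
        open STDOUT, '>&', $child_out_w or die "dup stdout: $!";
        exit 3 if $simulate_crash;    # stand-in for a parser that dies

        my $body = do { local $/; <STDIN> };
        my @found;
        # Tiny stand-in for the real content checks: drop 1x1 tracking images.
        if ($body =~ s/<img\b[^>]*\bwidth="1"[^>]*>/<!-- web bug removed -->/gi) {
            push @found, 'web bug';
        }
        print join("\n", @found), "\n---\n", $body;
        exit 0;
    }

    # Parent: feed the HTML, collect the reply, then reap the child.
    close $child_in_r;
    close $child_out_w;
    print {$child_in_w} $html;
    close $child_in_w;                 # EOF for the child
    my $reply = do { local $/; <$child_out_r> };
    close $child_out_r;
    waitpid($pid, 0);
    my $pipe_return = $?;              # raw wait status, like $PipeReturn

    return (undef, [], $pipe_return) if $pipe_return != 0;
    my ($list, $body) = split /\n---\n/, $reply, 2;
    return ($body, [ grep { length } split /\n/, $list ], 0);
}

# Build the syslog-style line. A non-zero wait status yields the KILLED
# form; spelling out exit code and signal is what the suggested one-line
# change to Message.pm makes visible.
sub log_line {
    my ($msgid, $disarmed, $status) = @_;
    if ($status != 0) {
        my ($code, $sig) = ($status >> 8, $status & 127);
        return "Content Checks: Detected and have disarmed KILLED "
             . "exit=$code signal=$sig tags in HTML message in $msgid";
    }
    return "Content Checks: Detected and have disarmed "
         . join(', ', @$disarmed) . " tags in HTML message in $msgid";
}

# Constructed sample message part containing a 1x1 tracking image.
my $html = '<html><body><p>hi</p>'
         . '<img src="http://tracker.example/p.gif" width="1" height="1">'
         . '</body></html>';

for my $crash (0, 1) {
    my ($body, $found, $status) = disarm_in_subprocess($html, $crash);
    print log_line('CONSTRUCTED.MSGID', $found, $status), "\n";
}
```

The first run logs the normal "disarmed web bug tags" line; the second logs "KILLED exit=3 signal=0". Separating `$? >> 8` (exit code) from `$? & 127` (terminating signal) is the useful part when chasing a child that dies outside the parser's own logic, since a signal death (for example from a resource limit) and a deliberate non-zero exit look identical as a bare 'KILLED'.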
