Denial Of Service Attack Messages

Jerry Benton jerry.benton at mailborder.com
Sat May 21 00:51:32 UTC 2016


It might even be a good idea to add that permanently to the source. (Or log it somehow.)

-
Jerry Benton
www.mailborder.com



> On May 20, 2016, at 8:45 PM, Mark Sapiro <mark at msapiro.net> wrote:
> 
> On 05/18/2016 12:35 AM, Michael Böttger wrote:
>> 
>> these ones get disarmed but not quarantined:
>> 
>> May 18 02:25:02 mx02 MailScanner[7686]: Content Checks: Detected and
>> have disarmed KILLED tags in HTML message in 66D40A1381.A1920
>> 
>> 
>> so imho the problem resides somewhere in the code of "killing HTML tags"
> 
> 
> I've looked at the code and what's going on is MailScanner forks a
> subprocess to actually parse an HTML part and disarm various tags like
> web bugs and things it detects as phishing. It then pipes the HTML to
> the subprocess and gets its response which is the 'disarmed' part and a
> list of the things disarmed.
> 
> When it logs 'KILLED' it's because the exit code from the subprocess was
> non zero.
> 
> I have run all 22 messages you sent to Jerry via WeTransfer through my
> test MailScanner and they all processed normally and logged things like
> 
> May 19 16:58:16 msapiro MailScanner[15286]: Content Checks: Detected and
> have disarmed phishing, web bug tags in HTML message in AD524A46FC.A1033
> from ...
> 
> So the issue is something outside of the MailScanner code that's causing
> these subprocesses to fail.
> 
> I suggest you look at the Message.pm module in your MailScanner
> installation. At around line 7026, you should see
> 
> 
>    my $report = "MailScanner was attacked by a Denial Of Service
> attack, and has therefore \ndeleted this part of the message. Please
> contact your e-mail providers \nfor more information if you need it,
> giving them the whole of this report.\n";
>    my $report2 = MailScanner::Config::LanguageValue(0, 'htmlparserattack');
>    $report = $report2 if $report2 && $report2 ne 'htmlparserattack';
>    print $outfh $report . "\n\nAttack in: $oldname\n";
>    $outfh->close;
>    #print STDERR "HTML::Parser was killed by the message, " .
>    #             "$newname has been overwritten\n";
>    return ('KILLED');
>  }
> 
> Change the
> 
>    return ('KILLED');
> 
> line to
> 
>    return ('KILLED ' . $PipeReturn);
> 
> That will add the subprocess exit code following 'KILLED' in the log
> message and may help us understand why the subprocess dies.
> 
> -- 
> Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
> San Francisco Bay Area, California    better use your sense - B. Dylan
> 
> 
> -- 
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/listinfo/mailscanner
> 
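
The fork-and-pipe pattern described in the quoted message, as an added example that is not MailScanner code and not part of the original thread: it shows how a parent can decode a child's wait status so a log line distinguishes a non-zero exit from death by signal. It assumes the value being logged is a raw Perl wait status (`$?`); the thread does not say what `$PipeReturn` holds, and `describe_status`, `run_child` and the sample workers are hypothetical names.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use POSIX ();

# Decode a raw wait status ($?) into text suitable for a log line.
sub describe_status {
    my ($status) = @_;
    return 'ok'          if $status == 0;
    return 'wait failed' if $status == -1;
    my $sig  = $status & 127;                # low 7 bits: terminating signal
    my $core = ($status & 128) ? ' (core dumped)' : '';
    return "signal $sig$core" if $sig;
    return 'exit code ' . ($status >> 8);    # high byte: exit() value
}

# Run $worker in a forked child, collect what it writes to the pipe,
# and return (output, decoded status).
sub run_child {
    my ($worker) = @_;
    pipe(my $rd, my $wr) or die "pipe: $!";
    my $pid = fork();
    die "fork: $!" unless defined $pid;
    if ($pid == 0) {                         # child
        close $rd;
        $worker->($wr);
        close $wr;                           # flushes buffered output
        POSIX::_exit(0);                     # skip END blocks and inherited buffers
    }
    close $wr;                               # parent keeps only the read end
    my $out = do { local $/; <$rd> };
    close $rd;
    waitpid($pid, 0);
    return ($out // '', describe_status($?));
}

# Constructed workers standing in for the HTML-disarming child.
my @cases = (
    [ clean   => sub { my ($fh) = @_; print {$fh} "<p>disarmed</p>\n" } ],
    [ exit3   => sub { POSIX::_exit(3) } ],
    [ sigalrm => sub { alarm 1; sleep 5 } ],
    [ sigkill => sub { kill 'KILL', $$; sleep 5 } ],
);
for my $case (@cases) {
    my ($name, $worker) = @$case;
    my ($out, $why) = run_child($worker);
    printf "%-8s %s\n", $name, $why eq 'ok' ? 'disarmed' : "KILLED $why";
}
```

A signal number in the log points at something outside the parser (a timeout alarm, a resource limit, the kernel), while a plain exit code points at the child's own code path.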


