Denial Of Service Attack Messages
jerry.benton at mailborder.com
Sat May 21 00:51:32 UTC 2016
It might even be a good idea to add that permanently to the source. (Or log it somehow.)
> On May 20, 2016, at 8:45 PM, Mark Sapiro <mark at msapiro.net> wrote:
> On 05/18/2016 12:35 AM, Michael Böttger wrote:
>> these ones get disarmed but not quarantined:
>> May 18 02:25:02 mx02 MailScanner: Content Checks: Detected and
>> have disarmed KILLED tags in HTML message in 66D40A1381.A1920
>> so imho the problem resides somewhere in the code of "killing HTML tags"
> I've looked at the code and what's going on is MailScanner forks a
> subprocess to actually parse an HTML part and disarm various tags like
> web bugs and things it detects as phishing. It then pipes the HTML to
> the subprocess and gets its response which is the 'disarmed' part and a
> list of the things disarmed.
> When it logs 'KILLED' it's because the exit code from the subprocess was
> non zero.
> I have run all 22 messages you sent to Jerry via WeTransfer through my
> test MailScanner and they all processed normally and logged things like
> May 19 16:58:16 msapiro MailScanner: Content Checks: Detected and
> have disarmed phishing, web bug tags in HTML message in AD524A46FC.A1033
> from ...
> So the issue is something outside of the MailScanner code that's causing
> these subprocesses to fail.
> I suggest you look at the Message.pm module in your MailScanner
> installation. At around line 7026, you should see
> my $report = "MailScanner was attacked by a Denial Of Service attack, and has therefore \ndeleted this part of the message. Please contact your e-mail providers \nfor more information if you need it, giving them the whole of this report.\n";
> my $report2 = MailScanner::Config::LanguageValue(0, 'htmlparserattack');
> $report = $report2 if $report2 && $report2 ne 'htmlparserattack';
> print $outfh $report . "\n\nAttack in: $oldname\n";
> #print STDERR "HTML::Parser was killed by the message, " .
> # "$newname has been overwritten\n";
> return ('KILLED');
> Change the
> return ('KILLED');
> line to
> return ('KILLED ' . $PipeReturn);
> That will add the subprocess exit code following 'KILLED' in the log
> message and may help us understand why the subprocess dies.
> Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
> San Francisco Bay Area, California    better use your sense - B. Dylan
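Added example, not part of the original thread and not MailScanner code: a way to read the number that would follow 'KILLED' once the exit code is logged. It assumes $PipeReturn holds the raw wait status Perl stores in $?, which the thread does not confirm. describe_status and run_child are hypothetical helper names, and the child bodies are constructed test cases.

```perl
#!/usr/bin/perl
# Decode a raw wait status, such as the number logged after 'KILLED'.
# Assumption: the logged value is the parent's $? for the HTML parser child.
use strict;
use warnings;
use Config;

my @sig_name = split ' ', $Config{sig_name};    # index = signal number

# Hypothetical helper: turn a raw wait status into a readable cause.
sub describe_status {
    my ($status) = @_;
    return 'could not wait for child' if $status == -1;
    my $signal = $status & 127;    # low 7 bits: terminating signal, 0 if none
    my $core   = $status & 128;    # bit 7: a core file was written
    my $exit   = $status >> 8;     # high byte: value passed to exit()
    return "exited with code $exit" unless $signal;
    my $name = $sig_name[$signal] // '?';
    return "killed by signal $signal (SIG$name)" . ($core ? ', core dumped' : '');
}

# Fork a child, run $body in it, and return the raw status seen by the parent.
sub run_child {
    my ($body) = @_;
    my $pid = fork();
    die "fork failed: $!" unless defined $pid;
    if ($pid == 0) { $body->(); exit 0; }
    waitpid($pid, 0);
    return $?;
}

# Constructed cases: a clean exit, an error exit, and two signal deaths
# (SIGKILL is what a kernel OOM kill looks like, SIGALRM an unhandled timeout).
my @cases = (
    [ 'clean exit'  => sub { exit 0 } ],
    [ 'exit code 2' => sub { exit 2 } ],
    [ 'SIGKILL'     => sub { kill 'KILL', $$; sleep 5 } ],
    [ 'SIGALRM'     => sub { kill 'ALRM', $$; sleep 5 } ],
);
for my $case (@cases) {
    my ($label, $body) = @$case;
    my $status = run_child($body);
    printf "%-12s raw=%-5d %s\n", $label, $status, describe_status($status);
}
```

A raw value below 128 therefore means the subprocess died from a signal, while a multiple of 256 means it called exit() with a non-zero code.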