Denial Of Service Attack Messages

Andrew Southgate andy at z00b.com
Mon May 23 08:00:28 UTC 2016


> So the issue is something outside of the MailScanner code that's causing
these subprocesses to fail.

That makes sense with my experience. I have found that if I try to re-send a
failed message enough times, eventually it gets through; sometimes it's the
second attempt, others might be 4 or 5 attempts. I don't think the message
contents actually matter other than possibly some kind of minimum complexity
required.

I've made the change suggested; I've also added $PipeReturn to $report since
it's usually easier for me to see the email than go hunt logs. Does
MailScanner need to be restarted after editing these files to see the changes?


-----Original Message-----
From: MailScanner
[mailto:mailscanner-bounces+andy=z00b.com at lists.mailscanner.info] On Behalf
Of Mark Sapiro
Sent: 21 May 2016 01:45
To: mailscanner at lists.mailscanner.info
Subject: Re: Denial Of Service Attack Messages

On 05/18/2016 12:35 AM, Michael Böttger wrote:
> 
> this ones get disarmed but not quarantined:
> 
> May 18 02:25:02 mx02 MailScanner[7686]: Content Checks: Detected and 
> have disarmed KILLED tags in HTML message in 66D40A1381.A1920
> 
> 
> so imho the problem resides somewhere in the code of "killing HTML tags"


I've looked at the code and what's going on is MailScanner forks a subprocess
to actually parse an HTML part and disarm various tags like web bugs and
things it detects as phishing. It then pipes the HTML to the subprocess and
gets its response, which is the 'disarmed' part and a list of the things
disarmed.

When it logs 'KILLED' it's because the exit code from the subprocess was
non-zero.

I have run all 22 messages you sent to Jerry via WeTransfer through my test
MailScanner and they all processed normally and logged things like

May 19 16:58:16 msapiro MailScanner[15286]: Content Checks: Detected and
have disarmed phishing, web bug tags in HTML message in AD524A46FC.A1033
from ...

So the issue is something outside of the MailScanner code that's causing
these subprocesses to fail.

I suggest you look at the Message.pm module in your MailScanner
installation. At around line 7026, you should see


    my $report = "MailScanner was attacked by a Denial Of Service attack,
and has therefore \ndeleted this part of the message. Please contact your
e-mail providers \nfor more information if you need it, giving them the
whole of this report.\n";
    my $report2 = MailScanner::Config::LanguageValue(0, 'htmlparserattack');
    $report = $report2 if $report2 && $report2 ne 'htmlparserattack';
    print $outfh $report . "\n\nAttack in: $oldname\n";
    $outfh->close;
    #print STDERR "HTML::Parser was killed by the message, " .
    #             "$newname has been overwritten\n";
    return ('KILLED');
  }

Change the

    return ('KILLED');

line to

    return ('KILLED ' . $PipeReturn);

That will add the subprocess exit code following 'KILLED' in the log message
and may help us understand why the subprocess dies.

-- 
Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan


--
MailScanner mailing list
mailscanner at lists.mailscanner.info
http://lists.mailscanner.info/listinfo/mailscanner
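The fork-and-pipe arrangement Mark describes, and the suggested 'KILLED ' . $PipeReturn log line, are easier to interpret with a small stand-alone model of the same mechanism. The following is an added example written for this page, not MailScanner's own code: a parent pipes an HTML part to a child that stands in for the HTML parser, waits for it, and reports the raw wait status. It assumes (this is an assumption, not something the thread confirms) that MailScanner's $PipeReturn holds Perl's raw $? wait status, which packs the exit code into the high byte and a terminating signal into the low bits. That packing is the caveat worth knowing when reading the new log line: a child that calls exit(3) shows up as 768, while one killed by SIGKILL (for example by the kernel OOM killer) shows up as 9, so decoding the value tells you whether the parser failed on its own or something outside it killed it. The 'ok' / 'die' / 'sigkill' knob and the sample HTML are constructed for the demonstration.

```perl
#!/usr/bin/perl
# Added example, not MailScanner code: model the fork/pipe/exit-status
# path described in the thread and decode the raw wait status for logging.
use strict;
use warnings;
use POSIX qw(WIFEXITED WEXITSTATUS WIFSIGNALED WTERMSIG);

# Turn a raw wait status (Perl's $? after waitpid/close) into readable text.
# Assumption: MailScanner's $PipeReturn carries this same raw value.
sub describe_status {
    my ($status) = @_;
    return "exit code " . WEXITSTATUS($status) if WIFEXITED($status);
    return "killed by signal " . WTERMSIG($status) if WIFSIGNALED($status);
    return "raw status $status";
}

# Pipe $html to a child standing in for the HTML parser and return a
# report string. $behaviour is a constructed knob for the demo:
#   'ok'      - child reads the part, "disarms" it and exits 0
#   'die'     - child exits with code 3 (parser failure of its own)
#   'sigkill' - child is killed by SIGKILL (something outside the parser)
sub run_parser_child {
    my ($html, $behaviour) = @_;
    pipe(my $rd, my $wr) or die "pipe: $!";
    my $pid = fork();
    die "fork: $!" unless defined $pid;

    if ($pid == 0) {                      # child: read the whole part from the pipe
        close $wr;
        local $/;                         # slurp mode
        my $input = <$rd>;
        close $rd;
        exit 3 if $behaviour eq 'die';
        kill 'KILL', $$ if $behaviour eq 'sigkill';
        # Stand-in for the real disarming: count the tags it would have touched.
        my $tags = () = $input =~ /<[^>]+>/g;
        print "child: disarmed $tags tag(s)\n";
        exit 0;
    }

    # parent: hand the HTML to the child, close our end so it sees EOF, wait.
    close $rd;
    print $wr $html;
    close $wr;
    waitpid($pid, 0);
    my $PipeReturn = $?;                  # raw wait status, as the thread's patch would log it

    return 'KILLED ' . $PipeReturn . ' (' . describe_status($PipeReturn) . ')'
        if $PipeReturn != 0;
    return 'OK';
}

# Constructed sample part: a one-pixel image of the kind the thread calls a web bug.
my $html = '<html><body><img src="http://example.invalid/bug.gif" width=1 height=1></body></html>';

for my $behaviour (qw(ok die sigkill)) {
    print "$behaviour: ", run_parser_child($html, $behaviour), "\n";
}
```

When reading the real log line after Mark's change, apply the same decoding to the number following KILLED: a multiple of 256 means the parser exited on its own with that value divided by 256, a small value below 128 means it died on that signal, which is the distinction needed to decide whether to look at the message content or at whatever on the host is killing processes.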
