Denial Of Service Attack Messages
Jerry Benton
jerry.benton at mailborder.com
Mon May 23 08:15:40 UTC 2016
Yes it would. The changes are included in MailScanner v5.0.1-2.
-
Jerry Benton
www.mailborder.com
> On May 23, 2016, at 4:00 AM, Andrew Southgate <andy at z00b.com> wrote:
>
>> So the issue is something outside of the MailScanner code that's causing
>> these subprocesses to fail.
>
> That makes sense with my experience. I have found that if I try to re-send a
> failed message enough times, eventually it gets through; sometimes it's the
> second attempt, others might be 4 or 5 attempts. I don't think the message
> contents actually matter other than possibly some kind of minimum complexity
> required.
>
> I've made the change suggested. I've also added $PipeReturn to $report since
> it's usually easier for me to see the email than go hunt logs. Does
> MailScanner need restarted after editing these files to see the changes?
>
>
> -----Original Message-----
> From: MailScanner
> [mailto:mailscanner-bounces+andy=z00b.com at lists.mailscanner.info] On Behalf
> Of Mark Sapiro
> Sent: 21 May 2016 01:45
> To: mailscanner at lists.mailscanner.info
> Subject: Re: Denial Of Service Attack Messages
>
> On 05/18/2016 12:35 AM, Michael Böttger wrote:
>>
>> these ones get disarmed but not quarantined:
>>
>> May 18 02:25:02 mx02 MailScanner[7686]: Content Checks: Detected and
>> have disarmed KILLED tags in HTML message in 66D40A1381.A1920
>>
>>
>> so imho the problem resides somewhere in the code of "killing HTML tags"
>
>
> I've looked at the code and what's going on is MailScanner forks a subprocess
> to actually parse an HTML part and disarm various tags like web bugs and
> things it detects as phishing. It then pipes the HTML to the subprocess and
> gets its response which is the 'disarmed' part and a list of the things
> disarmed.
>
> When it logs 'KILLED' it's because the exit code from the subprocess was
> non-zero.
>
> I have run all 22 messages you sent to Jerry via WeTransfer through my test
> MailScanner and they all processed normally and logged things like
>
> May 19 16:58:16 msapiro MailScanner[15286]: Content Checks: Detected and
> have disarmed phishing, web bug tags in HTML message in AD524A46FC.A1033
> from ...
>
> So the issue is something outside of the MailScanner code that's causing
> these subprocesses to fail.
>
> I suggest you look at the Message.pm module in your MailScanner
> installation. At around line 7026, you should see
>
>
> my $report = "MailScanner was attacked by a Denial Of Service attack,
> and has therefore \ndeleted this part of the message. Please contact your
> e-mail providers \nfor more information if you need it, giving them the
> whole of this report.\n";
> my $report2 = MailScanner::Config::LanguageValue(0, 'htmlparserattack');
> $report = $report2 if $report2 && $report2 ne 'htmlparserattack';
> print $outfh $report . "\n\nAttack in: $oldname\n";
> $outfh->close;
> #print STDERR "HTML::Parser was killed by the message, " .
> # "$newname has been overwritten\n";
> return ('KILLED');
> }
>
> Change the
>
> return ('KILLED');
>
> line to
>
> return ('KILLED ' . $PipeReturn);
>
> That will add the subprocess exit code following 'KILLED' in the log message
> and may help us understand why the subprocess dies.
>
> --
> Mark Sapiro <mark at msapiro.net> The highway is for gamblers,
> San Francisco Bay Area, California better use your sense - B. Dylan
>
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/listinfo/mailscanner
>
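For reading the number that the suggested change puts after 'KILLED' in the log, here is an added example (not part of the thread and not MailScanner code) that forks children which fail in different ways and decodes the resulting status. It assumes the logged value is a raw Perl wait status as found in `$?`; the thread does not say how `$PipeReturn` is populated, and `decode_status` and `run_child` are hypothetical helper names.

```perl
#!/usr/bin/perl
# Added example, not MailScanner code: tell "child exited with an error"
# apart from "child was killed by a signal" using the raw wait status.
use strict;
use warnings;

$| = 1;    # unbuffered STDOUT so forked children never re-flush parent output

# Split a 16-bit wait status, as Perl leaves it in $?, into its parts.
sub decode_status {
    my ($status) = @_;
    return {
        exit_code => $status >> 8,               # value the child passed to exit()
        signal    => $status & 127,              # non-zero if a signal ended it
        core_dump => ($status & 128) ? 1 : 0,    # set if a core file was written
    };
}

# Fork a child, run $child_code in it, and return the raw wait status.
sub run_child {
    my ($child_code) = @_;
    my $pid = fork();
    die "fork failed: $!" unless defined $pid;
    if ($pid == 0) {
        $child_code->();
        exit 0;
    }
    waitpid($pid, 0);
    return $?;
}

# Constructed cases: a clean exit, an error exit, and death by signal.
my %cases = (
    'clean exit'     => sub { exit 0 },
    'exit(2)'        => sub { exit 2 },
    'killed by KILL' => sub { kill 'KILL', $$; sleep 5 },
);

for my $name (sort keys %cases) {
    my $status = run_child($cases{$name});
    my $d      = decode_status($status);
    printf "%-15s raw=%-5d exit=%d signal=%d core=%d\n",
        $name, $status, $d->{exit_code}, $d->{signal}, $d->{core_dump};
}
```

A status with a non-zero signal field and an exit code of 0 means the child was terminated from outside rather than returning an error itself.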