Denial Of Service Attack Messages

Steven Jardine steve at mjnservices.com
Tue May 24 20:05:36 UTC 2016


OK.  So after upgrading to 5.0.1-2 I am still getting these messages and 
they aren't showing up in any queue.

Here is the relevant portion of the log:

May 24 13:12:30 mail MailScanner[13527]: New Batch: Scanning 1 messages, 3939 bytes
May 24 13:12:30 mail MailScanner[13527]: Archived message u4OJCTNp012856 to mbox file [REMOVED]
May 24 13:12:30 mail MailScanner[13527]: Archived message u4OJCTNp012856 to mbox file [REMOVED]
May 24 13:12:30 mail MailScanner[13527]: Saved archive copies of u4OJCTNp012856
May 24 13:12:30 mail MailScanner[13527]: Virus and Content Scanning: Starting
May 24 13:12:31 mail MailScanner[13527]: Expired 1 records from the SpamAssassin cache
May 24 13:12:39 mail MailScanner[13527]: HTML disarming died, status = 13
May 24 13:12:39 mail MailScanner[13527]: Content Checks: Detected and have disarmed KILLED tags in HTML message in u4OJCTNp012856 from [REMOVED]
May 24 13:12:39 mail MailScanner[13527]: Uninfected: Delivered 1 messages

Thanks!

Steven Jardine
Vice President
MJN Services, Inc.
801-705-9030 x102

On 05/23/2016 02:15 AM, Jerry Benton wrote:
> Yes it would. The changes are included in MailScanner v5.0.1-2.
>
>
> -
> Jerry Benton
> www.mailborder.com
>
>
>
>> On May 23, 2016, at 4:00 AM, Andrew Southgate <andy at z00b.com> wrote:
>>
>>> So the issue is something outside of the MailScanner code that's causing
>> these subprocesses to fail.
>>
>> That makes sense with my experience, I have found that if I try to re-send a
>> failed message enough times, eventually it gets through, sometimes it's the
>> second attempt, others might be 4 or 5 attempts. I don't think the message
>> contents actually matter other than possibly some kind of minimum complexity
>> required.
>>
>> I've made the change suggested, I've also added $PipeReturn to $report since
>> it's usually easier for me to see the email than go hunt logs, does
>> MailScanner need restarted after editing these files to see the changes?
>>
>>
>> -----Original Message-----
>> From: MailScanner
>> [mailto:mailscanner-bounces+andy=z00b.com at lists.mailscanner.info] On Behalf
>> Of Mark Sapiro
>> Sent: 21 May 2016 01:45
>> To: mailscanner at lists.mailscanner.info
>> Subject: Re: Denial Of Service Attack Messages
>>
>> On 05/18/2016 12:35 AM, Michael Böttger wrote:
>>> these ones get disarmed but not quarantined:
>>>
>>> May 18 02:25:02 mx02 MailScanner[7686]: Content Checks: Detected and
>>> have disarmed KILLED tags in HTML message in 66D40A1381.A1920
>>>
>>>
>>> so imho the problem resides somewhere in the code of "killing HTML tags"
>>
>> I've looked at the code and what's going on is MailScanner forks a subprocess
>> to actually parse an HTML part and disarm various tags like web bugs and
>> things it detects as phishing. It then pipes the HTML to the subprocess and
>> gets its response which is the 'disarmed' part and a list of the things
>> disarmed.
>>
>> When it logs 'KILLED' it's because the exit code from the subprocess was
>> non-zero.
>>
>> I have run all 22 messages you sent to Jerry via WeTransfer through my test
>> MailScanner and they all processed normally and logged things like
>>
>> May 19 16:58:16 msapiro MailScanner[15286]: Content Checks: Detected and
>> have disarmed phishing, web bug tags in HTML message in AD524A46FC.A1033
>> from ...
>>
>> So the issue is something outside of the MailScanner code that's causing
>> these subprocesses to fail.
>>
>> I suggest you look at the Message.pm module in your MailScanner
>> installation. At around line 7026, you should see
>>
>>
>>     my $report = "MailScanner was attacked by a Denial Of Service attack, and has therefore \ndeleted this part of the message. Please contact your e-mail providers \nfor more information if you need it, giving them the whole of this report.\n";
>>     my $report2 = MailScanner::Config::LanguageValue(0, 'htmlparserattack');
>>     $report = $report2 if $report2 && $report2 ne 'htmlparserattack';
>>     print $outfh $report . "\n\nAttack in: $oldname\n";
>>     $outfh->close;
>>     #print STDERR "HTML::Parser was killed by the message, " .
>>     #             "$newname has been overwritten\n";
>>     return ('KILLED');
>>   }
>>
>> Change the
>>
>>     return ('KILLED');
>>
>> line to
>>
>>     return ('KILLED ' . $PipeReturn);
>>
>> That will add the subprocess exit code following 'KILLED' in the log message
>> and may help us understand why the subprocess dies.
>>
>> -- 
>> Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
>> San Francisco Bay Area, California    better use your sense - B. Dylan
>>
>>
>> --
>> MailScanner mailing list
>> mailscanner at lists.mailscanner.info
>> http://lists.mailscanner.info/listinfo/mailscanner
>
>
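
Added example, not part of the thread or of MailScanner's own code: a small log triage script that pairs each "HTML disarming died, status = N" line with the message the same MailScanner PID then reports as KILLED, and decodes the status. It assumes the logged number is a raw POSIX wait status (the value Perl keeps in `$?`), which the thread does not confirm; the sample input is the log excerpt from the message above with the wrapped lines rejoined.

```python
import re
import signal

# Log excerpt from the message above, wrapped lines rejoined.
SAMPLE_LOG = """\
May 24 13:12:30 mail MailScanner[13527]: Virus and Content Scanning: Starting
May 24 13:12:31 mail MailScanner[13527]: Expired 1 records from the SpamAssassin cache
May 24 13:12:39 mail MailScanner[13527]: HTML disarming died, status = 13
May 24 13:12:39 mail MailScanner[13527]: Content Checks: Detected and have disarmed KILLED tags in HTML message in u4OJCTNp012856 from [REMOVED]
May 24 13:12:39 mail MailScanner[13527]: Uninfected: Delivered 1 messages
"""

DIED = re.compile(r"MailScanner\[(\d+)\]: HTML disarming died, status = (\d+)")
KILLED = re.compile(
    r"MailScanner\[(\d+)\]: Content Checks: .*disarmed KILLED\b.* in HTML message in (\S+)"
)

def decode_wait_status(status):
    """Split a 16-bit wait status: low 7 bits = signal, bit 7 = core, high byte = exit code.
    ASSUMPTION: the logged value is a raw wait status, not an already-shifted exit code."""
    sig = status & 0x7F
    if sig:
        try:
            name = signal.Signals(sig).name
        except ValueError:
            name = f"signal {sig}"
        return f"killed by {name}" + (" (core dumped)" if status & 0x80 else "")
    return f"exited with code {status >> 8}"

def triage(log_text):
    """Return (message id, raw status, decoded meaning) for each failed disarm."""
    pending = {}   # MailScanner child PID -> raw status awaiting its KILLED line
    findings = []
    for line in log_text.splitlines():
        m = DIED.search(line)
        if m:
            pending[m.group(1)] = int(m.group(2))
            continue
        m = KILLED.search(line)
        if m and m.group(1) in pending:
            status = pending.pop(m.group(1))
            findings.append((m.group(2), status, decode_wait_status(status)))
    return findings

if __name__ == "__main__":
    for msg_id, status, meaning in triage(SAMPLE_LOG):
        print(f"{msg_id}: status={status} -> {meaning}")
```

Under the stated assumption a status of 13 decodes as death by signal, while an exit code of 13 would appear as 3328 in a raw wait status, so the two cases are distinguishable once the raw value is logged.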


