Denial Of Service Attack Messages
Mark Sapiro
mark at msapiro.net
Tue May 24 20:59:48 UTC 2016
On 05/24/2016 01:05 PM, Steven Jardine wrote:
> OK. So after upgrading to 5.0.1-2 I am still getting these messages and
> they aren't showing up in any queue.
>
> Here is the relevant portion of the log:
>
> May 24 13:12:30 mail MailScanner[13527]: New Batch: Scanning 1 messages,
> 3939 bytes
> May 24 13:12:30 mail MailScanner[13527]: Archived message u4OJCTNp012856
> to mbox file [REMOVED]
> May 24 13:12:30 mail MailScanner[13527]: Archived message u4OJCTNp012856
> to mbox file [REMOVED]
> May 24 13:12:30 mail MailScanner[13527]: Saved archive copies of
> u4OJCTNp012856
> May 24 13:12:30 mail MailScanner[13527]: Virus and Content Scanning:
> Starting
> May 24 13:12:31 mail MailScanner[13527]: Expired 1 records from the
> SpamAssassin cache
> May 24 13:12:39 mail MailScanner[13527]: HTML disarming died, status = 13
> May 24 13:12:39 mail MailScanner[13527]: Content Checks: Detected and
> have disarmed KILLED tags in HTML message in u4OJCTNp012856 from [REMOVED]
> May 24 13:12:39 mail MailScanner[13527]: Uninfected: Delivered 1 messages
Does this occur with every message that contains a text/html part or
only occasionally?

The status = 13 is a permission denied error. It is hard to see how this
is occurring because all the child does is read and parse the original
html which was written by the parent and write the disarmed html to a
new file, and pipe some results back to the parent.

If there are problems opening either the original file or the new file,
these are logged with messages like

    Could not create disarmed HTML file <name>

and

    HTML disarming, can't open file <name>: <status>

which we don't see here, and the pipe was created in the parent, and if
the parent can't create the pipe, it logs a message and dies without
ever forking the child.

That said, if this is a consistent rather than intermittent problem,
there may be some issue with permissions or security policies (SELinux,
apparmor, etc.) with /var/spool/MailScanner/incoming/ or ?

--
Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan