Denial Of Service Attack Messages

Steven Jardine steve at mjnservices.com
Tue May 24 21:27:58 UTC 2016


I would say that 25% of the disarm messages were

Content Checks: Detected and have disarmed KILLED tags in HTML message...

and they produced the Denial Of Service Attack messages.

The others look like this:

Content Checks: Detected and have disarmed phishing tags in HTML message ...

I have no idea why there would be any kind of permission error.  If my 
permissions weren't set right I would be having all kinds of errors, right?

Thanks!
Steve



On 05/24/2016 02:59 PM, Mark Sapiro wrote:
> On 05/24/2016 01:05 PM, Steven Jardine wrote:
>> OK.  So after upgrading to 5.0.1-2 I am still getting these messages and
>> they aren't showing up in any queue.
>>
>> Here is the relevant portion of the log:
>>
>> May 24 13:12:30 mail MailScanner[13527]: New Batch: Scanning 1 messages,
>> 3939 bytes
>> May 24 13:12:30 mail MailScanner[13527]: Archived message u4OJCTNp012856
>> to mbox file [REMOVED]
>> May 24 13:12:30 mail MailScanner[13527]: Archived message u4OJCTNp012856
>> to mbox file [REMOVED]
>> May 24 13:12:30 mail MailScanner[13527]: Saved archive copies of
>> u4OJCTNp012856
>> May 24 13:12:30 mail MailScanner[13527]: Virus and Content Scanning:
>> Starting
>> May 24 13:12:31 mail MailScanner[13527]: Expired 1 records from the
>> SpamAssassin cache
>> May 24 13:12:39 mail MailScanner[13527]: HTML disarming died, status = 13
>> May 24 13:12:39 mail MailScanner[13527]: Content Checks: Detected and
>> have disarmed KILLED tags in HTML message in u4OJCTNp012856 from [REMOVED]
>> May 24 13:12:39 mail MailScanner[13527]: Uninfected: Delivered 1 messages
>
> Does this occur with every message that contains a text/html part or
> only occasionally?
>
> The status = 13 is a permission denied error. It is hard to see how this
> is occurring because all the child does is read and parse the original
> html which was written by the parent and write the disarmed html to a
> new file, and pipe some results back to the parent.
>
> If there are problems opening either the original file or the new file,
> these are logged with messages like
>
> Could not create disarmed HTML file <name>
> and
> HTML disarming, can't open file <name>: <status>
>
> which we don't see here, and the pipe was created in the parent, and if
> the parent can't create the pipe, it logs a message and dies without
> ever forking the child.
>
> That said, if this is a consistent rather than intermittent problem,
> there may be some issue with permissions or security policies (SELinux,
> apparmor, etc.) with /var/spool/MailScanner/incoming/ or ?
>
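
The Python example below is added here; it is not from either poster or from MailScanner. It pairs each "HTML disarming died" record with the KILLED-tags report from the same child PID, tallies disarm reports by tag type, and decodes the status as an errno value, following the reading in the quoted reply. The sample log is constructed in the format of the excerpt above; the function name `triage` and the two extra message ids are hypothetical.

```python
import errno
import re
from collections import Counter

# Constructed sample in the format of the log excerpt quoted above (one syslog
# record per line; PID 13530 and the two EXAMPLE message ids are made up).
SAMPLE_LOG = """\
May 24 13:12:39 mail MailScanner[13527]: HTML disarming died, status = 13
May 24 13:12:39 mail MailScanner[13527]: Content Checks: Detected and have disarmed KILLED tags in HTML message in u4OJCTNp012856 from [REMOVED]
May 24 13:14:02 mail MailScanner[13530]: Content Checks: Detected and have disarmed phishing tags in HTML message in u4OJEXAMPLE0001 from [REMOVED]
May 24 13:15:10 mail MailScanner[13527]: HTML disarming died, status = 13
May 24 13:15:11 mail MailScanner[13527]: Content Checks: Detected and have disarmed KILLED tags in HTML message in u4OJEXAMPLE0002 from [REMOVED]
"""

RECORD = re.compile(r"MailScanner\[(?P<pid>\d+)\]: (?P<msg>.*)$")
DIED = re.compile(r"HTML disarming died, status = (?P<status>\d+)")
DISARMED = re.compile(r"have disarmed (?P<tags>.+?) tags in HTML message in (?P<id>\S+)")


def triage(log_text):
    """Tally disarm reports by tag and tie each KILLED report to the child status."""
    pending = {}   # pid -> status from the latest "died" record not yet matched
    tags = Counter()
    killed = []    # (message id, status, errno name or None)
    for line in log_text.splitlines():
        rec = RECORD.search(line)
        if not rec:
            continue
        pid, msg = rec["pid"], rec["msg"]
        died = DIED.search(msg)
        if died:
            pending[pid] = int(died["status"])
            continue
        dis = DISARMED.search(msg)
        if dis:
            tags[dis["tags"]] += 1
            if dis["tags"] == "KILLED":
                status = pending.pop(pid, None)
                # Assumption: status is an errno value, as the reply reads it.
                killed.append((dis["id"], status, errno.errorcode.get(status)))
    return tags, killed


if __name__ == "__main__":
    tags, killed = triage(SAMPLE_LOG)
    print(dict(tags))
    for msg_id, status, name in killed:
        print(msg_id, status, name)
```

A KILLED report with no preceding "died" record from the same PID comes back with status `None`, which separates child crashes from other causes of the KILLED tag.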


