Denial Of Service attack

Mark Sapiro mark at msapiro.net
Tue Aug 8 19:18:55 UTC 2017


On 08/08/2017 11:30 AM, Jason Voorhees wrote:
> 
> $ ls -ld /var/spool/MailScanner
> drwxr-xr-x 5 root root 75 Jul 27 11:53 /var/spool/MailScanner/


Have you tried

chown postfix:postfix /var/spool/MailScanner


> $ ls -ld /var/run/clamd.scan/
> drwx--x--- 2 postfix postfix 80 Aug  8 13:09 /var/run/clamd.scan/
> 
> $ ls -l /var/spool/MailScanner/
> total 0
> drwxrwxr-x  2 postfix postfix   6 Aug 14  2016 archive
> drwxrwx--- 17 postfix postfix 380 Aug  8 13:23 incoming
> lrwxrwxrwx  1 root    root     28 Jul 27 11:53 quarantine -> /opt/MailScanner/quarantine/
> drwxrwxr-x  4 postfix postfix  82 Jul 15 11:01 spamassassin


What is the ownership and permissions on /opt/MailScanner/quarantine/ ?


> How can I modify/patch some MailScanner code to show some debug lines
> when this problem occurs? I even think this is not a SELinux,
> ownership nor permissions problem... :(


What exactly are you seeing? Are you seeing the message

> MailScanner was attacked by a Denial Of Service attack, and has therefore
> deleted this part of the message. Please contact your e-mail providers
> for more information if you need it, giving them the whole of this report.

in delivered emails? If so, there should be a message from MailScanner

> HTML disarming died, status = sss

in the system mail.log giving the reason why the forked disarming
process died. (These messages come from
/usr/share/MailScanner/perl/MailScanner/Message.pm around lines 7029-7037.)

If you are seeing "Virus Scanning: Denial Of Service attack ..." log
messages, look at
/usr/share/MailScanner/perl/MailScanner/SweepViruses.pm around lines
480-520. These messages indicate clamd timed out.

-- 
Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
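
The triage described in the message above, as an added example that is not part of the original post and is not MailScanner code: it separates the two log messages quoted in the reply and reports the ownership and mode of a path with symlinks followed, which is what the question about the quarantine link needs. The function names, host name, PIDs and status value are assumptions, the sample log lines are constructed, and GNU coreutils `stat` is assumed.

```shell
#!/bin/sh
# Added example, not MailScanner code. Log lines below are constructed;
# only the two message texts are taken from the post.

sample_log() {
cat <<'EOF'
Aug  8 13:23:01 mx MailScanner[1234]: HTML disarming died, status = 9
Aug  8 13:24:10 mx MailScanner[1240]: Virus Scanning: Denial Of Service attack ...
Aug  8 13:24:11 mx postfix/smtpd[900]: connect from unknown[192.0.2.10]
Aug  8 13:25:42 mx MailScanner[1240]: Virus Scanning: Denial Of Service attack ...
EOF
}

# classify_line LINE -> disarm | clamd-timeout | other
classify_line() {
    case "$1" in
        *"HTML disarming died, status = "*)           echo disarm ;;
        *"Virus Scanning: Denial Of Service attack"*) echo clamd-timeout ;;
        *)                                            echo other ;;
    esac
}

# triage_log FILE -> "disarm=N clamd-timeout=M"
triage_log() {
    n_disarm=0; n_clamd=0
    while IFS= read -r line; do
        case "$(classify_line "$line")" in
            disarm)        n_disarm=$((n_disarm + 1)) ;;
            clamd-timeout) n_clamd=$((n_clamd + 1)) ;;
        esac
    done < "$1"
    echo "disarm=$n_disarm clamd-timeout=$n_clamd"
}

# owner_mode PATH -> "user:group mode" of the target, following symlinks
# (ls -l on the quarantine link shows only the link's own lrwxrwxrwx).
owner_mode() {
    stat -L -c '%U:%G %a' "$1"   # GNU coreutils stat
}

# Demo: triage the constructed log, then report the paths named in the thread.
demo_log=$(mktemp)
sample_log > "$demo_log"
triage_log "$demo_log"
rm -f "$demo_log"
for p in /var/spool/MailScanner /var/spool/MailScanner/incoming /opt/MailScanner/quarantine/; do
    [ -e "$p" ] || continue
    echo "$p $(owner_mode "$p")"
done
```
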

