Denial Of Service attack

Jason Voorhees jvoorhees1 at gmail.com
Tue Aug 8 19:48:37 UTC 2017


Thanks for your response, Mark. My reply is shown in the lines below...

> Have you tried
>
> chown postfix:postfix /var/spool/MailScanner
>
No, but I can try it now, I'll let you know if this helps.

Does MailScanner need to write or create any file/directory directly
under /var/spool/MailScanner?

>
> What is the ownership and permissions on /opt/MailScanner/quarantine/ ?
>
>
$ ls -ld /opt/MailScanner/quarantine/
drwxrwxr-x 9 postfix apache 4096 Aug  8 03:16 /opt/MailScanner/quarantine/

$ ls -ld /opt/MailScanner/
drwxr-xr-x 3 root root 4096 Jul 27 11:53 /opt/MailScanner/

By the way... I have a rule to keep a copy of every message (clean,
virus and spam) in quarantine. Do quarantine directory permissions
matter in this DoS attack problem?

>> How can I modify/patch some MailScanner code to show some debug lines
>> when this problem occurs? I even think this is not a SELinux,
>> ownership nor permissions problem... :(
>
>
> What exactly are you seeing? Are you seeing the message
I can't have a copy of the original message that caused the "DoS"
attack because it is not being quarantined.

>
>> MailScanner was attacked by a Denial Of Service attack, and has therefore
>> deleted this part of the message. Please contact your e-mail providers
>> for more information if you need it, giving them the whole of this report.
>
> in delivered emails. If so, there should be a message from MailScanner
>
>> HTML disarming died, status = sss
Its code is 13. The log file looks like:

Aug  8 14:24:30 mail MailScanner[34683]: HTML disarming died, status = 13


>
> in the system mail.log giving the reason why the forked disarming
> process died. (These messages come from
> /usr/share/MailScanner/perl/MailScanner/Message.pm around lines 7029-7037.)
>
> If you are seeing "Virus Scanning: Denial Of Service attack ..." log
> messages, look at
> /usr/share/MailScanner/perl/MailScanner/SweepViruses.pm around lines
> 480-520. These messages indicate clamd timed out.
>
Ok, $PipeReturn seems to be 13 as shown in the log before. However, from
reading (and trying to understand) the Perl code, it is not clear to me what
causes MailScanner to fail at the HTML disarming phase. I see some
lines that say something about a command (SpamAssassin?) timing out, but
I can't understand it very well.

So far I've set "Dangerous Content Scanning = no" to temporarily
"solve" this problem until I have something new to test.

