Denial Of Service attack

Mark Sapiro mark at msapiro.net
Tue Aug 8 22:49:06 UTC 2017


On 08/08/2017 12:48 PM, Jason Voorhees wrote:
>>
>> What is the ownership and permissions on /opt/MailScanner/quarantine/ ?
>>
>>
> $ ls -ld /opt/MailScanner/quarantine/
> drwxrwxr-x 9 postfix apache 4096 Aug  8 03:16 /opt/MailScanner/quarantine/


I'm not sure if the group apache is an issue. It shouldn't be, but the
whole thing is a mystery to me so who knows?

Is this set to apache because of MailWatch or something similar? If so,
maybe this is a MailWatch issue.


> $ ls -ld /opt/MailScanner/
> drwxr-xr-x 3 root root 4096 Jul 27 11:53 /opt/MailScanner/
> 
> By the way... I have a rule to keep a copy of every message (clean,
> virus and spam) in quarantine. Does quarantine directory permissions
> matter in this DoS attack problem?


Possibly?



> Its code is 13. Log file looks like:
> 
> Aug  8 14:24:30 mail MailScanner[34683]: HTML disarming died, status = 13
...
>>
> Ok, $PipeReturn seems to be 13 as shown in log before.


And that means that the child process that was forked by
MailScanner/Message.pm to actually do the disarming died for "no permission".

> However by
> reading (and trying to understand perl code) is not clear to me what
> causes MailScanner to fail at the HTML disarming phase. I see some
> lines that say something about a command (SpamAssassin?) time out, but
> I can't understand it very well.


That's not relevant here. What is going on here is the disarming of
phishing tags. The child is parsing the HTML and has various callbacks
to do things when HTML tags are encountered.

It is not at all clear to me what is going on here. If the child can't
create the file for the disarmed HTML, it should log "Could not create
disarmed HTML file NAME" and exit with status 1, and if for some reason
it can't open the original HTML, it should log "HTML disarming, can't
open file NAME: ERROR".

The only other possibility seems to be that the child dies trying to
pipe the results back to the parent.

All I can suggest is you try to add more logging in the child's code at
lines 6916 - 6961 in MailScanner/Message.pm to try to pinpoint where the
failure occurs, and also look at the callback functions
DisarmTextCallback, DisarmTagCallback and DisarmEndtagCallback.

-- 
Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
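An added diagnostic helper, not MailScanner code and not from this thread: it decodes a child exit status under Perl's die() rule (die exits with $!, the errno, when it is non-zero, which is why 13 reads as "no permission", EACCES) and checks, from the ls -ld lines quoted above, whether a given account could create files in the directory. The run-as account name and its group memberships are assumptions.

```python
import errno
import os
import re

# The two `ls -ld` lines quoted in the thread; [.+]? allows an SELinux/ACL marker.
QUARANTINE = "drwxrwxr-x 9 postfix apache 4096 Aug  8 03:16 /opt/MailScanner/quarantine/"
PARENT = "drwxr-xr-x 3 root root 4096 Jul 27 11:53 /opt/MailScanner/"
LS_RE = re.compile(r'^([dl-])([rwxsStT-]{9})[.+]?\s+\d+\s+(\S+)\s+(\S+)\s')


def decode_perl_die_status(status):
    """Perl's die() exits with $! (errno) when it is non-zero, so a child that
    died on a failed open()/mkdir() reports that errno as its exit status.
    Returns (errno name, message) or (None, None) if status is not an errno.
    Caveat: 1 is ambiguous, an explicit exit(1) looks the same as EPERM."""
    name = errno.errorcode.get(status)
    return (name, os.strerror(status)) if name else (None, None)


def parse_ls_ld(line):
    """Return (owner, group, 9-char permission string) from an `ls -ld` line."""
    m = LS_RE.match(line.strip())
    if not m:
        raise ValueError("not an ls -ld line: %r" % line)
    return m.group(3), m.group(4), m.group(2)


def can_create_entries(line, user, groups):
    """Could `user` (member of `groups`) create files in the directory?
    Needs write and search (x) permission, and exactly one class applies:
    owner if the name matches, else group, else other.  Root always can.
    A '+' in the listing means ACLs may grant more than the bits show."""
    owner, group, perms = parse_ls_ld(line)
    if user == "root":
        return True
    cls = perms[0:3] if user == owner else perms[3:6] if group in groups else perms[6:9]
    # lowercase s/t in the x position means x is set together with setgid/sticky
    return cls[1] == "w" and cls[2] in "xst"


def diagnose(status, line, user, groups):
    """One summary line for the log or a ticket."""
    name, msg = decode_perl_die_status(status)
    verdict = "can" if can_create_entries(line, user, groups) else "CANNOT"
    return "child exit %d = %s (%s); %s %s write there" % (status, name, msg, user, verdict)


if __name__ == "__main__":
    # Assumption: the disarm child runs as postfix, the quarantine owner.
    print(diagnose(13, QUARANTINE, "postfix", {"postfix"}))
    print(diagnose(13, PARENT, "postfix", {"postfix"}))
```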