MailScanner was attacked by DOS and deletes message body

Yu Wang yuwang at cs.fsu.edu
Tue Apr 9 16:25:23 UTC 2019


Hello,

In the past month, I have had a few users ask me to retrieve email messages deleted by MailScanner. When I went to the directory listed by MailScanner, I could not find the directory and thus could not retrieve the messages for my users.

Here is an example:
From: zzzzz <zzzzzzzzzzzz at riken.jp<mailto:zzzzzzzzzzzz at riken.jp>>
Date: 4/8/19 4:55 AM (GMT-05:00)
To: zzzzzz at cs.fsu.edu
Subject: Re: Internship Application

MailScanner was attacked by a Denial Of Service attack, and has therefore deleted this part of the message. Please contact your e-mail providers for more information if you need it, giving them the whole of this report. Attack in: /var/spool/MailScanner/incoming/141905/1841B12012B.A4390/nmsg-141905-20.html

There was no directory /var/spool/MailScanner/incoming/141905/ on the server (about 5 hours later). I searched '1841B12012B.A4390' under /var/spool/MailScanner and /var/spool/postfix/ and found nothing.

[root at smtpin2 log]# ls -l /var/spool/MailScanner/incoming/141905/1841B12012B.A4390/nmsg-141905-20.html
ls: cannot access /var/spool/MailScanner/incoming/141905/1841B12012B.A4390/nmsg-141905-20.html: No such file or directory

Maillog entries:
Apr  8 04:55:08 smtpin2 postfix/smtpd[106496]: 1841B12012B: client=zzzzzzz.go.jp[zzzzzzzz]
Apr  8 04:55:08 smtpin2 postfix/cleanup[143771]: 1841B12012B: hold: header Received: from zzzzzzz.jp (zzzzzzzz.go.jp [zzzzzzzzzzzz])??by smtp.cs.fsu.edu (Postfix) with ESMTP id 1841B12012B??for <zzzzzz at cs.fsu.edu>; Mon,  8 Apr 2019 04:55:07 -0400 (EDT) from zzzz.go.jp[]; from=<zzzzz> to=<zzzzzz at cs.fsu.edu> proto=ESMTP helo=<zzzzz.jp>
Apr  8 04:55:08 smtpin2 postfix/cleanup[143771]: 1841B12012B: message-id=<7A29AFFE-45F6-472F-AE30-A181EB69CBB6 at riken.jp>
Apr  8 04:55:08 smtpin2 opendkim[79156]: 1841B12012B: zzzzzzzz.go.jp [zzzzzzz] not internal
Apr  8 04:55:08 smtpin2 opendkim[79156]: 1841B12012B: not authenticated
Apr  8 04:55:08 smtpin2 opendkim[79156]: 1841B12012B: no signature data
Apr  8 04:55:08 smtpin2 opendmarc[64392]: 1841B12012B: SPF(mailfrom): zzzzz.jp pass
Apr  8 04:55:08 smtpin2 opendmarc[64392]: 1841B12012B: riken.jp none
Apr  8 04:55:08 smtpin2 postfix/smtpd[106496]: disconnect from zzzzzzz.go.jp[zzzzzzzz] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Apr  8 04:55:09 smtpin2 MailScanner[141905]: New Batch: Scanning 1 messages, 21869 bytes
Apr  8 04:55:09 smtpin2 MailScanner[141905]: Virus and Content Scanning: Starting
Apr  8 04:55:09 smtpin2 MailScanner[141905]: MailWatch: Whitelist refresh time reached
Apr  8 04:55:09 smtpin2 MailScanner[141905]: MailWatch: Starting up MailWatch SQL Whitelist
Apr  8 04:55:09 smtpin2 MailScanner[141905]: MailWatch: Read 309 whitelist entries
Apr  8 04:55:09 smtpin2 MailScanner[141905]: MailWatch: Blacklist refresh time reached
Apr  8 04:55:09 smtpin2 MailScanner[141905]: MailWatch: Starting up MailWatch SQL Blacklist
Apr  8 04:55:09 smtpin2 MailScanner[141905]: MailWatch: Read 291 blacklist entries
Apr  8 04:55:14 smtpin2 MailScanner[141905]: HTML disarming died, status = 13
Apr  8 04:55:14 smtpin2 MailScanner[141905]: Content Checks: Detected and have disarmed KILLED tags in HTML message in 1841B12012B.A4390 from zzzzzz at riken.jp
Apr  8 04:55:14 smtpin2 MailScanner[141905]: Requeue: 1841B12012B.A4390 to B30B212012C
Apr  8 04:55:14 smtpin2 MailScanner[141905]: Uninfected: Delivered 1 messages
Apr  8 04:55:14 smtpin2 postfix/qmgr[33312]: B30B212012C: from=<zzzzzzzz at riken.jp>, size=20446, nrcpt=1 (queue active)
Apr  8 04:55:14 smtpin2 MailScanner[141905]: Deleted 1 messages from processing-database
Apr  8 04:55:14 smtpin2 postfix/smtp[146430]: Host offered STARTTLS: [zzzzzz.cs.fsu.edu]
Apr  8 04:55:14 smtpin2 postfix/smtp[146430]: B30B212012C: to=<zzzzzz at cs.fsu.edu>, relay=zzzzzz.cs.fsu.edu[]:25, delay=6.8, delays=6.7/0/0/0.01, dsn=2.0.0, status=sent (250 Ok: queued as 3746AF39B1)
Apr  8 04:55:14 smtpin2 postfix/qmgr[33312]: B30B212012C: removed

Also there was no entry for this message under MailWatch's "Message Listing".

I would like to either configure MailScanner not to delete the message body, or have the ability to locate the email message and manually send it to my users.

Any help would be greatly appreciated.

Thank you.

James Wang
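The maillog in the post records the whole chain for the affected message: Postfix queue id 1841B12012B, MailScanner id 1841B12012B.A4390, the "HTML disarming died" event from child 141905, the requeue to B30B212012C, and delivery to the next hop as 3746AF39B1. The following is an added example (not code from the post or from MailScanner) that correlates those syslog lines so an administrator can see which messages had their HTML part killed and which downstream queue id to search for the delivered copy; the sample lines are constructed in the post's format, with placeholder hostnames and addresses.

```python
import re

# Constructed sample log lines, modelled on the maillog excerpt in the post
# (hostnames and addresses are placeholders; the archive writes "@" as " at ").
SAMPLE_LOG = """\
Apr  8 04:55:08 smtpin2 postfix/smtpd[106496]: 1841B12012B: client=relay.example.jp[192.0.2.10]
Apr  8 04:55:09 smtpin2 MailScanner[141905]: New Batch: Scanning 1 messages, 21869 bytes
Apr  8 04:55:14 smtpin2 MailScanner[141905]: HTML disarming died, status = 13
Apr  8 04:55:14 smtpin2 MailScanner[141905]: Content Checks: Detected and have disarmed KILLED tags in HTML message in 1841B12012B.A4390 from sender at example.jp
Apr  8 04:55:14 smtpin2 MailScanner[141905]: Requeue: 1841B12012B.A4390 to B30B212012C
Apr  8 04:55:14 smtpin2 postfix/smtp[146430]: B30B212012C: to=<user at example.edu>, relay=mx.example.edu[]:25, delay=6.8, delays=6.7/0/0/0.01, dsn=2.0.0, status=sent (250 Ok: queued as 3746AF39B1)
"""

DISARM_DIED = re.compile(r"MailScanner\[(\d+)\]: HTML disarming died, status = (\d+)")
KILLED = re.compile(r"MailScanner\[(\d+)\]: Content Checks: .*KILLED tags in HTML message in (\S+) from (\S+(?:@| at )\S+)")
REQUEUE = re.compile(r"MailScanner\[\d+\]: Requeue: (\S+) to (\S+)")
SENT = re.compile(r"postfix/smtp\[\d+\]: (\S+): to=<([^>]+)>.*status=sent \(250 Ok: queued as (\S+)\)")

def trace_disarmed_messages(log_text):
    """Correlate each 'HTML disarming died' event with the MailScanner message id,
    the Postfix queue id it was requeued to, and the next hop's queue id."""
    died = {}          # MailScanner child pid -> exit status of the disarmer
    msg_from_pid = {}  # child pid -> (MailScanner id, sender) of the killed message
    requeued = {}      # MailScanner id -> Postfix queue id after requeue
    downstream = {}    # Postfix queue id -> (recipient, queue id at the next hop)
    for line in log_text.splitlines():
        if m := DISARM_DIED.search(line):
            died[m.group(1)] = int(m.group(2))
        elif m := KILLED.search(line):
            msg_from_pid[m.group(1)] = (m.group(2), m.group(3))
        elif m := REQUEUE.search(line):
            requeued[m.group(1)] = m.group(2)
        elif m := SENT.search(line):
            downstream[m.group(1)] = (m.group(2), m.group(3))
    results = []
    for pid, status in died.items():
        ms_id, sender = msg_from_pid.get(pid, (None, None))
        qid = requeued.get(ms_id)
        rcpt, next_qid = downstream.get(qid, (None, None))
        results.append({"pid": pid, "status": status, "mailscanner_id": ms_id,
                        "sender": sender, "requeued_as": qid,
                        "recipient": rcpt, "next_hop_queue_id": next_qid})
    return results
```

The incoming working directory named in the notice belongs to the MailScanner child that scanned the batch, so the next-hop queue id in the result is the more durable place to look for the delivered (already disarmed) copy.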