From ferry at vanaesch.com  Tue Jun 16 10:39:04 2020
From: ferry at vanaesch.com (Ferry van Aesch)
Date: Tue, 16 Jun 2020 10:39:04 +0000
Subject: HTML disarming died, status = 13
Message-ID: 

Hi,

I'm being bitten by the below, and after trawling through the mailing list the consensus seems to be that this is a permissions issue, but there's not really a clear root cause or fix. I don't have apparmor or SELinux running, and I'm pretty sure all permissions are healthy. Furthermore, when I take the quarantined message, and send it again through the system (from a remote machine through SMTP, just to be sure it follows the same path), the message goes through just fine, which I find somewhat baffling.

Jun 16 11:09:12 nb postfix/smtpd[29310]: disconnect from mta-2-019.ml.wish.com[144.2.145.19] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
Jun 16 11:09:13 nb MailScanner[10436]: New Batch: Scanning 1 messages, 26430 bytes
Jun 16 11:09:13 nb MailScanner[10436]: Virus and Content Scanning: Starting
Jun 16 11:09:13 nb MailScanner[10436]: Expired 1 records from the SpamAssassin cache
Jun 16 11:09:19 nb MailScanner[10436]: HTML disarming died, status = 13
Jun 16 11:09:19 nb MailScanner[10436]: Content Checks: Detected and have disarmed web bug, denialofservice tags in HTML message in 1C8987C093A.AEDFB from bounces+vn1vl9d7nxin2gjpxuh8ibeiyxqfzeq92 at mail.wish.com
Jun 16 11:09:19 nb MailScanner[10436]: Quarantined message 1C8987C093A.AEDFB as it caused MailScanner to crash several times
Jun 16 11:09:19 nb MailScanner[10436]: Saved entire message to /var/spool/MailScanner/quarantine/20200616/1C8987C093A.AEDFB

I'm running a fairly standard setup, with just clamav and spamassassin, latest version from MailScanner-5.3.3-1.noarch.deb, on a relatively fresh Ubuntu 18.04LTS VPS.

This comes back clean as well:

root at nb:/usr/src# MailScanner --lint
Trying to setlogsock(unix)
Reading configuration file /etc/MailScanner/MailScanner.conf
Reading configuration file /etc/MailScanner/conf.d/README
Read 1500 hostnames from the phishing whitelist
Read 7181 hostnames from the phishing blacklists
Config: calling custom init function MailWatchLogging
Started SQL Logging child
Checking version numbers...
Version number in MailScanner.conf (5.3.3) is correct.
Your envelope_sender_header in spamassassin.conf is correct.
MailScanner setting GID to (1000)
MailScanner setting UID to (108)
Checking for SpamAssassin errors (if you use it)...
Using SpamAssassin results cache
Connected to SpamAssassin cache database
SpamAssassin reported no errors.
Auto: Found virus scanners: clamd
Connected to Processing Attempts Database
Created Processing Attempts Database successfully
There are 0 messages in the Processing Attempts Database
Using locktype = posix
MailScanner.conf says "Virus Scanners = auto"
Found these virus scanners installed: clamd
===========================================================================
Filename Checks: Windows/DOS Executable (1 eicar.com)
Other Checks: Found 1 problems
Virus and Content Scanning: Starting
Clamd::INFECTED:: Win.Test.EICAR_HDB-1 :: ./1/eicar.com
Virus Scanning: Clamd found 2 infections
Infected message 1 came from 10.1.1.1
Virus Scanning: Found 2 viruses
===========================================================================
Virus Scanner test reports:
Clamd said "eicar.com was infected: Win.Test.EICAR_HDB-1"
If any of your virus scanners (clamd)
are not listed there, you should check that they are installed correctly
and that MailScanner is finding them correctly via its virus.scanners.conf.
Config: calling custom end function MailWatchLogging

It's a very quiet server hosting a couple of private domains (throughput is just over 100 emails/day), and the VPS has 4 cores and 8GB available to it (guaranteed no memory issues here), and ample SSD space:

              total        used        free      shared  buff/cache   available
Mem:           7.8G        1.4G        6.1G        9.1M        347M        6.2G
Swap:          2.0G          0B        2.0G

root at nb:/usr/src# df -h
Filesystem      Size  Used Avail Use% Mounted on
udev            3.9G     0  3.9G   0% /dev
tmpfs           798M  3.7M  795M   1% /run
/dev/sda2       195G  7.5G  178G   5% /
tmpfs           3.9G     0  3.9G   0% /dev/shm
tmpfs           5.0M     0  5.0M   0% /run/lock
tmpfs           3.9G     0  3.9G   0% /sys/fs/cgroup
/dev/sda1       922M  109M  750M  13% /boot
tmpfs           1.0G   84K  1.0G   1% /var/spool/MailScanner/incoming
tmpfs           798M     0  798M   0% /run/user/0

(I've also tried without the tmpfs for incoming, no difference as far as I can remember)

I would like to request some assistance or guidance on how to start looking for the root cause please.

Kind Regards,

Ferry van Aesch.

PS I've been using older versions of MailScanner for as long as I can remember on a different VPS, without ever giving me any issues.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: 

From shawniverson at summitgrid.com  Tue Jun 16 17:40:09 2020
From: shawniverson at summitgrid.com (Shawn Iverson)
Date: Tue, 16 Jun 2020 13:40:09 -0400
Subject: HTML disarming died, status = 13
In-Reply-To: <20200616172420.B333F121968@ms1.mailscanner.info>
References: <20200616172420.B333F121968@ms1.mailscanner.info>
Message-ID: <233543dc-5dcb-dd69-7d09-d83cb97b9e2c@summitgrid.com>

This message is by design, as long as you are not caught in a loop and it is not happening with every message. There's something in the HTML that killed the child spawned to perform the disarming. Depending on the scenario, a sample of the email (sanitized) might be helpful to isolate what is going on here and improve the HTML Disarming code.

Shawn

-- 
Shawn Iverson
shawniverson at summitgrid.com

From ferry at vanaesch.com  Tue Jun 16 18:24:03 2020
From: ferry at vanaesch.com (Ferry van Aesch)
Date: Tue, 16 Jun 2020 18:24:03 +0000
Subject: HTML disarming died, status = 13
In-Reply-To: <233543dc-5dcb-dd69-7d09-d83cb97b9e2c@summitgrid.com>
References: <20200616172420.B333F121968@ms1.mailscanner.info> <233543dc-5dcb-dd69-7d09-d83cb97b9e2c@summitgrid.com>
Message-ID: 

Hi Shawn,

Thanks for getting back to me so quickly. Please see the sanitised email attached. (I assume attaching works with the mailing list?)

It's not happening with every message indeed; but it's a reasonable amount of the emails it processes. I just ran the original message (cat message|sendmail -t) and it was delivered without a problem.

Thanks!

Ferry

-------------- next part --------------
A non-text attachment was scrubbed...
Name: message.sanitised
Type: application/octet-stream
Size: 93094 bytes
Desc: message.sanitised
URL: 

From datasoftindia at gmail.com  Mon Jun 29 07:22:42 2020
From: datasoftindia at gmail.com (Datasoft-India)
Date: Mon, 29 Jun 2020 12:52:42 +0530
Subject: External Mail Warning
Message-ID: 

Hi All,

I have configured External Mail Warning in external.message.rules and put all my domains as
From: xxxxxxxx.com no
and
FromOrTo: default yes
initially did not work so followed https://github.com/MailScanner/v5/issues/413
finally I copied MessageBatch.pm and Message.pm from the latest git and used it and it started working.

However I am facing a peculiar problem.
MailScanner does not insert warning for html mails from gmail.com or some mails from random sender domains. It sometimes inserts warning for mails sent out from my own domain to outsiders though my domain is listed as "From: xxxxxxxx.com no."
In short it works randomly.
Does it require space or tabs or am I missing something.
Whatever be the case I'm very surprised html mails from gmail.com or gsuite originated domains are never tagged.

My system details below.

[root at mx1 rules]# MailScanner -v
Running on
Linux xxxxx.com 3.10.0-957.21.3.el7.x86_64 #1 SMP Tue Jun 18 16:35:19 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
This is CentOS Linux release 7.8.2003 (Core)
This is Perl version 5.016003 (5.16.3)
This is MailScanner version 5.2.1

can someone throw light on this peculiar behaviour.

-- 
Thanks & Regards
DP

From ferry at vanaesch.com  Mon Jun 29 07:47:49 2020
From: ferry at vanaesch.com (Ferry van Aesch)
Date: Mon, 29 Jun 2020 07:47:49 +0000
Subject: HTML disarming died, status = 13
In-Reply-To: <37BF945E-CAC7-4FAC-9756-E78B11004F7C@vanaesch.com>
References: <20200616172420.B333F121968@ms1.mailscanner.info> <233543dc-5dcb-dd69-7d09-d83cb97b9e2c@summitgrid.com> <37BF945E-CAC7-4FAC-9756-E78B11004F7C@vanaesch.com>
Message-ID: 

I'm still trying to get my head around this. These failures genuinely seem to be random. Amazon notifications for instance, very standard layout, most come in perfectly fine and recently one of them failed. I run it through the queue again and it passes without failure. I'm a bit lost tbh.

From shawniverson at summitgrid.com  Mon Jun 29 12:43:06 2020
From: shawniverson at summitgrid.com (Shawn Iverson)
Date: Mon, 29 Jun 2020 08:43:06 -0400
Subject: HTML disarming died, status = 13
In-Reply-To: <20200629074935.279BE121953@ms1.mailscanner.info>
References: <20200616172420.B333F121968@ms1.mailscanner.info> <233543dc-5dcb-dd69-7d09-d83cb97b9e2c@summitgrid.com> <37BF945E-CAC7-4FAC-9756-E78B11004F7C@vanaesch.com> <20200629074935.279BE121953@ms1.mailscanner.info>
Message-ID: <3fe1521a-619c-3666-5bde-2eedf786d3d0@summitgrid.com>

Ferry,

I am having trouble reproducing the issue on my end. I am still looking into this.

This is looking more like a failure to spawn the child process and pipe the results back to the parent process. Error 13 on a pipe is "Permission Denied." This can be caused for a variety of reasons. Filesystem permissions, mandatory access control issues (i.e. SELinux or Apparmor), and kernel level issues such as hitting an upper limit that is set too low or a kernel bug.

What do you currently have for this setting in MailScanner?

"Ignore Denial Of Service"

-- 
Shawn Iverson
shawniverson at summitgrid.com

From shawniverson at summitgrid.com  Mon Jun 29 12:47:19 2020
From: shawniverson at summitgrid.com (Shawn Iverson)
Date: Mon, 29 Jun 2020 08:47:19 -0400
Subject: External Mail Warning
In-Reply-To: 
References: 
Message-ID: <1a798fec-1f81-4278-4c87-0894d5633502@summitgrid.com>

Tab delimited.

-- 
Shawn Iverson
shawniverson at summitgrid.com

From ferry at vanaesch.com  Mon Jun 29 13:17:32 2020
From: ferry at vanaesch.com (Ferry van Aesch)
Date: Mon, 29 Jun 2020 13:17:32 +0000
Subject: HTML disarming died, status = 13
In-Reply-To: <3fe1521a-619c-3666-5bde-2eedf786d3d0@summitgrid.com>
References: <20200616172420.B333F121968@ms1.mailscanner.info> <233543dc-5dcb-dd69-7d09-d83cb97b9e2c@summitgrid.com> <37BF945E-CAC7-4FAC-9756-E78B11004F7C@vanaesch.com> <20200629074935.279BE121953@ms1.mailscanner.info> <3fe1521a-619c-3666-5bde-2eedf786d3d0@summitgrid.com>
Message-ID: 

Hi Shawn,

Ignore Denial Of Service = no

I don't have SELinux or Apparmor installed, I believe (believe!) I have all permissions set correctly, and most emails come in just fine, with or without HTML in them.

Now, the kernel level issue is what I might have to look into. It's a very low usage VPS though, it's pretty much idling over 99% of the time. I don't see anything in dmesg indicating limits. I'll do a bit of digging in that area.

Thanks!

Ferry
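
Added example (not part of the thread and not MailScanner code): a small log summariser for the question raised above of whether "HTML disarming died" hits every message or only some, and whether it clusters in one MailScanner child. The function names and the sample log are constructed for illustration, and reading the status as an errno value follows the interpretation given in the thread rather than anything confirmed from MailScanner's source.

```python
import errno
import os
import re
from collections import Counter

# Constructed sample, modelled on the syslog lines quoted in the thread.
SAMPLE_LOG = """\
Jun 16 11:09:12 nb postfix/smtpd[29310]: disconnect from mail.example.net[192.0.2.10]
Jun 16 11:09:13 nb MailScanner[10436]: New Batch: Scanning 1 messages, 26430 bytes
Jun 16 11:09:19 nb MailScanner[10436]: HTML disarming died, status = 13
Jun 16 11:09:19 nb MailScanner[10436]: Quarantined message 1C8987C093A.AEDFB as it caused MailScanner to crash several times
Jun 16 11:20:01 nb MailScanner[10436]: New Batch: Scanning 2 messages, 51200 bytes
Jun 16 11:31:44 nb MailScanner[10437]: New Batch: Scanning 1 messages, 9120 bytes
"""

# Syslog prefix "Mon DD HH:MM:SS host MailScanner[pid]: message"
LINE = re.compile(r"^\w{3}\s+\d+\s[\d:]{8}\s\S+\sMailScanner\[(\d+)\]:\s(.*)$")
BATCH = re.compile(r"New Batch: Scanning (\d+) messages")
DIED = re.compile(r"HTML disarming died, status = (\d+)")
QUARANTINED = re.compile(r"Quarantined message (\S+) as it caused MailScanner to crash")


def describe_status(code):
    """Render a status as an errno (assumption: the reading used in the thread)."""
    name = errno.errorcode.get(code, "unknown errno")
    return f"{code} = {name} ({os.strerror(code)})"


def summarise(log_text):
    """Count batches, disarm failures per child PID and quarantined message IDs."""
    batches = 0
    failed_batches = 0
    open_batch = {}      # pid -> True once that child's current batch logged a failure
    statuses = Counter()
    by_pid = Counter()
    quarantined = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue     # postfix, clamd and other non-MailScanner lines
        pid, msg = m.groups()
        if BATCH.search(msg):
            batches += 1
            open_batch[pid] = False
        elif (d := DIED.search(msg)):
            if pid not in open_batch:    # batch header fell outside the excerpt
                batches += 1
                open_batch[pid] = False
            statuses[int(d.group(1))] += 1
            by_pid[pid] += 1
            if not open_batch[pid]:      # count each failing batch once
                failed_batches += 1
                open_batch[pid] = True
        elif (q := QUARANTINED.search(msg)):
            quarantined.append(q.group(1))
    return {
        "batches": batches,
        "failed_batches": failed_batches,
        "failure_rate": failed_batches / batches if batches else 0.0,
        "statuses": dict(statuses),
        "failures_by_pid": dict(by_pid),
        "quarantined": quarantined,
    }


if __name__ == "__main__":
    report = summarise(SAMPLE_LOG)
    for code, count in report["statuses"].items():
        print(f"{count} x status {describe_status(code)}")
    print(report)
```

Run it over the real mail log by passing the file's contents to summarise(); a failure rate near 1.0 or failures confined to a single PID points in a different direction than scattered, occasional failures.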