HTML disarming died, status = 13

Ferry van Aesch ferry at vanaesch.com
Tue Jun 16 10:39:04 UTC 2020 

Hi,

I’m being bitten by the below, and after trawling through the mailing list the consensus seems to be that this is a permissions issue, but there’s not really a clear root cause or fix. I don’t have apparmor or SELinux running, and I’m pretty sure all permissions are healthy. Furthermore, when I take the quarantined message, and send it again through the system (from a remote machine through SMTP, just to be sure it follows the same path), the message goes through just fine, which I find somewhat baffling.

Jun 16 11:09:12 nb postfix/smtpd[29310]: disconnect from mta-2-019.ml.wish.com[144.2.145.19] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
Jun 16 11:09:13 nb MailScanner[10436]: New Batch: Scanning 1 messages, 26430 bytes
Jun 16 11:09:13 nb MailScanner[10436]: Virus and Content Scanning: Starting
Jun 16 11:09:13 nb MailScanner[10436]: Expired 1 records from the SpamAssassin cache
Jun 16 11:09:19 nb MailScanner[10436]: HTML disarming died, status = 13
Jun 16 11:09:19 nb MailScanner[10436]: Content Checks: Detected and have disarmed web bug, denialofservice tags in HTML message in 1C8987C093A.AEDFB from bounces+vn1vl9d7nxin2gjpxuh8ibeiyxqfzeq92 at mail.wish.com
Jun 16 11:09:19 nb MailScanner[10436]: Quarantined message 1C8987C093A.AEDFB as it caused MailScanner to crash several times
Jun 16 11:09:19 nb MailScanner[10436]: Saved entire message to /var/spool/MailScanner/quarantine/20200616/1C8987C093A.AEDFB

I’m running a fairly standard setup, with just clamav and spamassassin, latest version from MailScanner-5.3.3-1.noarch.deb, on a relatively fresh Ubuntu 18.04LTS VPS.

This comes back clean as well:
root at nb:/usr/src# MailScanner --lint
Trying to setlogsock(unix)

Reading configuration file /etc/MailScanner/MailScanner.conf
Reading configuration file /etc/MailScanner/conf.d/README
Read 1500 hostnames from the phishing whitelist
Read 7181 hostnames from the phishing blacklists
Config: calling custom init function MailWatchLogging
Started SQL Logging child

Checking version numbers...
Version number in MailScanner.conf (5.3.3) is correct.

Your envelope_sender_header in spamassassin.conf is correct.
MailScanner setting GID to  (1000)
MailScanner setting UID to  (108)

Checking for SpamAssassin errors (if you use it)...
Using SpamAssassin results cache
Connected to SpamAssassin cache database
SpamAssassin reported no errors.
Auto: Found virus scanners: clamd
Connected to Processing Attempts Database
Created Processing Attempts Database successfully
There are 0 messages in the Processing Attempts Database
Using locktype = posix
MailScanner.conf says "Virus Scanners = auto"
Found these virus scanners installed: clamd
===========================================================================
Filename Checks: Windows/DOS Executable (1 eicar.com)
Other Checks: Found 1 problems
Virus and Content Scanning: Starting
Clamd::INFECTED:: Win.Test.EICAR_HDB-1 :: ./1/eicar.com
Virus Scanning: Clamd found 2 infections
Infected message 1 came from 10.1.1.1
Virus Scanning: Found 2 viruses
===========================================================================
Virus Scanner test reports:
Clamd said "eicar.com was infected: Win.Test.EICAR_HDB-1"

If any of your virus scanners (clamd)
are not listed there, you should check that they are installed correctly
and that MailScanner is finding them correctly via its virus.scanners.conf.
Config: calling custom end function MailWatchLogging

It’s a very quiet server hosting a couple of private domains (throughput is just over 100 emails/day), and the VPS has 4 cores and 8GB available to it (guaranteed no memory issues here), and ample SSD space:
              total        used        free      shared  buff/cache   available
Mem:           7.8G        1.4G        6.1G        9.1M        347M        6.2G
Swap:          2.0G          0B        2.0G

root at nb:/usr/src# df -h
Filesystem      Size  Used Avail Use% Mounted on
udev            3.9G     0  3.9G   0% /dev
tmpfs           798M  3.7M  795M   1% /run
/dev/sda2       195G  7.5G  178G   5% /
tmpfs           3.9G     0  3.9G   0% /dev/shm
tmpfs           5.0M     0  5.0M   0% /run/lock
tmpfs           3.9G     0  3.9G   0% /sys/fs/cgroup
/dev/sda1       922M  109M  750M  13% /boot
tmpfs           1.0G   84K  1.0G   1% /var/spool/MailScanner/incoming
tmpfs           798M     0  798M   0% /run/user/0

(I’ve also tried without the tmpfs for incoming, no difference as far as I can remember)

I would like to request some assistance or guidance on how to start looking for the root cause please.

Kind Regards,
Ferry van Aesch.

PS I’ve been using older versions of MailScanner for as long as I can remember on a different VPS, without ever giving me any issues.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.mailscanner.info/pipermail/mailscanner/attachments/20200616/398364ed/attachment.html>

More information about the MailScanner mailing list