HTML disarming died, status = 13
Shawn Iverson
shawniverson at summitgrid.com
Tue Jun 16 17:40:09 UTC 2020
This message is by design, as long as you are not caught in a loop and
it is not happening with every message. There's something in the HTML
that killed the child spawned to perform the disarming. Depending on
the scenario, a sample of the email (sanitized) might be helpful to
isolate what is going on here and improve the HTML Disarming code.
Shawn
On 6/16/20 6:39 AM, Ferry van Aesch via MailScanner wrote:
>
> Hi,
>
> I’m being bitten by the below, and after trawling through the mailing
> list the consensus seems to be that this is a permissions issue, but
> there’s not really a clear root cause or fix. I don’t have apparmor or
> SELinux running, and I’m pretty sure all permissions are healthy.
> Furthermore, when I take the quarantined message, and send it again
> through the system (from a remote machine through SMTP, just to be
> sure it follows the same path), the message goes through just fine,
> which I find somewhat baffling.
>
> Jun 16 11:09:12 nb postfix/smtpd[29310]: disconnect from
> mta-2-019.ml.wish.com[144.2.145.19] ehlo=2 starttls=1 mail=1 rcpt=1
> data=1 quit=1 commands=7
>
> Jun 16 11:09:13 nb MailScanner[10436]: New Batch: Scanning 1 messages,
> 26430 bytes
>
> Jun 16 11:09:13 nb MailScanner[10436]: Virus and Content Scanning:
> Starting
>
> Jun 16 11:09:13 nb MailScanner[10436]: Expired 1 records from the
> SpamAssassin cache
>
> Jun 16 11:09:19 nb MailScanner[10436]: *HTML disarming died, status = 13*
>
> Jun 16 11:09:19 nb MailScanner[10436]: Content Checks: Detected and
> have disarmed web bug, denialofservice tags in HTML message in
> 1C8987C093A.AEDFB from
> bounces+vn1vl9d7nxin2gjpxuh8ibeiyxqfzeq92 at mail.wish.com
>
> Jun 16 11:09:19 nb MailScanner[10436]: Quarantined message
> 1C8987C093A.AEDFB as it caused MailScanner to crash several times
>
> Jun 16 11:09:19 nb MailScanner[10436]: Saved entire message to
> /var/spool/MailScanner/quarantine/20200616/1C8987C093A.AEDFB
>
> I’m running a fairly standard setup, with just clamav and
> spamassassin, latest version from MailScanner-5.3.3-1.noarch.deb, on a
> relatively fresh Ubuntu 18.04LTS VPS.
>
> This comes back clean as well:
>
> root@nb:/usr/src# MailScanner --lint
>
> Trying to setlogsock(unix)
>
> Reading configuration file /etc/MailScanner/MailScanner.conf
>
> Reading configuration file /etc/MailScanner/conf.d/README
>
> Read 1500 hostnames from the phishing whitelist
>
> Read 7181 hostnames from the phishing blacklists
>
> Config: calling custom init function MailWatchLogging
>
> Started SQL Logging child
>
> Checking version numbers...
>
> Version number in MailScanner.conf (5.3.3) is correct.
>
> Your envelope_sender_header in spamassassin.conf is correct.
>
> MailScanner setting GID to (1000)
>
> MailScanner setting UID to (108)
>
> Checking for SpamAssassin errors (if you use it)...
>
> Using SpamAssassin results cache
>
> Connected to SpamAssassin cache database
>
> SpamAssassin reported no errors.
>
> Auto: Found virus scanners: clamd
>
> Connected to Processing Attempts Database
>
> Created Processing Attempts Database successfully
>
> There are 0 messages in the Processing Attempts Database
>
> Using locktype = posix
>
> MailScanner.conf says "Virus Scanners = auto"
>
> Found these virus scanners installed: clamd
>
> ===========================================================================
>
> Filename Checks: Windows/DOS Executable (1 eicar.com)
>
> Other Checks: Found 1 problems
>
> Virus and Content Scanning: Starting
>
> Clamd::INFECTED:: Win.Test.EICAR_HDB-1 :: ./1/eicar.com
>
> Virus Scanning: Clamd found 2 infections
>
> Infected message 1 came from 10.1.1.1
>
> Virus Scanning: Found 2 viruses
>
> ===========================================================================
>
> Virus Scanner test reports:
>
> Clamd said "eicar.com was infected: Win.Test.EICAR_HDB-1"
>
> If any of your virus scanners (clamd)
>
> are not listed there, you should check that they are installed correctly
>
> and that MailScanner is finding them correctly via its
> virus.scanners.conf.
>
> Config: calling custom end function MailWatchLogging
>
> It’s a very quiet server hosting a couple of private domains
> (throughput is just over 100 emails/day), and the VPS has 4 cores and
> 8GB available to it (guaranteed no memory issues here), and ample SSD
> space:
>
>               total        used        free      shared  buff/cache   available
> Mem:           7.8G        1.4G        6.1G        9.1M        347M        6.2G
> Swap:          2.0G          0B        2.0G
>
> root@nb:/usr/src# df -h
> Filesystem      Size  Used Avail Use% Mounted on
> udev            3.9G     0  3.9G   0% /dev
> tmpfs           798M  3.7M  795M   1% /run
> /dev/sda2       195G  7.5G  178G   5% /
> tmpfs           3.9G     0  3.9G   0% /dev/shm
> tmpfs           5.0M     0  5.0M   0% /run/lock
> tmpfs           3.9G     0  3.9G   0% /sys/fs/cgroup
> /dev/sda1       922M  109M  750M  13% /boot
> tmpfs           1.0G   84K  1.0G   1% /var/spool/MailScanner/incoming
> tmpfs           798M     0  798M   0% /run/user/0
>
> (I’ve also tried without the tmpfs for incoming, no difference as far
> as I can remember)
>
> I would like to request some assistance or guidance on how to start
> looking for the root cause please.
>
> Kind Regards,
>
> Ferry van Aesch.
>
> PS I’ve been using older versions of MailScanner for as long as I can
> remember on a different VPS, without ever giving me any issues.
>
>
>
--
Shawn Iverson
shawniverson at summitgrid.com
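
The reply above separates an occasional disarming failure from a loop or a failure on every message; a summary of the mail log shows which case applies. This is an added example, not part of the original thread or of MailScanner's code: the patterns assume the syslog line format seen in the quoted excerpt, and the second batch in the sample is constructed.

```python
import re
from collections import Counter

# Constructed sample: first batch follows the quoted excerpt (lines unwrapped),
# second batch is invented so the failure rate is not 100%.
SAMPLE_LOG = """\
Jun 16 11:09:13 nb MailScanner[10436]: New Batch: Scanning 1 messages, 26430 bytes
Jun 16 11:09:19 nb MailScanner[10436]: HTML disarming died, status = 13
Jun 16 11:09:19 nb MailScanner[10436]: Quarantined message 1C8987C093A.AEDFB as it caused MailScanner to crash several times
Jun 16 11:09:19 nb MailScanner[10436]: Saved entire message to /var/spool/MailScanner/quarantine/20200616/1C8987C093A.AEDFB
Jun 16 11:12:40 nb MailScanner[10436]: New Batch: Scanning 2 messages, 9120 bytes
Jun 16 11:12:41 nb MailScanner[10436]: Virus and Content Scanning: Starting
"""

LINE = re.compile(r"^(\w{3}\s+\d+ [\d:]+) \S+ MailScanner\[(\d+)\]: (.*)$")
BATCH = re.compile(r"^New Batch: Scanning (\d+) messages")
DIED = re.compile(r"^\*?HTML disarming died, status = (\d+)")
QUAR = re.compile(r"^Quarantined message (\S+) as it caused MailScanner to crash")
SAVED = re.compile(r"^Saved entire message to (\S+)")

def summarize(log_text):
    """Count scanned messages and disarming failures; tie each failure to
    the quarantine ID and path logged next by the same MailScanner PID."""
    scanned, failures, last = 0, [], {}   # last: pid -> open failure record
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        ts, pid, msg = m.groups()
        if (b := BATCH.match(msg)):
            scanned += int(b.group(1))
            last.pop(pid, None)           # new batch closes any open record
        elif (d := DIED.match(msg)):
            rec = {"time": ts, "pid": pid, "status": int(d.group(1)),
                   "id": None, "path": None}
            failures.append(rec)
            last[pid] = rec
        elif pid in last and (q := QUAR.match(msg)):
            last[pid]["id"] = q.group(1)
        elif pid in last and (s := SAVED.match(msg)):
            last[pid]["path"] = s.group(1)
    ids = Counter(f["id"] for f in failures if f["id"])
    return {"scanned": scanned, "failures": failures,
            "rate": len(failures) / scanned if scanned else 0.0,
            # same queue ID failing more than once suggests a loop
            "repeated_ids": sorted(i for i, n in ids.items() if n > 1)}

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

A rate near 1.0 or a non-empty `repeated_ids` list is the situation the reply says is not expected; otherwise the `path` values point at the quarantined samples to sanitize and share.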