<div dir="ltr">I had a similar issue on a server build on CentOS 6 and the latest MailScanner. Never have found specific messages that cause the problem, but typically 5-6 times a week, I'd get an alert from our Nagios installation stating that there were zombie processes on the filtering server. I'd go look and see MailScanner processing, crashing and looping on messages - after 6 loops through, putting in the quarantine tagged as DoS message.<div>
<br></div><div>So, I tried disabling the Processing Attempts Database by setting:</div><div><br></div><div><div>Maximum Processing Attempts = 0</div></div><div><br></div><div>in MailScanner.conf. I no longer am seeing *any* problem - the crashes have stopped, the looping has stopped (as expected with disabling), no messages marked as DoS sources and none quarantined as a result. All appears to be fine.</div>
<div><br></div><div>So, it kind of looks like something with the Processing Attempts Database code - although I do use that on a number of other CentOS 4 and CentOS 5 servers without issue.</div><div><br></div><div><br></div>
<div>Chris</div><div><br></div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Sat, Mar 22, 2014 at 11:52 AM, Mark Sapiro <span dir="ltr"><<a href="mailto:mark@msapiro.net" target="_blank">mark@msapiro.net</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="">On 03/22/2014 10:12 AM, <a href="mailto:simon@kmun.gov.kw">simon@kmun.gov.kw</a> wrote:<br>
><br>
> After more investigation I realized the following..<br>
><br>
> many of the users have subscribed to Google Groups ..<br>
> now when an email is received from a user who belongs to the same group as<br>
> our users belong maybe about 15 to 20 messages are marked clean ..<br>
> subsequent messages are being marked with RED and the details page shows<br>
> denial of service attack.<br>
> Also the system becomes very slow as MailScanner consumes the entire CPU<br>
> and also the outgoing email takes a long time to reach the recipient.<br>
><br>
> it remains in the incoming queue for a long time.. maybe 10 to 15 min at<br>
> times<br>
<br>
<br>
</div>I'm not sure what the underlying issue is in this case, but looking at<br>
the code I think that the DOS attack is raised when one of your virus<br>
scanners times out on a message. You might try looking at logs to see if<br>
you can determine why this happens.<br>
<br>
As a workaround, you could establish a "Virus Scanning" ruleset to skip<br>
virus scanning for these messages. See<br>
<<a href="http://www.mailscanner.info/MailScanner.conf.index.html#Virus%20Scanning" target="_blank">http://www.mailscanner.info/MailScanner.conf.index.html#Virus%20Scanning</a>>.<br>
<span class="HOEnZb"><font color="#888888"><br>
--<br>
Mark Sapiro <<a href="mailto:mark@msapiro.net">mark@msapiro.net</a>> The highway is for gamblers,<br>
San Francisco Bay Area, California better use your sense - B. Dylan<br>
</font></span></blockquote></div><br><br clear="all"><div><br></div>-- <br>Chris Stone<br>AxisInternet, Inc.<br><a href="http://www.axint.net">www.axint.net</a><br>
</div>