<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p
{mso-style-priority:99;
mso-margin-top-alt:auto;
margin-right:0cm;
mso-margin-bottom-alt:auto;
margin-left:0cm;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
span.hoenzb
{mso-style-name:hoenzb;}
span.EmailStyle19
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;
mso-fareast-language:EN-US;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-GB link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US'>Well in my case the server has an extremely light load, a handful of domains with 5 users total. Fairly high proportion of spam in some cases but still pretty puny. <o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US'>Server is a low powered 32gb ram, 8x atom core home server, with mailscanner running under a VM and given 3 cores and 8gb ram and I’ve certainly never noticed it stressed but it was a new build with mailscanner 4.85.2 installed. It replaced an old dual core p4 running an ancient install of mailscanner with the same domain setup fine.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US'>I’m not sure if one commonality across all of us having the issue is running mailscanner under a VM?<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US'><o:p> </o:p></span></p><p class=MsoNormal><b><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri",sans-serif'>From:</span></b><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri",sans-serif'> MailScanner [mailto:mailscanner-bounces+andy=z00b.com@lists.mailscanner.info] <b>On Behalf Of </b>Shawn Iverson<br><b>Sent:</b> 13 May 2016 18:27<br><b>To:</b> MailScanner Discussion <mailscanner@lists.mailscanner.info><br><b>Subject:</b> Re: Denial Of Service Attack Messages<o:p></o:p></span></p><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal>I have been watching this DoS stuff now for a while.<o:p></o:p></p><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>I am wondering if this issue is triggered during high load (similar to an actual DoS)<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Would it be possible to set up a MailScanner test environment and do a load bearing test against mailscanner? Perhaps just an MTA with a script to send massive amounts of mail to a mailscanner instance?<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>I want to get to the bottom of this.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div></div><div><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal>On Fri, May 13, 2016 at 4:22 AM, Michael Böttger <<a href="mailto:michael.boettger@crossip.net" target="_blank">michael.boettger@crossip.net</a>> wrote:<o:p></o:p></p><blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0cm 0cm 0cm 6.0pt;margin-left:4.8pt;margin-right:0cm'><div><div><p class=MsoNormal><span style='color:black'><o:p> </o:p></span></p></div><div><p class=MsoNormal><span style='color:black'>Hello,<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='color:black'><o:p> </o:p></span></p></div><div><p class=MsoNormal><span style='color:black'>we are currently running MailScanner in combination with the following setup:<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='color:black'><o:p> </o:p></span></p></div><div><p class=MsoNormal><span style='color:black'>MailWatch Version:1.2.0 - RC1 DEV<br>MailScanner Version:4.85.2<br>ClamAV Version:0.99.1 <br>SpamAssassin Version:3.4.0 <br>PHP Version:5.4.16<br>MySQL Version:10.0.25-MariaDB-wsrep (3 node cluster)<o:p></o:p></span></p></div><div><p style='margin:0cm;margin-bottom:.0001pt'><span style='color:black'>CentOS Linux release 7.2.1511 (Core) <o:p></o:p></span></p><p style='margin:0cm;margin-bottom:.0001pt'><span style='color:black'>6 Core Intel(R) Xeon(R) CPU X5650 @ 2.67GHz<o:p></o:p></span></p><p style='margin:0cm;margin-bottom:.0001pt'><span style='color:black'>virtualiced in a Virtuozzo 6.0 CloudServer environment<o:p></o:p></span></p><p style='margin:0cm;margin-bottom:.0001pt'><span style='color:black'><o:p> </o:p></span></p><p style='margin:0cm;margin-bottom:.0001pt'><span style='color:black'>processing about 20-24000 mails per day and we do get about 30-50 "Denial of Service attack" mails, which are not moved to the quarantine location as advertised in the „disarmed“ mail.<o:p></o:p></span></p><p style='margin:0cm;margin-bottom:.0001pt'><span style='color:black'><o:p> </o:p></span></p><p style='margin:0cm;margin-bottom:.0001pt'><span style='color:black'>After reading trough the Maillinglist we have set -> Maximum Processing Attempts = 0<o:p></o:p></span></p><p style='margin:0cm;margin-bottom:.0001pt'>Which also doesnt’help, and have disabled -> Dangerous Content Scanning = no<o:p></o:p></p><p style='margin:0cm;margin-bottom:.0001pt'><o:p> </o:p></p><p style='margin:0cm;margin-bottom:.0001pt'>We could anly see such messages with the following log entries:<o:p></o:p></p><p style='margin:0cm;margin-bottom:.0001pt'>May 13 02:30:02 mx01 MailScanner[25323]: <span style='color:#C33720'>Content Checks</span>: Detected and have disarmed KILLED tags in HTML message in D1A4AA0DBC.A33FC from <a href="mailto:some_address@returns.groups.yahoo.com" target="_blank">some_address@returns.groups.yahoo.com</a><o:p></o:p></p><p style='margin:0cm;margin-bottom:.0001pt'>May 13 02:30:23 mx01 MailScanner[25323]: <span style='color:#C33720'>Content Checks</span>: Detected and have disarmed KILLED tags in HTML message in 11057A0844.AB59A from <a href="mailto:some_address@coldiretti.it" target="_blank">some_address@coldiretti.it</a><o:p></o:p></p><p style='margin:0cm;margin-bottom:.0001pt'>May 13 02:33:04 mx01 MailScanner[25323]: <span style='color:#C33720'>Content Checks</span>: Detected and have disarmed KILLED tags in HTML message in 3E0E2A08D7.AAAA3 from <a href="mailto:some_address@googlegroups.com" target="_blank">some_address@googlegroups.com</a><o:p></o:p></p><p style='margin:0cm;margin-bottom:.0001pt'>May 13 02:42:27 mx01 MailScanner[25323]: <span style='color:#C33720'>Content Checks</span>: Detected and have disarmed KILLED tags in HTML message in CEF30A08AC.AE861 from <a href="mailto:some_address@csak1utazas.hu" target="_blank">some_address@csak1utazas.hu</a><o:p></o:p></p><p style='margin:0cm;margin-bottom:.0001pt'>May 13 02:53:05 mx01 MailScanner[25323]: <span style='color:#C33720'>Content Checks</span>: Detected and have disarmed KILLED tags in HTML message in 0A11DA0844.ABECC from <a href="mailto:some_address@coldiretti.it" target="_blank">some_address@coldiretti.it</a><o:p></o:p></p><p style='margin:0cm;margin-bottom:.0001pt'>May 13 03:16:25 mx01 MailScanner[25323]: <span style='color:#C33720'>Content Checks</span>: Detected and have disarmed KILLED tags in HTML message in 10455A0844.AF1FC from <a href="mailto:some_address@paypal.at" target="_blank">some_address@paypal.at</a><o:p></o:p></p><p style='margin:0cm;margin-bottom:.0001pt'>May 13 03:23:18 mx01 MailScanner[25323]: <span style='color:#C33720'>Content Checks</span>: Detected and have disarmed KILLED tags in HTML message in CC42FA0844.A3738 from <a href="mailto:some_address@billa.at" target="_blank">some_address@billa.at</a><o:p></o:p></p><p style='margin:0cm;margin-bottom:.0001pt'>May 13 03:34:55 mx01 MailScanner[25323]: <span style='color:#C33720'>Content Checks</span>: Detected and have disarmed KILLED tags in HTML message in 6306AA08AC.A8311 from <a href="mailto:some_address@coldiretti.it" target="_blank">some_address@coldiretti.it</a><o:p></o:p></p><p style='margin:0cm;margin-bottom:.0001pt'>May 13 03:37:06 mx01 MailScanner[25323]: <span style='color:#C33720'>Content Checks</span>: Detected and have disarmed KILLED tags in HTML message in BF3ECA08AC.A7E73 from <a href="mailto:some_address@amazonses.com" target="_blank">some_address@amazonses.com</a><o:p></o:p></p><p style='margin:0cm;margin-bottom:.0001pt'>May 13 03:46:35 mx01 MailScanner[25323]: <span style='color:#C33720'>Content Checks</span>: Detected and have disarmed KILLED tags in HTML message in EAE58A0DBC.A86E2 from <a href="mailto:some_address@vetmeduni.ac.at" target="_blank">some_address@vetmeduni.ac.at</a><o:p></o:p></p><p style='margin:0cm;margin-bottom:.0001pt'>May 13 03:57:43 mx01 MailScanner[25323]: <span style='color:#C33720'>Content Checks</span>: Detected and have disarmed KILLED tags in HTML message in 0B375A08AC.AAEB0 from <a href="mailto:some_address@xing.com" target="_blank">some_address@xing.com</a><o:p></o:p></p><p style='margin:0cm;margin-bottom:.0001pt'><o:p> </o:p></p><p style='margin:0cm;margin-bottom:.0001pt'>Here are the whole log entris for a particular mail:<o:p></o:p></p><p style='margin:0cm;margin-bottom:.0001pt'><o:p> </o:p></p><p style='margin:0cm;margin-bottom:.0001pt'>May 13 03:46:23 mx01 postfix/smtpd[29099]: <span style='color:#C33720'>EAE58A0DBC</span>: client=<a href="http://mail.meduniwien.ac.at" target="_blank">mail.meduniwien.ac.at</a>[149.148.224.72]<o:p></o:p></p><p style='margin:0cm;margin-bottom:.0001pt'>May 13 03:46:23 mx01 postfix/cleanup[29649]: <span style='color:#C33720'>EAE58A0DBC</span>: hold: header Received: from <a href="http://mailfp2.srv.meduniwien.ac.at" target="_blank">mailfp2.srv.meduniwien.ac.at</a> (<a href="http://mail.meduniwien.ac.at" target="_blank">mail.meduniwien.ac.at</a> [149.148.224.72])??by <a href="http://mx01.mail.netstorage.at" target="_blank">mx01.mail.netstorage.at</a> (Postfix) with ESMTPS id <span style='color:#C33720'>EAE58A0DBC</span>??for <<a href="mailto:some_address@jensen-jarolim.at" target="_blank">some_address@jensen-jarolim.at</a>>; Fri, 13 May 2016 03 from <a href="http://mail.meduniwien.ac.at" target="_blank">mail.meduniwien.ac.at</a>[149.148.224.72]; from=<<a href="mailto:some_address@vetmeduni.ac.at" target="_blank">some_address@vetmeduni.ac.at</a>> to=<<a href="mailto:some_address@jensen-jarolim.at" target="_blank">some_address@jensen-jarolim.at</a>> proto=ESMTP helo=<<a href="http://mailfp2.srv.meduniwien.ac.at" target="_blank">mailfp2.srv.meduniwien.ac.at</a>><o:p></o:p></p><p style='margin:0cm;margin-bottom:.0001pt'>May 13 03:46:23 mx01 postfix/cleanup[29649]: <span style='color:#C33720'>EAE58A0DBC</span>: message-id=<<a href="mailto:8b7eb9021b7f725b13b26feb1fd22385@mlgns.com" target="_blank">8b7eb9021b7f725b13b26feb1fd22385@mlgns.com</a>><o:p></o:p></p><p style='margin:0cm;margin-bottom:.0001pt'>May 13 03:46:23 mx01 postfix/cleanup[29649]: <span style='color:#C33720'>EAE58A0DBC</span>: resent-message-id=<<a href="mailto:20160513014548.2CFA8EE2DE@mail.vu-wien.ac.at" target="_blank">20160513014548.2CFA8EE2DE@mail.vu-wien.ac.at</a>><o:p></o:p></p><p style='margin:0cm;margin-bottom:.0001pt'>May 13 03:46:35 mx01 MailScanner[25323]: Content Checks: Detected and have disarmed KILLED tags in HTML message in <span style='color:#C33720'>EAE58A0DBC</span>.A86E2 from <a href="mailto:some_address@vetmeduni.ac.at" target="_blank">some_address@vetmeduni.ac.at</a><o:p></o:p></p><p style='margin:0cm;margin-bottom:.0001pt'>May 13 03:46:35 mx01 MailScanner[25323]: Requeue: <span style='color:#C33720'>EAE58A0DBC</span>.A86E2 to D0A8EA15C3<o:p></o:p></p><p style='margin:0cm;margin-bottom:.0001pt'>May 13 03:46:35 mx01 postfix/qmgr[27970]: <span style='color:#C33720'>D0A8EA15C3</span>: from=<<a href="mailto:some_address@vetmeduni.ac.at" target="_blank">some_address@vetmeduni.ac.at</a>>, size=25282, nrcpt=1 (queue active)<o:p></o:p></p><p style='margin:0cm;margin-bottom:.0001pt'>May 13 03:46:36 mx01 postfix/smtp[29822]: <span style='color:#C33720'>D0A8EA15C3</span>: to=<<a href="mailto:some_address@jensen-jarolim.at" target="_blank">some_address@jensen-jarolim.at</a>>, relay=<a href="http://mailfilter01.crossip.net" target="_blank">mailfilter01.crossip.net</a>[89.207.144.61]:25, delay=12, delays=11/0.01/0.54/0.23, dsn=2.0.0, status=sent (250 Ok: queued as 3578F5C00D2)<o:p></o:p></p><p style='margin:0cm;margin-bottom:.0001pt'>May 13 03:46:36 mx01 postfix/qmgr[27970]: <span style='color:#C33720'>D0A8EA15C3</span>: removed<o:p></o:p></p><p style='margin:0cm;margin-bottom:.0001pt'><o:p> </o:p></p><p style='margin:0cm;margin-bottom:.0001pt'><o:p> </o:p></p><p style='margin:0cm;margin-bottom:.0001pt'>We have also done the test for missing Perl extensions, and all are present.<o:p></o:p></p><p style='margin:0cm;margin-bottom:.0001pt'><o:p> </o:p></p><p style='margin:0cm;margin-bottom:.0001pt'>We could catch some of these emails and will directly forward them to <span style='background:white'>Jerry Benton</span><o:p></o:p></p></div><div><div><div><p class=MsoNormal><span style='color:black'><o:p> </o:p></span></p></div><div><div><p class=MsoNormal><span style='color:black'>Mit freundlichen Grüßen,<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='color:black'>With best regards,<o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=DE style='color:black'> </span><span style='color:black'><o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=DE style='color:black'>Michael Böttger</span><span style='color:black'><o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.5pt;font-family:"Calibri",sans-serif;color:black'><o:p> </o:p></span></p></div></div></div></div></div><p class=MsoNormal style='margin-bottom:12.0pt'><br><br><br>--<br>MailScanner mailing list<br><a href="mailto:mailscanner@lists.mailscanner.info">mailscanner@lists.mailscanner.info</a><br><a href="http://lists.mailscanner.info/listinfo/mailscanner" target="_blank">http://lists.mailscanner.info/listinfo/mailscanner</a><br><br><o:p></o:p></p></blockquote></div><p class=MsoNormal><br><br clear=all><o:p></o:p></p><div><p class=MsoNormal><o:p> </o:p></p></div><p class=MsoNormal>-- <o:p></o:p></p><div><div><div><div><div><div><p class=MsoNormal>Shawn Iverson<o:p></o:p></p><div><p class=MsoNormal>Director of Technology<o:p></o:p></p></div><div><p class=MsoNormal>Rush County Schools<o:p></o:p></p></div><div><p class=MsoNormal>765-932-3901 x271<o:p></o:p></p></div><div><p class=MsoNormal><a href="mailto:iversons@rushville.k12.in.us" target="_blank">iversons@rushville.k12.in.us</a><o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal><img border=0 width=96 height=39 id="_x0000_i1025" src="https://docs.google.com/uc?export=download&id=0Bw5iD0ToYvs_UFV2VFdmNG1SaVE&revid=0Bw5iD0ToYvs_U3VaVlpuTFBtak9QZXVRL3FmRUd2d0laTkZRPQ"><o:p></o:p></p></div></div></div></div></div></div></div></div></div></body></html>