<div dir="ltr">drwxrwxr-x 6 postfix www-data 4096 Nov 15 13:17 MailScanner<div><br></div><div><div>drwxrwxr-x 2 postfix www-data 4096 Nov 9 14:12 archive</div><div>drwxrwx--- 10 root mtagroup 4096 Dec 8 08:01 incoming</div><div>drwxrwxr-x 32 root www-data 4096 Dec 8 00:02 quarantine</div><div>-rw------- 1 postfix postfix 23 Nov 15 13:14 servers</div><div>drwxrwxr-x 2 postfix www-data 4096 Nov 9 14:23 spamassassin</div><div><br></div><div><br></div><div>some of my settings in MailScanner.conf</div><div><div>Incoming Work Group = mtagroup</div></div><div>Incoming Work Permissions = 0660<br></div><div><div>Quarantine User = root</div><div>Quarantine Group = www-data</div></div><div><br></div><div>Thank you for your help!</div><div><br></div></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Dec 8, 2016 at 1:49 AM, Mark Sapiro <span dir="ltr"><<a href="mailto:mark@msapiro.net" target="_blank">mark@msapiro.net</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">On 12/07/2016 01:55 PM, Jason Waters wrote:<br>
><br>
> MailScanner was attacked by a Denial Of Service attack, and has<br>
> therefore deleted this part of the message. Please contact your e-mail<br>
> providers for more information if you need it, giving them the whole of<br>
> this report. Attack in:<br>
> /var/spool/MailScanner/<wbr>incoming/6797/25ACEE03FD.<wbr>AE977/nmsg-6797-37.html<br>
<br>
<br>
</span>This file only exists during processing. It's gone by the time you see<br>
this message.<br>
<br>
You may find the message in<br>
/var/spool/MailScanner/<wbr>quarantine/20161207/<wbr>25ACEE03FD.AE977/message, but<br>
probably not. In any case, I think the error is permission related and<br>
doesn't depend on the message content.<br>
<span class=""><br>
<br>
> Here is the log file(cat /var/log/mail.log|grep "25ACEE03FD.AE977" -B5 -A5)<br>
><br>
><br>
><br>
</span>> Dec 7 12:59:47 mailscanner MailScanner[6797]: <A> '<br>
> 25ACEE03FD.AE977 from <a href="mailto:user@remoteemail.com">user@remoteemail.com</a> <mailto:<a href="mailto:user@remoteemail.com">user@remoteemail.com</a>><br>
<span class="">><br>
> Dec 7 12:59:47 mailscanner MailScanner[6797]: HTML Img tag found in<br>
> message 25ACEE03FD.AE977 from <a href="mailto:user@remoteemail.com">user@remoteemail.com</a><br>
</span>> <mailto:<a href="mailto:user@remoteemail.com">user@remoteemail.com</a>><br>
<span class="">><br>
> Dec 7 12:59:47 mailscanner MailScanner[6797]: Whitelist refresh time<br>
> reached<br>
><br>
> Dec 7 12:59:47 mailscanner MailScanner[6797]: Starting up SQL Whitelist<br>
><br>
> Dec 7 12:59:47 mailscanner MailScanner[6797]: Read 66 whitelist entries<br>
><br>
> Dec 7 12:59:56 mailscanner MailScanner[6797]: HTML disarming died,<br>
> status = 13<br>
<br>
<br>
</span>MailScanner forks a child to do the actual HTML parse and disarm. The<br>
child died with error 13 which is a permissions issue. What is<br>
ownership and permissions on /var/spool/MailScanner/ and its various<br>
subdirectories?<br>
<span class=""><br>
<br>
> Dec 7 12:59:56 mailscanner MailScanner[6797]: Content Checks: Detected<br>
> and have disarmed KILLED tags in HTML message in 25ACEE03FD.AE977<br>
</span>> from <a href="mailto:user@remoteemail.com">user@remoteemail.com</a> <mailto:<a href="mailto:user@remoteemail.com">user@remoteemail.com</a>><br>
<br>
<br>
This is a direct result of the above. It just says the disarming died.<br>
<span class="HOEnZb"><font color="#888888"><br>
<br>
--<br>
Mark Sapiro <<a href="mailto:mark@msapiro.net">mark@msapiro.net</a>> The highway is for gamblers,<br>
San Francisco Bay Area, California better use your sense - B. Dylan<br>
<br>
<br>
--<br>
MailScanner mailing list<br>
<a href="mailto:mailscanner@lists.mailscanner.info">mailscanner@lists.mailscanner.<wbr>info</a><br>
<a href="http://lists.mailscanner.info/mailman/listinfo/mailscanner" rel="noreferrer" target="_blank">http://lists.mailscanner.info/<wbr>mailman/listinfo/mailscanner</a><br>
<br>
</font></span></blockquote></div><br></div>