Detected and have disarmed denialofservice tags in HTML message

uzisuicida
Posts: 5
Joined: 24 Jan 2019 06:24

Post by uzisuicida » 20 Sep 2021 17:52

Hello, I have had a problem for a few weeks now: MailScanner produces an error with the following message:

Sep 20 11:05:09 ........... MailScanner[8070]: HTML Img tag found in message 4HCqC61ccpz7kC8 from .....
Sep 20 11:05:11 .... MailScanner[8070]: Content Checks: Detected and have disarmed denialofservice tags in HTML message in 4HCqC61ccpz7kC8 from .........

I still can't understand why, nor can I give a solution.

toth.szabolcs
Posts: 1
Joined: 21 Sep 2021 11:39

Re: Detected and have disarmed denialofservice tags in HTML message

Post by toth.szabolcs » 21 Sep 2021 11:51

Hello!

We also have many similar problems; our users are angry because we can't find the solution.

Sep 21 12:24:49 sf MailScanner[71686]: <A> tag found in message 4HDHbx5SZbzC8D7 from xy
Sep 21 12:24:53 sf MailScanner[71686]: Content Checks: Detected and have disarmed denialofservice tags in HTML message in 4HDHbx5SZbzC8D7 from xy
Sep 21 12:24:53 sf MailScanner[71686]: Quarantined message 4HDHbx5SZbzC8D7 as it caused MailScanner to crash several times

Important emails go to quarantine; later the users send them again and the same emails are delivered.

Can someone help us?
Best Regards, Szabolcs!

mfull
Posts: 1
Joined: 23 Sep 2021 12:08

Re: Detected and have disarmed denialofservice tags in HTML message

Post by mfull » 23 Sep 2021 12:13

Hello,

I have the same or a similar problem here. We are running eFa4.0.4-18.eFa.el7, and some of our mails with HTML signatures go to quarantine. We also noticed that this event causes the Mailwatch service to hang, and no new mails are updated in the GUI. After 3 hours or so, the service recovers by itself.

Full error log:

```
Sep 23 11:48:53 mx MailScanner[68287]: New Batch: Scanning 1 messages, 7840 bytes
Sep 23 11:48:53 mx MailScanner[68287]: Virus and Content Scanning: Starting
Sep 23 11:48:53 mx MailScanner[68287]: <A> tag found in message 4HFVjb4vpSz5462m from xxxxx@xxxx.xx
Sep 23 11:48:53 mx MailScanner[68287]: Spam Checks: Starting
Sep 23 11:48:54 mx MailScanner[68287]: HTML disarming died, status = 13
Sep 23 11:48:54 mx MailScanner[68287]: Content Checks: Detected and have disarmed denialofservice tags in HTML message in 4HFVjb4vpSz5462m from xxxxx@xxxx.xx
Sep 23 11:48:54 mx MailScanner[68287]: Quarantined message 4HFVjb4vpSz5462m as it caused MailScanner to crash several times
Sep 23 11:48:54 mx MailScanner[68287]: Saved entire message to /var/spool/MailScanner/quarantine/20210923/4HFVjb4vpSz5462m
Sep 23 11:48:54 mx MailScanner[68287]: Deleted 1 messages from processing-database
```

Our current solution is to monitor and release quarantined mails from the console (since we don't see them in the Mailwatch GUI):

```
cat /var/log/maillog | grep "disarmed denialofservice tags"
Sep 23 11:48:54 mx MailScanner[68287]: Content Checks: Detected and have disarmed denialofservice tags in HTML message in 4HFVjb4vpSz5462m from ….
```

And then to release them manually:

```
/usr/sbin/sendmail.postfix -t < /var/spool/MailScanner/quarantine/20210923/4HFVjb4vpSz5462m/message
```

After that we recover Mailwatch.

Stopping the MailScanner service:

```
systemctl stop mailscanner
```

Manually killing the hung MailScanner process which prevents Mailwatch SQL from starting:

```
kill -9 process_pid
```

And then restarting the MailScanner service again; after that we have only healthy processes:

```
 91080 ?        S      0:00 MailWatch SQL
 91082 ?        Ss     0:00 MailScanner: starting children
 91083 ?        S      0:01  \_ MailScanner: waiting for messages
 91239 ?        S      0:01  \_ MailScanner: waiting for messages
 91250 ?        S      0:01  \_ MailScanner: starting children
```

Hope that this helps, and that a fix for this will be provided soon.
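
The console triage described in the post above, as an added example (not part of the original posts and not eFa or MailScanner code): it correlates the MailScanner log lines by message ID and child PID and lists the quarantined message files. The log lines are constructed from the ones quoted in this thread; the function names, the sender addresses and the second message ID are assumptions.

```python
import re

# Constructed sample, modelled on the MailScanner log lines quoted in this thread.
SAMPLE_LOG = """\
Sep 23 11:48:53 mx MailScanner[68287]: HTML Img tag found in message 4HFVjb4vpSz5462m from sender@example.com
Sep 23 11:48:54 mx MailScanner[68287]: HTML disarming died, status = 13
Sep 23 11:48:54 mx MailScanner[68287]: Content Checks: Detected and have disarmed denialofservice tags in HTML message in 4HFVjb4vpSz5462m from sender@example.com
Sep 23 11:48:54 mx MailScanner[68287]: Quarantined message 4HFVjb4vpSz5462m as it caused MailScanner to crash several times
Sep 23 11:48:54 mx MailScanner[68287]: Saved entire message to /var/spool/MailScanner/quarantine/20210923/4HFVjb4vpSz5462m
Sep 23 11:49:10 mx MailScanner[68291]: Content Checks: Detected and have disarmed denialofservice tags in HTML message in 4HFVmd2Rt1z5462p from third@example.com
"""

QUARANTINE_ROOT = "/var/spool/MailScanner/quarantine"  # path as it appears in the thread
ID = r"[0-9A-Za-z]+"  # assumption: queue IDs are alphanumeric, as in the quoted logs
LINE = re.compile(r"^\w{3}\s+\d+ [\d:]{8} \S+ MailScanner\[(\d+)\]: (.*)$")
DIED = re.compile(r"^HTML disarming died, status = (\d+)$")
DOS = re.compile(r"^Content Checks: Detected and have disarmed denialofservice tags "
                 rf"in HTML message in ({ID}) from ")
CRASH = re.compile(rf"^Quarantined message ({ID}) as it caused MailScanner to crash")
SAVED = re.compile(rf"^Saved entire message to ({re.escape(QUARANTINE_ROOT)}/\d{{8}}/({ID}))$")


def correlate(log_text):
    """Return {message_id: record} for messages hit by the denialofservice disarm."""
    died_by_pid = {}  # the "died" line carries no message ID, only the child PID
    records = {}
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        pid, text = m.groups()
        if (d := DIED.match(text)):
            died_by_pid[pid] = int(d.group(1))
        elif (d := DOS.match(text)):
            records[d.group(1)] = {"pid": pid, "status": died_by_pid.pop(pid, None),
                                   "crash_quarantined": False, "path": None}
        elif (d := CRASH.match(text)) and d.group(1) in records:
            records[d.group(1)]["crash_quarantined"] = True
        elif (d := SAVED.match(text)) and d.group(2) in records:
            records[d.group(2)]["path"] = d.group(1)  # only paths under QUARANTINE_ROOT
    return records


def release_candidates(records):
    """Message files of crash-quarantined mails, for review before any manual release."""
    return [r["path"] + "/message" for r in records.values()
            if r["crash_quarantined"] and r["path"]]
```

The patterns are anchored and the message ID is restricted to alphanumerics because the sender address in these log lines is supplied by the remote side; a record with `status` set but `crash_quarantined` false was disarmed without being quarantined.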

machabot
Posts: 3
Joined: 03 Mar 2017 18:32

Re: Detected and have disarmed denialofservice tags in HTML message

Post by machabot » 12 Oct 2021 19:36

Same here, I had to reboot the server to solve the issue after restarting mailscanner failed. Any hint on this issue?

shawniverson
Posts: 3452
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA

Re: Detected and have disarmed denialofservice tags in HTML message

Post by shawniverson » 13 Oct 2021 22:46

Possible workaround for this crude detection of DOS:

/etc/MailScanner/MailScanner.conf

```
Ignore Denial Of Service = yes
```

This doesn't solve the problem, but it does keep messages from getting quarantined. As for getting to the root cause, can anyone determine if anything else stands out in any logs? Signal 13 is basically a permission denied from the kernel to create the fork and pipe. How busy are these systems that are affected?

shawniverson
Posts: 3452
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA

Re: Detected and have disarmed denialofservice tags in HTML message

Post by shawniverson » 14 Oct 2021 16:23

Someone willing to test this PR?

https://github.com/MailScanner/v5/pull/557
