Detected and have disarmed denialofservice tags in HTML message

Post by uzisuicida »

Hello, I have had a problem for a few weeks now: MailScanner produces an error with the following message:

Sep 20 11:05:09 ........... MailScanner[8070]: HTML Img tag found in message 4HCqC61ccpz7kC8 from .....
Sep 20 11:05:11 .... MailScanner[8070]: Content Checks: Detected and have disarmed denialofservice tags in HTML message in 4HCqC61ccpz7kC8 from .........

I still can't understand why, nor can I give a solution.

Post by toth.szabolcs »

Hello!

We also have many similar problems; our users are angry because we can't find the solution.

Sep 21 12:24:49 sf MailScanner[71686]: <A> tag found in message 4HDHbx5SZbzC8D7 from xy
Sep 21 12:24:53 sf MailScanner[71686]: Content Checks: Detected and have disarmed denialofservice tags in HTML message in 4HDHbx5SZbzC8D7 from xy
Sep 21 12:24:53 sf MailScanner[71686]: Quarantined message 4HDHbx5SZbzC8D7 as it caused MailScanner to crash several times

Important emails go to quarantine; later the users send them again and the same emails are delivered.

Can someone help us?
Best Regards, Szabolcs!

Post by mfull »

Hello,

I have the same or a similar problem here. We are running eFa4.0.4-18.eFa.el7, and some of our mails with HTML signatures go to quarantine. We also noticed that this event causes the MailWatch service to hang, and no new mails are updated in the GUI. After 3 hours or so, the service recovers by itself.

Full error log:

Sep 23 11:48:53 mx MailScanner[68287]: New Batch: Scanning 1 messages, 7840 bytes
Sep 23 11:48:53 mx MailScanner[68287]: Virus and Content Scanning: Starting
Sep 23 11:48:53 mx MailScanner[68287]: <A> tag found in message 4HFVjb4vpSz5462m from xxxxx@xxxx.xx
Sep 23 11:48:53 mx MailScanner[68287]: Spam Checks: Starting
Sep 23 11:48:54 mx MailScanner[68287]: HTML disarming died, status = 13
Sep 23 11:48:54 mx MailScanner[68287]: Content Checks: Detected and have disarmed denialofservice tags in HTML message in 4HFVjb4vpSz5462m from xxxxx@xxxx.xx
Sep 23 11:48:54 mx MailScanner[68287]: Quarantined message 4HFVjb4vpSz5462m as it caused MailScanner to crash several times
Sep 23 11:48:54 mx MailScanner[68287]: Saved entire message to /var/spool/MailScanner/quarantine/20210923/4HFVjb4vpSz5462m
Sep 23 11:48:54 mx MailScanner[68287]: Deleted 1 messages from processing-database

Our current solution is to monitor and release quarantined mails from the console (since we don't see them in the MailWatch GUI):

cat /var/log/maillog | grep "disarmed denialofservice tags"
Sep 23 11:48:54 mx MailScanner[68287]: Content Checks: Detected and have disarmed denialofservice tags in HTML message in 4HFVjb4vpSz5462m from ….

And then to release them manually:

/usr/sbin/sendmail.postfix -t  < /var/spool/MailScanner/quarantine/20210923/4HFVjb4vpSz5462m/message

After that we recover MailWatch:
Stopping the MailScanner service:

systemctl stop mailscanner

Manually killing the hung MailScanner process which prevents MailWatch SQL from starting:

kill -9 process_pid

And then restarting the MailScanner service again; after that we have only healthy processes:

 91080 ?        S      0:00 MailWatch SQL
 91082 ?        Ss     0:00 MailScanner: starting children
 91083 ?        S      0:01  \_ MailScanner: waiting for messages
 91239 ?        S      0:01  \_ MailScanner: waiting for messages
 91250 ?        S      0:01  \_ MailScanner: starting children

Hope that this helps, and that a fix for this will be provided soon.
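
A way to automate the grep-and-locate step described in the post above, as an added example that is not part of the original posts and not eFa or MailScanner code: it correlates MailScanner log lines by message ID and process ID to list each flagged message, whether a disarming child died just before it, and where it was quarantined. The sample log is constructed in the format quoted above, and attributing a "died" line to the next flagged message from the same PID is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the log lines quoted in this thread.
SAMPLE_LOG = """\
Sep 23 11:48:53 mx MailScanner[68287]: <A> tag found in message 4HFVjb4vpSz5462m from a@example.org
Sep 23 11:48:54 mx MailScanner[68287]: HTML disarming died, status = 13
Sep 23 11:48:54 mx MailScanner[68287]: Content Checks: Detected and have disarmed denialofservice tags in HTML message in 4HFVjb4vpSz5462m from a@example.org
Sep 23 11:48:54 mx MailScanner[68287]: Quarantined message 4HFVjb4vpSz5462m as it caused MailScanner to crash several times
Sep 23 11:48:54 mx MailScanner[68287]: Saved entire message to /var/spool/MailScanner/quarantine/20210923/4HFVjb4vpSz5462m
Sep 23 11:49:10 mx MailScanner[68301]: Content Checks: Detected and have disarmed denialofservice tags in HTML message in 4HFVkc1aaaz0000x from b@example.org
"""

LINE = re.compile(r"^\w{3}\s+\d+ [\d:]+ \S+ MailScanner\[(\d+)\]: (.*)$")
DIED = re.compile(r"HTML disarming died, status = (\d+)")
DOS = re.compile(r"disarmed denialofservice tags in HTML message in (\S+)")
QUAR = re.compile(r"Quarantined message (\S+) as it caused MailScanner to crash")
SAVED = re.compile(r"Saved entire message to (\S+)$")

def triage(log_text):
    """Return {message_id: details} for every message flagged as denialofservice."""
    pending = {}  # pid -> status of a disarming child that just died (assumed pairing)
    report = defaultdict(lambda: {"died_status": None, "quarantined": False, "path": None})
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # not a MailScanner line
        pid, msg = m.groups()
        if (d := DIED.search(msg)):
            pending[pid] = int(d.group(1))
        elif (d := DOS.search(msg)):
            report[d.group(1)]["died_status"] = pending.pop(pid, None)
        elif (d := QUAR.search(msg)) and d.group(1) in report:
            report[d.group(1)]["quarantined"] = True
        elif (d := SAVED.search(msg)):
            msg_id = d.group(1).rsplit("/", 1)[-1]  # last path component is the ID
            if msg_id in report:
                report[msg_id]["path"] = d.group(1)
    return dict(report)

if __name__ == "__main__":
    for msg_id, info in triage(SAMPLE_LOG).items():
        print(msg_id, info)
```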

Post by machabot »

Same here, I had to reboot the server to solve the issue after restarting MailScanner failed. Any hint on this issue?

Post by shawniverson »

Possible workaround for this crude detection of DOS:

/etc/MailScanner/MailScanner.conf

Ignore Denial Of Service = yes

This doesn't solve the problem but it does keep messages from getting quarantined. As for getting to the root cause, can anyone determine if anything else stands out in any logs? Signal 13 is basically a permission denied from the kernel to create the fork and pipe. How busy are these systems that are affected?

Post by shawniverson »

Someone willing to test this PR?

https://github.com/MailScanner/v5/pull/557

Post by machabot »

I'll give it a try

Post by 1an3 »

shawniverson wrote: 13 Oct 2021 22:46
Possible workaround for this crude detection of DOS:

/etc/MailScanner/MailScanner.conf

Ignore Denial Of Service = yes

This doesn't solve the problem but it does keep messages from getting quarantined. As for getting to the root cause, can anyone determine if anything else stands out in any logs? Signal 13 is basically a permission denied from the kernel to create the fork and pipe. How busy are these systems that are affected?

I've started seeing more of these entries for "caused mailscanner to crash several times" this week.

/var/log/maillog-20211117.gz:0
/var/log/maillog-20211118.gz:0
/var/log/maillog-20211119.gz:0
/var/log/maillog-20211120:0
/var/log/maillog-20211121:55
/var/log/maillog-20211122:211
/var/log/maillog-20211123:562
/var/log/maillog-20211124:0
/var/log/maillog-20211125:573


This last week we've handled anywhere between 20-31,000 messages on a working day.

Happy to provide log samples, sample message, if it helps.

Post by machabot »

It did the same thing this afternoon. No more stats in MailWatch, lots of "denialofservice" in maillog for about 1,5 hours for many HTML emails. I had something similar yesterday without the MailWatch issue. I tried the patch shawniverson posted last month yesterday. It doesn't seem to fix the issue if it's the same problem. Restarting MailScanner is not enough; I had to reboot the server each time. I tried to send two similar emails last month when it first occurred. The first time, it didn't go through. The second time, it did. It did not the third time. Well, you understand it's kind of random, maybe related to one child process when the others are fine...
I will change this option to see if it resolves the issue: Ignore Denial Of Service = yes

I can send emails and logs if you want.
Last edited by machabot on 25 Nov 2021 20:45, edited 1 time in total.

Post by shawniverson »

Please let me know if you are still seeing this behavior on eFa-4.0.4-25. I stopped closing the pipe in the child to prevent the case of a double close on the pipe (Signal 13 will happen when the pipe no longer exists, which I'm convinced is happening here). If it is still happening, I will need to set the child to remain and be closed by the parent only.

To check your release level:

rpm -qa | grep eFa-4.0.4
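
The post above ties the "HTML disarming died, status = 13" log line to signal 13 on a pipe that no longer exists. As an added illustration (not MailScanner or eFa code), this Python sketch forks a child that writes to a pipe with no reader and decodes the parent's wait status, once with the default SIGPIPE action and once with SIGPIPE ignored. Reading the logged value as a raw wait status is an assumption; the function names are hypothetical.

```python
import errno
import os
import signal

def write_to_closed_pipe(ignore_sigpipe):
    """Fork a child that writes to a pipe with no reader; return its raw wait status."""
    r, w = os.pipe()
    os.close(r)                      # no read end remains anywhere
    pid = os.fork()
    if pid == 0:                     # child: stand-in for a worker reporting over a pipe
        try:
            # Python ignores SIGPIPE at startup; restore the default action unless asked not to.
            signal.signal(signal.SIGPIPE,
                          signal.SIG_IGN if ignore_sigpipe else signal.SIG_DFL)
            os.write(w, b"disarmed output")  # default action: the kernel kills the child here
            os._exit(0)
        except OSError as exc:
            os._exit(exc.errno)      # SIGPIPE ignored: write() fails with EPIPE instead
        except BaseException:
            os._exit(99)             # never let the child return into the caller
    os.close(w)
    _, status = os.waitpid(pid, 0)
    return status

def describe(status):
    """Decode a raw wait status into a signal death or an exit code."""
    if os.WIFSIGNALED(status):
        sig = os.WTERMSIG(status)
        return "killed by signal %d (%s)" % (sig, signal.Signals(sig).name)
    return "exited with code %d" % os.WEXITSTATUS(status)

if __name__ == "__main__":
    for ignore in (False, True):
        status = write_to_closed_pipe(ignore)
        print("ignore_sigpipe=%s raw=%d -> %s" % (ignore, status, describe(status)))
```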

Post by machabot »

Fine. I will plan an upgrade tonight. We are still using 4.0.4_18

Post by machabot »

There doesn't seem to be any update available???? Is there a way to install it manually?

sudo yum update
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
epel/x86_64/metalink | 15 kB 00:00
* base: centos.mirror.ca.planethoster.net
* eFa4: dl7.efa-project.org
* epel: mirror.dst.ca
* extras: centos.mirror.ca.planethoster.net
* updates: centos.mirror.ca.planethoster.net
base | 3.6 kB 00:00
eFa4 | 2.9 kB 00:00
extras | 2.9 kB 00:00
ius | 1.3 kB 00:00
updates | 2.9 kB 00:00
No packages marked for update


"rpm -qa | grep eFa-4.0.4" gives "eFa-4.0.4-18.eFa.el7.noarch"

I already commented out those lines yesterday in usr/share/MailScanner/perl/MailScanner/Message.pm ... without any success...
# Instead of closing pipe immediately and exiting, rely on p$
# https://github.com/MailScanner/v5/issues/546
#$pipe->close;
#$pipe = undef;
Last edited by machabot on 25 Nov 2021 21:57, edited 1 time in total.

Post by shawniverson »

Looks like dl7 is lagging behind, let me force an rsync...

Post by shawniverson »

Got confirmation that the issue is not resolved. I have refactored and am implementing a fix for eFa-4.0.4-26. I'll post once it is ready.

Post by shawniverson »

eFa-4.0.4-26 released with fix

Post by 1an3 »

shawniverson wrote: 25 Nov 2021 22:14 eFa-4.0.4-26 released with fix
Thanks v much shawn I will update next week.

Post by machabot »

Updated during the weekend. So far so good. I'll let you know.