
Detected and have disarmed denialofservice tags in HTML message

Posted: 20 Sep 2021 17:52
by uzisuicida
Hello, I have a problem for a few weeks now, MailScanner produces an error with the following message:

Sep 20 11:05:09 ........... MailScanner[8070]: HTML Img tag found in message 4HCqC61ccpz7kC8 from .....
Sep 20 11:05:11 .... MailScanner[8070]: Content Checks: Detected and have disarmed denialofservice tags in HTML message in 4HCqC61ccpz7kC8 from .........

I still can't understand why, nor can I give a solution.

Re: Detected and have disarmed denialofservice tags in HTML message

Posted: 21 Sep 2021 11:51
by toth.szabolcs
Hello!

We also have many similar problems; our users are angry because we can't find the solution.

Sep 21 12:24:49 sf MailScanner[71686]: <A> tag found in message 4HDHbx5SZbzC8D7 from xy
Sep 21 12:24:53 sf MailScanner[71686]: Content Checks: Detected and have disarmed denialofservice tags in HTML message in 4HDHbx5SZbzC8D7 from xy
Sep 21 12:24:53 sf MailScanner[71686]: Quarantined message 4HDHbx5SZbzC8D7 as it caused MailScanner to crash several times

Important emails go to quarantine; later the users send them again and the same emails are delivered.

Can someone help us?
Best Regards, Szabolcs!

Re: Detected and have disarmed denialofservice tags in HTML message

Posted: 23 Sep 2021 12:13
by mfull
Hello,

I have the same or a similar problem here. We are running eFa4.0.4-18.eFa.el7, and some of our mails with HTML signatures go to quarantine. We also noticed that this event causes the Mailwatch service to hang, and no new mails are updated in the GUI. After 3 or so hours, the service recovers by itself.

Full error log:

Code:

Sep 23 11:48:53 mx MailScanner[68287]: New Batch: Scanning 1 messages, 7840 bytes
Sep 23 11:48:53 mx MailScanner[68287]: Virus and Content Scanning: Starting
Sep 23 11:48:53 mx MailScanner[68287]: <A> tag found in message 4HFVjb4vpSz5462m from xxxxx@xxxx.xx
Sep 23 11:48:53 mx MailScanner[68287]: Spam Checks: Starting
Sep 23 11:48:54 mx MailScanner[68287]: HTML disarming died, status = 13
Sep 23 11:48:54 mx MailScanner[68287]: Content Checks: Detected and have disarmed denialofservice tags in HTML message in 4HFVjb4vpSz5462m from xxxxx@xxxx.xx
Sep 23 11:48:54 mx MailScanner[68287]: Quarantined message 4HFVjb4vpSz5462m as it caused MailScanner to crash several times
Sep 23 11:48:54 mx MailScanner[68287]: Saved entire message to /var/spool/MailScanner/quarantine/20210923/4HFVjb4vpSz5462m
Sep 23 11:48:54 mx MailScanner[68287]: Deleted 1 messages from processing-database

Our current solution is to monitor and release quarantined mails from the console (since we don't see them in the Mailwatch GUI):

Code:

cat /var/log/maillog | grep "disarmed denialofservice tags"
Sep 23 11:48:54 mx MailScanner[68287]: Content Checks: Detected and have disarmed denialofservice tags in HTML message in 4HFVjb4vpSz5462m from ….

And then to release them manually:

Code:

/usr/sbin/sendmail.postfix -t  < /var/spool/MailScanner/quarantine/20210923/4HFVjb4vpSz5462m/message

After that we recover Mailwatch.

Stopping the MailScanner service:

Code:

systemctl stop mailscanner

Manually killing the hung MailScanner process which prevents Mailwatch SQL from starting:

Code:

kill -9 process_pid

And then restarting the MailScanner service again; after that we have only healthy processes:

Code:

 91080 ?        S      0:00 MailWatch SQL
 91082 ?        Ss     0:00 MailScanner: starting children
 91083 ?        S      0:01  \_ MailScanner: waiting for messages
 91239 ?        S      0:01  \_ MailScanner: waiting for messages
 91250 ?        S      0:01  \_ MailScanner: starting children

Hope that this helps, and that a fix for this will be provided soon.

Re: Detected and have disarmed denialofservice tags in HTML message

Posted: 12 Oct 2021 19:36
by machabot
Same here, I had to reboot the server to solve the issue after restarting MailScanner failed. Any hint on this issue?

Re: Detected and have disarmed denialofservice tags in HTML message

Posted: 13 Oct 2021 22:46
by shawniverson
Possible workaround for this crude detection of DOS:

/etc/MailScanner/MailScanner.conf

Code:

Ignore Denial Of Service = yes

This doesn't solve the problem but it does keep messages from getting quarantined. As for getting to the root cause, can anyone determine if anything else stands out in any logs? Signal 13 is basically a permission denied from the kernel to create the fork and pipe. How busy are these systems that are affected?

Re: Detected and have disarmed denialofservice tags in HTML message

Posted: 14 Oct 2021 16:23
by shawniverson
Someone willing to test this PR?

https://github.com/MailScanner/v5/pull/557

Re: Detected and have disarmed denialofservice tags in HTML message

Posted: 24 Nov 2021 14:00
by machabot
I'll give it a try

Re: Detected and have disarmed denialofservice tags in HTML message

Posted: 25 Nov 2021 09:28
by 1an3
shawniverson wrote:
13 Oct 2021 22:46
Possible workaround for this crude detection of DOS:

/etc/MailScanner/MailScanner.conf

Code:

Ignore Denial Of Service = yes

This doesn't solve the problem but it does keep messages from getting quarantined. As for getting to the root cause, can anyone determine if anything else stands out in any logs? Signal 13 is basically a permission denied from the kernel to create the fork and pipe. How busy are these systems that are affected?

I've started seeing more of these entries for "caused mailscanner to crash several times" this week.

/var/log/maillog-20211117.gz:0
/var/log/maillog-20211118.gz:0
/var/log/maillog-20211119.gz:0
/var/log/maillog-20211120:0
/var/log/maillog-20211121:55
/var/log/maillog-20211122:211
/var/log/maillog-20211123:562
/var/log/maillog-20211124:0
/var/log/maillog-20211125:573


This last week we've handled anywhere between 20-31,000 messages on a working day.

Happy to provide log samples, sample message, if it helps.
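
The manual triage described in this thread (grepping maillog for affected messages, then counting them per day) can be done in one pass. This is an added example, not code from the posters or from the MailScanner/eFa project; the function names are hypothetical, and pairing a "disarming died" line with the next quarantine line from the same child PID is an assumption made for the demo.

```python
import re
from collections import Counter

# Sample lines copied from the log posted earlier in this thread (sender already redacted there).
SAMPLE = """\
Sep 23 11:48:53 mx MailScanner[68287]: <A> tag found in message 4HFVjb4vpSz5462m from xxxxx@xxxx.xx
Sep 23 11:48:54 mx MailScanner[68287]: HTML disarming died, status = 13
Sep 23 11:48:54 mx MailScanner[68287]: Content Checks: Detected and have disarmed denialofservice tags in HTML message in 4HFVjb4vpSz5462m from xxxxx@xxxx.xx
Sep 23 11:48:54 mx MailScanner[68287]: Quarantined message 4HFVjb4vpSz5462m as it caused MailScanner to crash several times
Sep 23 11:48:54 mx MailScanner[68287]: Saved entire message to /var/spool/MailScanner/quarantine/20210923/4HFVjb4vpSz5462m
""".splitlines()

LINE = re.compile(r"^(\w{3}\s+\d+) [\d:]{8} \S+ MailScanner\[(\d+)\]: (.*)$")
DIED = re.compile(r"HTML disarming died, status = (\d+)")
CRASH = re.compile(r"Quarantined message (\S+) as it caused MailScanner to crash")
SAVED = re.compile(r"Saved entire message to (\S+/([^/\s]+))$")

def crash_quarantines(lines):
    """Return one record per message quarantined for 'crashing' MailScanner."""
    last_status = {}   # child PID -> most recent 'disarming died' status
    records = {}       # message id -> record
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        day, pid, text = m.groups()
        if d := DIED.search(text):
            last_status[pid] = int(d.group(1))
        elif c := CRASH.search(text):
            records[c.group(1)] = {"id": c.group(1), "day": day,
                                   "status": last_status.pop(pid, None), "path": None}
        elif (s := SAVED.search(text)) and s.group(2) in records:
            records[s.group(2)]["path"] = s.group(1)
    return list(records.values())

def per_day(records):
    """Count crash-quarantines per syslog day."""
    return Counter(r["day"] for r in records)

if __name__ == "__main__":
    for rec in crash_quarantines(SAMPLE):
        print(rec)
    print(dict(per_day(crash_quarantines(SAMPLE))))
```

The `path` field gives the quarantine directory to inspect before any manual release, and a `status` of `None` marks a quarantine that had no preceding "disarming died" line from the same child.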

Re: Detected and have disarmed denialofservice tags in HTML message

Posted: 25 Nov 2021 19:06
by machabot
It did the same thing this afternoon. No more stats in Mailwatch, lots of "denialofservice" in maillog for about 1,5 hours for many HTML emails. I had something similar yesterday without the Mailwatch issue. I tried the patch shawniverson posted last month yesterday. Doesn't seem to fix the issue if it's the same problem. Restarting MailScanner is not enough, I had to reboot the server each time. I tried to send two similar emails last month when it first occurred. First time, it didn't go through. Second time, it did. It did not the third time. Well, you understand it's kind of random, maybe related to one child process when the others are fine...
I will change this option to see if it resolves the issue: Ignore Denial Of Service = yes

I can send emails and logs if you want.

Re: Detected and have disarmed denialofservice tags in HTML message

Posted: 25 Nov 2021 20:40
by shawniverson
Please let me know if you are still seeing this behavior on eFa-4.0.4-25. I stopped closing the pipe in the child to prevent the case of a double close on the pipe (Signal 13 will happen when the pipe no longer exists, which I'm convinced is happening here). If it is still happening, I will need to set the child to remain and be closed by the parent only.

To check your release level:

Code:

rpm -qa | grep eFa-4.0.4
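
The failure mode named in the post above, a write to a pipe that no longer has a reader, can be reproduced in isolation. This is an added example of generic POSIX behaviour, not MailScanner's code or the fix that was shipped; the function names and the exit code 3 are hypothetical, and it takes the post's reading that the logged status 13 is signal 13.

```python
import os
import signal

EXIT_EPIPE = 3  # arbitrary exit code chosen for this demo

def write_to_readerless_pipe(ignore_sigpipe):
    """Fork a child that writes to a pipe with no reader; return its raw wait status."""
    r, w = os.pipe()
    os.close(r)                      # the read end is gone before the child writes
    pid = os.fork()
    if pid == 0:                     # child process
        try:
            signal.signal(signal.SIGPIPE,
                          signal.SIG_IGN if ignore_sigpipe else signal.SIG_DFL)
            os.write(w, b"<html></html>")  # default disposition: killed by SIGPIPE here
            os._exit(0)
        except BrokenPipeError:      # SIGPIPE ignored: write() fails with EPIPE instead
            os._exit(EXIT_EPIPE)
        finally:
            os._exit(2)              # any other failure: never return into the caller
    os.close(w)
    _, status = os.waitpid(pid, 0)
    return status

def describe(status):
    """Decode a wait status the way the parent process sees it."""
    if os.WIFSIGNALED(status):
        return "killed by " + signal.Signals(os.WTERMSIG(status)).name
    return "exited with code %d" % os.WEXITSTATUS(status)

if __name__ == "__main__":
    print(describe(write_to_readerless_pipe(False)))  # default SIGPIPE disposition
    print(describe(write_to_readerless_pipe(True)))   # SIGPIPE ignored, EPIPE handled
```

With the default disposition the parent sees a child terminated by signal 13; with SIGPIPE ignored the same write fails with EPIPE and the child can report the error and exit normally.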

Re: Detected and have disarmed denialofservice tags in HTML message

Posted: 25 Nov 2021 20:49
by machabot
Fine. I will plan an upgrade tonight. We are still using 4.0.4_18

Re: Detected and have disarmed denialofservice tags in HTML message

Posted: 25 Nov 2021 21:41
by machabot
There doesn't seem to be any update available??? Is there a way to install it manually?

sudo yum update
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
epel/x86_64/metalink | 15 kB 00:00
* base: centos.mirror.ca.planethoster.net
* eFa4: dl7.efa-project.org
* epel: mirror.dst.ca
* extras: centos.mirror.ca.planethoster.net
* updates: centos.mirror.ca.planethoster.net
base | 3.6 kB 00:00
eFa4 | 2.9 kB 00:00
extras | 2.9 kB 00:00
ius | 1.3 kB 00:00
updates | 2.9 kB 00:00
No packages marked for update


"rpm -qa | grep eFa-4.0.4" gives "eFa-4.0.4-18.eFa.el7.noarch"

I already commented out those lines yesterday in usr/share/MailScanner/perl/MailScanner/Message.pm ... without any success...
# Instead of closing pipe immediately and exiting, rely on p$
# https://github.com/MailScanner/v5/issues/546
#$pipe->close;
#$pipe = undef;

Re: Detected and have disarmed denialofservice tags in HTML message

Posted: 25 Nov 2021 21:54
by shawniverson
Looks like dl7 is lagging behind, let me force an rsync...

Re: Detected and have disarmed denialofservice tags in HTML message

Posted: 25 Nov 2021 21:57
by shawniverson
Got confirmation that the issue is not resolved. I have refactored and am implementing a fix for eFa-4.0.4-26. I'll post once it is ready.

Re: Detected and have disarmed denialofservice tags in HTML message

Posted: 25 Nov 2021 22:14
by shawniverson
eFa-4.0.4-26 released with fix

Re: Detected and have disarmed denialofservice tags in HTML message

Posted: 26 Nov 2021 11:36
by 1an3
shawniverson wrote:
25 Nov 2021 22:14
eFa-4.0.4-26 released with fix

Thanks v much shawn I will update next week.