
Detected and have disarmed denialofservice tags in HTML message

Posted: 20 Sep 2021 17:52
by uzisuicida
Hello, I have had a problem for a few weeks now: MailScanner produces an error with the following message:

Sep 20 11:05:09 ........... MailScanner[8070]: HTML Img tag found in message 4HCqC61ccpz7kC8 from .....
Sep 20 11:05:11 .... MailScanner[8070]: Content Checks: Detected and have disarmed denialofservice tags in HTML message in 4HCqC61ccpz7kC8 from .........

I still can't understand why, nor can I give a solution.

Re: Detected and have disarmed denialofservice tags in HTML message

Posted: 21 Sep 2021 11:51
by toth.szabolcs
Hello!

We also have many similar problems; our users are angry because we can't find the solution.

Sep 21 12:24:49 sf MailScanner[71686]: <A> tag found in message 4HDHbx5SZbzC8D7 from xy
Sep 21 12:24:53 sf MailScanner[71686]: Content Checks: Detected and have disarmed denialofservice tags in HTML message in 4HDHbx5SZbzC8D7 from xy
Sep 21 12:24:53 sf MailScanner[71686]: Quarantined message 4HDHbx5SZbzC8D7 as it caused MailScanner to crash several times

Important emails go to quarantine; later the users send them again and the same emails are delivered.

Can someone help us?
Best Regards, Szabolcs!

Re: Detected and have disarmed denialofservice tags in HTML message

Posted: 23 Sep 2021 12:13
by mfull
Hello,

I have the same or a similar problem here: we are running eFa4.0.4-18.eFa.el7, and some of our mails with HTML signatures go to quarantine. We also noticed that this event triggers the Mailwatch service to hang, while no new mails are updated in the GUI. After 3 hours or so, the service recovers by itself.

Full error log:

Code:

Sep 23 11:48:53 mx MailScanner[68287]: New Batch: Scanning 1 messages, 7840 bytes
Sep 23 11:48:53 mx MailScanner[68287]: Virus and Content Scanning: Starting
Sep 23 11:48:53 mx MailScanner[68287]: <A> tag found in message 4HFVjb4vpSz5462m from xxxxx@xxxx.xx
Sep 23 11:48:53 mx MailScanner[68287]: Spam Checks: Starting
Sep 23 11:48:54 mx MailScanner[68287]: HTML disarming died, status = 13
Sep 23 11:48:54 mx MailScanner[68287]: Content Checks: Detected and have disarmed denialofservice tags in HTML message in 4HFVjb4vpSz5462m from xxxxx@xxxx.xx
Sep 23 11:48:54 mx MailScanner[68287]: Quarantined message 4HFVjb4vpSz5462m as it caused MailScanner to crash several times
Sep 23 11:48:54 mx MailScanner[68287]: Saved entire message to /var/spool/MailScanner/quarantine/20210923/4HFVjb4vpSz5462m
Sep 23 11:48:54 mx MailScanner[68287]: Deleted 1 messages from processing-database

Our current solution is to monitor and release quarantined mails from the console (since we don’t see them in the Mailwatch GUI):

Code:

cat /var/log/maillog | grep "disarmed denialofservice tags"
Sep 23 11:48:54 mx MailScanner[68287]: Content Checks: Detected and have disarmed denialofservice tags in HTML message in 4HFVjb4vpSz5462m from ….

And then to release them manually:

Code:

/usr/sbin/sendmail.postfix -t < /var/spool/MailScanner/quarantine/20210923/4HFVjb4vpSz5462m/message

After that we recover Mailwatch:
Stopping the MailScanner service:

Code:

systemctl stop mailscanner

Manually killing the hung MailScanner process, which prevents Mailwatch SQL from starting:

Code:

kill -9 process_pid

And then restarting the MailScanner service again; after that we have only healthy processes:

Code:

91080 ?        S      0:00 MailWatch SQL
91082 ?        Ss     0:00 MailScanner: starting children
91083 ?        S      0:01  \_ MailScanner: waiting for messages
91239 ?        S      0:01  \_ MailScanner: waiting for messages
91250 ?        S      0:01  \_ MailScanner: starting children

Hope that this helps, and that a fix for this will be provided soon.
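
The maillog search in the post above can be narrowed to messages that were actually saved to quarantine, with the disarm exit status and crash flag attached to each. This is an added example, not part of the original posts or of MailScanner; the function names and the EXAMPLEID lines are constructed, and it assumes the "HTML disarming died" line is logged by the same MailScanner child just before the denialofservice line, as in the log above.

```shell
#!/bin/sh
# Added example (not from the thread). Real use:
#   list_dos_quarantined /var/log/maillog

# Prints "<id> <disarm-status> <crash|nocrash> <quarantine-path>" for each
# message that hit the denialofservice check and was then saved to quarantine.
list_dos_quarantined() {
    awk '
    # Message ID is the word after "message", or after "message in".
    function msgid(   i) {
        for (i = 1; i < NF; i++)
            if ($i == "message")
                return ($(i + 1) == "in") ? $(i + 2) : $(i + 1)
        return ""
    }
    # The "died" line names no message: key its status on the child, field 5.
    /HTML disarming died, status = / { died[$5] = $NF; next }
    /disarmed denialofservice tags/ {
        id = msgid()
        dos[id] = ($5 in died) ? died[$5] : "-"
        delete died[$5]
        next
    }
    /caused MailScanner to crash/ { crash[msgid()] = 1; next }
    /Saved entire message to / {
        n = split($NF, part, "/"); id = part[n]
        if (id in dos)
            print id, dos[id], ((id in crash) ? "crash" : "nocrash"), $NF
    }
    ' "$@"
}

# Sample input: lines 1-5 are the log posted above; the EXAMPLEID lines are
# constructed (an unrelated quarantine, and a hit with no died/crash line).
sample_log() {
    cat <<'EOF'
Sep 23 11:48:53 mx MailScanner[68287]: <A> tag found in message 4HFVjb4vpSz5462m from xxxxx@xxxx.xx
Sep 23 11:48:54 mx MailScanner[68287]: HTML disarming died, status = 13
Sep 23 11:48:54 mx MailScanner[68287]: Content Checks: Detected and have disarmed denialofservice tags in HTML message in 4HFVjb4vpSz5462m from xxxxx@xxxx.xx
Sep 23 11:48:54 mx MailScanner[68287]: Quarantined message 4HFVjb4vpSz5462m as it caused MailScanner to crash several times
Sep 23 11:48:54 mx MailScanner[68287]: Saved entire message to /var/spool/MailScanner/quarantine/20210923/4HFVjb4vpSz5462m
Sep 23 11:50:02 mx MailScanner[68290]: Saved entire message to /var/spool/MailScanner/quarantine/20210923/EXAMPLEID0001
Sep 23 11:51:10 mx MailScanner[68291]: Content Checks: Detected and have disarmed denialofservice tags in HTML message in EXAMPLEID0002 from xxxxx@xxxx.xx
Sep 23 11:51:10 mx MailScanner[68291]: Saved entire message to /var/spool/MailScanner/quarantine/20210923/EXAMPLEID0002
EOF
}

sample_log | list_dos_quarantined
```

A "-" in the status column means no "HTML disarming died" line preceded the detection for that child, which separates disarm crashes from ordinary denialofservice hits.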

Re: Detected and have disarmed denialofservice tags in HTML message

Posted: 12 Oct 2021 19:36
by machabot
Same here, I had to reboot the server to solve the issue after restarting mailscanner failed. Any hint on this issue?

Re: Detected and have disarmed denialofservice tags in HTML message

Posted: 13 Oct 2021 22:46
by shawniverson
Possible workaround for this crude detection of DOS:

/etc/MailScanner/MailScanner.conf

Code:

Ignore Denial Of Service = yes

This doesn't solve the problem, but it does keep messages from getting quarantined. As for getting to the root cause, can anyone determine if anything else stands out in any logs? Signal 13 is basically a permission denied from the kernel to create the fork and pipe. How busy are these systems that are affected?

Re: Detected and have disarmed denialofservice tags in HTML message

Posted: 14 Oct 2021 16:23
by shawniverson
Someone willing to test this PR?

https://github.com/MailScanner/v5/pull/557