Content Checks: Detected and have disarmed...
Posted: 01 Sep 2016 05:31
by SharazJek
i am getting these logged in my maillog:
MailScanner[4953]: Content Checks: Detected and have disarmed KILLED tags in HTML message in 34A10A70.A496E from soandso@foo.com
they are followed by an email to the recipient stating:
MailScanner was attacked by a Denial Of Service attack, and has therefore deleted this part of the message. Please contact your e-mail providers for more information if you need it, giving them the whole of this report. Attack in: /var/spool/MailScanner/incoming/22180/46A402049.AC829/nmsg-22180-2.html
i cannot figure out what the issue is. my platform is CentOS 6.8 using the source install script. everything installed with no error, and 99.99% of emails deliver fine all day.... until the boss gets one of the above. i see this all over google searches, but no one has been able to identify anything definitive.
any advice?
Re: Content Checks: Detected and have disarmed...
Posted: 02 Sep 2016 22:56
by shawniverson
From IRC...
some things to try...
5:05:04 PM spammy 1) check /etc/security/limits.conf and set the following (requires a reboot to take effect)
5:06:26 PM spammy * hard nofile 65535
5:06:35 PM spammy * soft nofile 65535
5:06:44 PM spammy root hard nofile 65535
5:06:52 PM spammy root soft nofile 65535
5:07:48 PM spammy 2) run mailscanner --lint (can run in GUI) and make sure everything looks okay
5:08:37 PM spammy 3) check for sanesecurity sigs in clamav....recent report on mailscanner listserv that this is causing MailScanner to crash
5:08:52 PM spammy also securiteinfo
5:09:40 PM spammy 4) Check memory (this one won't be obvious because MailScanner during a mail spike will try to request a large amount of memory from the host)
5:09:54 PM spammy I have had folks increase up to 8GB to resolve similar issues
Re: Content Checks: Detected and have disarmed...
Posted: 06 Sep 2016 23:46
by SharazJek
welp, i was hopeful, but so far no joy.
BTW, maybe it matters or not, i am running on CentOS (vmware) using the build script.
24 hours after i made the limits.conf change, i got another "eaten" message.
[root@dlp-upmx01 ~]# cat /var/log/maillog|grep KILLED
Sep 6 18:35:10 dlp-upmx01 MailScanner[32070]: Content Checks: Detected and have disarmed KILLED 13 tags in HTML message in 9EC9A12E6.AA1EC from info@meetup.com
MailScanner --lint looks fine.
memory is plateaued with 75% of memory in use and 0kb of swap in use. system has 4GB.
what about item 3, i am not familiar with this one?
Re: Content Checks: Detected and have disarmed...
Posted: 07 Sep 2016 22:55
by shawniverson
Have any memory you can toss at it? Just to humor me?
Take a look in /var/lib/clamav to see which sigs are installed. You can remove the sigs temporarily and restart clamd. You can also disable clamav-unofficial-sigs by temporarily disabling the cron job in /etc/cron.d.
Re: Content Checks: Detected and have disarmed...
Posted: 08 Sep 2016 12:34
by SharazJek
OK. should i delete the sanesecurity file or just relocate it for a while?
done, i bumped it from 6 to 8 process, and from 4 to 8GB of memory. i hope this doesn't fix it... as i have client machines that need to run on just 2 processors, in some cases (i might be able to upgrade it to 4, but this would be a physical thing, as it's not a VM).
Re: Content Checks: Detected and have disarmed...
Posted: 09 Sep 2016 10:32
by SharazJek
i am checking from the CentOS server i built, to the OVF template of the new 3.0.1.3 release.
to remove the Sigs, do you just delete the files in /var/lib/clamav? i am not convinced this is a clamav issue, it appears to be related to html content in the email.
Re: Content Checks: Detected and have disarmed...
Posted: 10 Sep 2016 00:06
by shawniverson
Neither am I....I'm still researching. You may have two issues here.
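
Added example, not part of any post in this thread: a small Python parser for the "Content Checks: Detected and have disarmed" maillog lines quoted above, grouping KILLED events by sender so you can see whether a few sources account for the eaten messages. The function names, the syslog prefix on the first sample line, and the third and fourth sample lines are constructed for illustration.

```python
import re
from collections import Counter

# Matches the MailScanner disarm lines quoted in the thread. The tag count is
# optional: one quoted line reads "KILLED tags", the other "KILLED 13 tags".
DISARM_RE = re.compile(
    r"MailScanner\[(?P<pid>\d+)\]: Content Checks: Detected and have disarmed "
    r"(?P<what>.+?) tags in HTML message in (?P<msgid>\S+) from\s+(?P<sender>\S+)"
)

def parse_disarm_events(lines):
    """Return one dict per disarm line: pid, msgid, sender, killed flag, tag count."""
    events = []
    for line in lines:
        m = DISARM_RE.search(line)
        if not m:
            continue  # not a Content Checks disarm line
        words = m.group("what").split()
        count = next((int(w) for w in words if w.isdigit()), None)
        events.append({
            "pid": int(m.group("pid")),
            "msgid": m.group("msgid"),
            "sender": m.group("sender").lower(),
            "killed": "KILLED" in words,
            "tag_count": count,
        })
    return events

def killed_by_sender(events):
    """Count KILLED events per sender address."""
    return Counter(e["sender"] for e in events if e["killed"])

# Constructed sample input: lines 1-2 carry the messages quoted in the thread,
# lines 3-4 are made up (a repeat sender and an unrelated log line).
SAMPLE = [
    "Sep 1 05:20:11 mx MailScanner[4953]: Content Checks: Detected and have disarmed KILLED tags in HTML message in 34A10A70.A496E from soandso@foo.com",
    "Sep 6 18:35:10 dlp-upmx01 MailScanner[32070]: Content Checks: Detected and have disarmed KILLED 13 tags in HTML message in 9EC9A12E6.AA1EC from info@meetup.com",
    "Sep 6 19:02:44 dlp-upmx01 MailScanner[32070]: Content Checks: Detected and have disarmed KILLED 13 tags in HTML message in 0000000000.00000 from info@meetup.com",
    "Sep 6 19:02:45 dlp-upmx01 postfix/smtpd[1234]: connect from unknown",
]

if __name__ == "__main__":
    for sender, n in killed_by_sender(parse_disarm_events(SAMPLE)).most_common():
        print(f"{n:4d}  {sender}")
```

To run it against a real log, pass `open("/var/log/maillog")` to `parse_disarm_events` instead of `SAMPLE`.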