Discussion:
MailScanner marks messages as DOS attack
simon
2014-03-22 17:12:18 UTC
Dear All,

I have had this issue for some time but was confused about where this
issue was actually coming from.
Many times mails were stopped and marked as a denial of service attack.
This was mostly from Google Groups.

After more investigation I realized the following.

Many of the users have subscribed to Google Groups.
Now when an email is received from a user who belongs to the same group as
our users belong to, maybe about 15 to 20 messages are marked clean.
Subsequent messages are marked RED and the details page shows
denial of service attack.
Also the system becomes very slow as MailScanner consumes the entire CPU,
and the outgoing email takes a long time to reach the recipient.

It remains in the incoming queue for a long time, maybe 10 to 15 minutes at
times.

Now I would like to know any tips and advice as to what I could do to make
MailScanner process these mails at a much better rate, and thereby avoid
MS marking them as DOS attack mails and thereby keep the whole system
from being slow.

regards

simon
Mark Sapiro
2014-03-22 17:52:25 UTC
Post by simon
> After more investigation I realized the following.
> Many of the users have subscribed to Google Groups.
> Now when an email is received from a user who belongs to the same group as
> our users belong to, maybe about 15 to 20 messages are marked clean.
> Subsequent messages are marked RED and the details page shows
> denial of service attack.
> Also the system becomes very slow as MailScanner consumes the entire CPU,
> and the outgoing email takes a long time to reach the recipient.
> It remains in the incoming queue for a long time, maybe 10 to 15 minutes at
> times.

I'm not sure what the underlying issue is in this case, but looking at
the code I think that the DOS attack is raised when one of your virus
scanners times out on a message. You might try looking at logs to see if
you can determine why this happens.

As a workaround, you could establish a "Virus Scanning" ruleset to skip
virus scanning for these messages. See
<http://www.mailscanner.info/MailScanner.conf.index.html#Virus%20Scanning>.
--
Mark Sapiro <mark at msapiro.net> The highway is for gamblers,
San Francisco Bay Area, California better use your sense - B. Dylan
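
One way to follow the suggestion above to look at the logs, as an added example that is not part of the original post or of MailScanner: it pairs each message tagged as a DoS attack with the virus-scanner timeout logged by the same MailScanner child process. The log lines are constructed, their wording is an assumption about what MailScanner writes to the mail log, and `triage` and its patterns are hypothetical names.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample. The message wording is an assumption about what
# MailScanner writes to the mail log; adjust the patterns to your own logs.
SAMPLE_LOG = """\
Mar 22 17:01:10 mx1 MailScanner[2311]: Virus and Content Scanning: Starting
Mar 22 17:06:10 mx1 MailScanner[2311]: Commercial scanner clamav timed out!
Mar 22 17:06:10 mx1 MailScanner[2311]: Virus Scanning: Denial Of Service attack detected!
Mar 22 17:06:12 mx1 MailScanner[2311]: Virus Scanning: Denial Of Service attack is in message 1WRPaB-0004xY-Qm
Mar 22 17:07:02 mx1 MailScanner[2340]: Virus and Content Scanning: Starting
Mar 22 17:07:05 mx1 MailScanner[2340]: Virus Scanning: Found 0 viruses
Mar 22 17:09:30 mx1 MailScanner[2352]: Virus and Content Scanning: Starting
Mar 22 17:14:30 mx1 MailScanner[2352]: Commercial scanner clamav timed out!
Mar 22 17:14:31 mx1 MailScanner[2352]: Virus Scanning: Denial Of Service attack is in message 1WRPcD-0004zA-Rt
"""

LINE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ MailScanner\[(\d+)\]: (.*)$")
TIMEOUT = re.compile(r"scanner (\S+) timed out", re.I)
DOS_MSG = re.compile(r"Denial Of Service attack is in message (\S+)", re.I)

def triage(log_text, year=2014):
    """Link each DoS-tagged message to the scanner timeout in the same child."""
    started, timed_out = {}, {}          # keyed by MailScanner child PID
    timeouts, flagged = Counter(), []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue                     # not a MailScanner syslog line
        when = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        pid, text = m.group(2), m.group(3)
        if text.endswith("Scanning: Starting"):
            started[pid] = when
            timed_out.pop(pid, None)     # new batch, forget the old timeout
        elif (t := TIMEOUT.search(text)):
            timeouts[t.group(1)] += 1
            waited = int((when - started[pid]).total_seconds()) if pid in started else None
            timed_out[pid] = (t.group(1), waited)
        elif (d := DOS_MSG.search(text)):
            scanner, waited = timed_out.get(pid, (None, None))
            flagged.append({"id": d.group(1), "scanner": scanner, "waited_s": waited})
    return {"timeouts": dict(timeouts), "flagged": flagged}

if __name__ == "__main__":
    for item in triage(SAMPLE_LOG)["flagged"]:
        print(item)
```

A `waited_s` value that sits at the configured scanner timeout for every flagged message points at the scanner stalling rather than at the message content; a flagged message with no `scanner` means no timeout was logged by that child.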
Chris Stone
2014-03-25 17:15:41 UTC
I had a similar issue on a server built on CentOS 6 and the latest
MailScanner. Never have found specific messages that cause the problem, but
typically 5-6 times a week, I'd get an alert from our Nagios installation
stating that there were zombie processes on the filtering server. I'd go
look and see MailScanner processing, crashing and looping on messages -
after 6 loops through, putting in the quarantine tagged as DoS message.

So, I tried disabling the Processing Attempts Database by setting:

Maximum Processing Attempts = 0

in MailScanner.conf. I no longer am seeing *any* problem - the crashes have
stopped, the looping has stopped (as expected with disabling), no messages
marked as DoS sources and none quarantined as a result. All appears to be
fine.

So, it kind of looks like something with the Processing Attempts Database
code - although I do use that on a number of other CentOS 4 and CentOS 5
servers without issue.


Chris
--
Chris Stone
AxisInternet, Inc.
www.axint.net
Valentin Laskov
2014-04-22 09:58:25 UTC
Hi,

There are some timeouts configured in MailScanner.conf which you may increase.
You can decrease MailScanner child processes too.

Valentin
