Public bug reported:
System: RHEL 7.7
Mailman: mailman-2.1.15-26.el7_4.1.x86_64
Description: We have 2 Mailinglist with > 7000 Members which trigger a spike in
processed bounces (more than 3000 in an sinle run), followed by an Out of
Memory situation in the BounceRunner and an > 20 GB bounce-event-XXXX.pck
file.
We tried to mitigate the problem by increasing the system memory, running the
BoucneRunner
every minute and limiting the number of mails delivered at ounce by postfix.
But it happened again:
Dec 30 19:53:29 2019 (13392) <BounceRunner at 140395473885088>
processing 4134 queued bounces
...
Dec 30 19:53:59 mx09 kernel: [13392] 41 13392 2755797 1874474 5337
825695 0 python
...
Dec 30 19:53:59 mx09 kernel: Out of memory: Kill process 13392 (python) score
896 or sacrifice child
Dec 30 19:53:59 mx09 kernel: Killed process 13392 (python), UID 41,
total-vm:11023188kB, anon-rss:7497896kB, file-rss:0kB, shmem-rss:0kB
We analyzed the bounce-event file, extracting data with "stings".
This time we extracted the postfix mail queue ids from the received headers
with our listserver. We found the following:
cat /tmp/bounce-20191230.txt | sed 's/;//' | sort | uniq -c | sort -n
1 01A7DE9314
1 10F6AE9319
1 18456E930E
1 27D0BAC960
1 3B51CE9316
1 57C2DAC992
1 5D3B2E9310
1 5EF11E9311
1 63054E9312
1 69377E9313
1 ED636E930F
2 29884E9315
2 49ECEAC98D
2 99A16A9DA7
2 (Postfix)
3 59EE1AC995
3 CEB61AC996
192 C12E9D3B48
3929 F2BEEE9318
4122 CC58AAC993
4134 6EFD1A9DA7
As the bounces the last 2 qids are from the original mail send to the list
(6EFD1A9DA7),
and one of mails send by mailman to 500 members of that list (CC58AAC993).
(F2BEEE9318 and C12E9D3B48) are both bounces from members that where deliverd
only once
to /usr/lib/mailman/mail/mailman bounces NAME-OF-HUGE-LIST
So from me it seems that somehow some few bounce where "multiplied" so that ~20
real
bounce produced 4134 virtual bounce.
I see the potential of a deny of service attack, as it could be used
to fill up the disk where the bounce-event files get dumped
But I don't know if this would warrant marking "This bug is a security
vulnerability".
** Affects: mailman
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Mailman
Coders, which is subscribed to GNU Mailman.
https://bugs.launchpad.net/bugs/1859011
Title:
bounce mail processed multiple times -> oom crash of BounceRunner
To manage notifications about this bug go to:
https://bugs.launchpad.net/mailman/+bug/1859011/+subscriptions
_______________________________________________
Mailman-coders mailing list
[email protected]
https://mail.python.org/mailman/listinfo/mailman-coders
