[Bug 1859011] [NEW] bounce mail processed multiple times -> oom crash of BounceRunner

Michael Menge 1859011 at bugs.launchpad.net
Thu Jan 9 07:23:27 EST 2020

Public bug reported:

System: RHEL 7.7
Mailman: mailman-2.1.15-26.el7_4.1.x86_64

Description: We have 2 Mailinglist with > 7000 Members which trigger a spike in processed bounces (more than 3000 in an sinle run), followed by an Out of Memory situation in the BounceRunner and an > 20 GB bounce-event-XXXX.pck 

We tried to mitigate the problem by increasing the system memory, running the BoucneRunner 
every minute and limiting the number of mails delivered at ounce by postfix.

But it happened again:

Dec 30 19:53:29 2019 (13392) <BounceRunner at 140395473885088>
processing 4134 queued bounces

Dec 30 19:53:59 mx09 kernel: [13392]    41 13392  2755797  1874474    5337   825695             0 python
Dec 30 19:53:59 mx09 kernel: Out of memory: Kill process 13392 (python) score 896 or sacrifice child
Dec 30 19:53:59 mx09 kernel: Killed process 13392 (python), UID 41, total-vm:11023188kB, anon-rss:7497896kB, file-rss:0kB, shmem-rss:0kB

We analyzed the bounce-event file, extracting data with "stings".
This time we extracted the postfix mail queue ids from the received headers 
with our listserver. We found the following:

cat /tmp/bounce-20191230.txt | sed 's/;//' | sort | uniq -c | sort -n

      1 01A7DE9314
      1 10F6AE9319
      1 18456E930E
      1 27D0BAC960
      1 3B51CE9316
      1 57C2DAC992
      1 5D3B2E9310
      1 5EF11E9311
      1 63054E9312
      1 69377E9313
      1 ED636E930F
      2 29884E9315
      2 49ECEAC98D
      2 99A16A9DA7
      2 (Postfix)
      3 59EE1AC995
      3 CEB61AC996
    192 C12E9D3B48
   3929 F2BEEE9318
   4122 CC58AAC993
   4134 6EFD1A9DA7

As the bounces the last 2 qids are from the original mail send to the list (6EFD1A9DA7), 
and one of mails send by mailman to 500 members of that list (CC58AAC993).

(F2BEEE9318 and C12E9D3B48) are both bounces from members that where deliverd only once 
to /usr/lib/mailman/mail/mailman bounces NAME-OF-HUGE-LIST

So from me it seems that somehow some few bounce where "multiplied" so that ~20 real 
bounce produced 4134 virtual bounce. 

I see the potential of a deny of service attack, as it could be used 
to fill up the disk where the bounce-event files get dumped 
But I don't know if this would warrant marking "This bug is a security vulnerability".

** Affects: mailman
     Importance: Undecided
         Status: New

You received this bug notification because you are a member of Mailman
Coders, which is subscribed to GNU Mailman.

  bounce mail processed multiple times -> oom crash of BounceRunner

To manage notifications about this bug go to:

More information about the Mailman-coders mailing list