workaround for "file size limit exceeded" messages?

Kevin Spicer kevins at BMRB.CO.UK
Mon Nov 3 18:18:46 GMT 2003


On Mon, 2003-11-03 at 17:58, Julian Field wrote:

>MailScanner appears to squeal a bit about the error but does trap the
>virus.

Julian, there are definitely problems with MailScanner handling this and
there seems to be some doubt about whether MailScanner really is
stopping this.  I'm also using Sophos (so the viruses are getting
detected anyway).  I'm seeing the following in my logs....

======START-LOG=======
Nov  3 06:49:56 scan MailScanner[16970]: Virus and Content Scanning: Starting
Nov  3 06:49:57 scan MailScanner[16970]: INFECTED:: W32/Mimail-C:: ./hA36nckm028024/photos.zip
Nov  3 06:49:57 scan MailScanner[16970]: Virus Scanning: SophosSAVI found 1 infections
Nov  3 06:49:57 scan MailScanner[16970]: /var/spool/MailScanner/incoming/16970/./hA36nckm028024/photos.zip: File size limit exceeded.
Nov  3 06:49:57 scan MailScanner[16970]: ProcessClamAVOutput: unrecognised line "/var/spool/MailScanner/incoming/16970/./hA36nckm028024/photos.zip: File size limit exceeded.". Please contact the authors!
Nov  3 06:49:57 scan MailScanner[16970]: (raw) /var/spool/MailScanner/incoming/16970/./hA36nckm028024/photos.zip: Worm.Mimail.C FOUND
Nov  3 06:49:57 scan MailScanner[16970]: Virus Scanning: ClamAV found 1 infections
Nov  3 06:49:57 scan MailScanner[16970]: Infected message (raw)  came from
Nov  3 06:49:57 scan MailScanner[16970]: Infected message hA36nckm028024 came from xxx.xxx.xxx.xxx
Nov  3 06:49:57 scan MailScanner[16970]: Virus Scanning: Found 1 viruses
Nov  3 06:49:58 scan MailScanner[16970]: Cleaned: Delivered 1 cleaned messages
=====END-LOG=======

But the postmaster report looks like this...

=====START-REPORT======
The following e-mail messages were found to have viruses or banned
attachments in them:

    Sender: auser at mydomain.co.uk
IP Address: xxx.xxx.xxx.xxx
 Recipient: another.user at mydomain.co.uk
   Subject: Re[2]: our private photos                 aisaruor
 MessageID: hA36nckm028024
    Report: SophosSAVI: photos.zip was infected by W32/Mimail-C

=====END-REPORT========

No mention of Clam - even though the logs suggest Clam found it.
Anecdotal evidence from other posts here and on the clam list suggests
that although the logs show clam catching it that it may not be blocking
the mail.  I'm guessing from the logs above that it is failing to match
the output from clam to the message ID hence the '(raw)', but I might be
wide of the mark on that one.
Unfortunately I delete not quarantine so I can't test my theory out.

Kevin

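Added example, not part of the original post and not MailScanner code: a log audit that lists messages whose only ClamAV hit was logged under "(raw)" with no matching "Infected message <id>" line, which are the cases the post above is unsure about. The line shapes are taken from the log excerpt in the post; the function names and the second message ID (hA36zzzz000001) are constructed for illustration.

```python
import re

# Constructed sample: log lines from the post (unwrapped) plus one made-up
# message, hA36zzzz000001, that only ClamAV flagged.
SAMPLE_LOG = """\
Nov  3 06:49:57 scan MailScanner[16970]: INFECTED:: W32/Mimail-C:: ./hA36nckm028024/photos.zip
Nov  3 06:49:57 scan MailScanner[16970]: /var/spool/MailScanner/incoming/16970/./hA36nckm028024/photos.zip: File size limit exceeded.
Nov  3 06:49:57 scan MailScanner[16970]: ProcessClamAVOutput: unrecognised line "/var/spool/MailScanner/incoming/16970/./hA36nckm028024/photos.zip: File size limit exceeded.". Please contact the authors!
Nov  3 06:49:57 scan MailScanner[16970]: (raw) /var/spool/MailScanner/incoming/16970/./hA36nckm028024/photos.zip: Worm.Mimail.C FOUND
Nov  3 06:49:57 scan MailScanner[16970]: Infected message (raw)  came from
Nov  3 06:49:57 scan MailScanner[16970]: Infected message hA36nckm028024 came from xxx.xxx.xxx.xxx
Nov  3 06:50:10 scan MailScanner[16971]: (raw) /var/spool/MailScanner/incoming/16971/./hA36zzzz000001/photos.zip: Worm.Mimail.C FOUND
Nov  3 06:50:10 scan MailScanner[16971]: Infected message (raw)  came from
"""

LINE = re.compile(r"MailScanner\[\d+\]: (.*)$")
# The message ID is the directory under incoming/<pid>/./ in the full path.
MSG_IN_PATH = r"/incoming/\d+/\./([^/]+)/"
RAW_HIT = re.compile(r"^\(raw\) \S*" + MSG_IN_PATH + r".*: (\S+) FOUND$")
UNPARSED = re.compile(r'^ProcessClamAVOutput: unrecognised line "\S*' + MSG_IN_PATH)
ATTRIBUTED = re.compile(r"^Infected message (\S+)\s+came from")

def audit(log_text):
    """Return {message_id: {"clam": [names], "unparsed": n, "attributed": bool}}."""
    report = {}
    def entry(msg_id):
        return report.setdefault(
            msg_id, {"clam": [], "unparsed": 0, "attributed": False})
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        text = m.group(1)
        if (hit := RAW_HIT.match(text)):
            entry(hit.group(1))["clam"].append(hit.group(2))
        elif (bad := UNPARSED.match(text)):
            entry(bad.group(1))["unparsed"] += 1
        elif (att := ATTRIBUTED.match(text)) and att.group(1) != "(raw)":
            entry(att.group(1))["attributed"] = True
    return report

def needs_review(log_text):
    """IDs with a ClamAV hit logged as (raw) and no 'Infected message <id>' line."""
    return sorted(i for i, e in audit(log_text).items()
                  if e["clam"] and not e["attributed"])

if __name__ == "__main__":
    for msg_id in needs_review(SAMPLE_LOG):
        print("check delivery of", msg_id)
```

The message from the post is not flagged because the log also carries an "Infected message hA36nckm028024" line; only the constructed ClamAV-only message is.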