All messages quarantined on Trustix 2.0/MS 4.25-14

Stephen Lee splee at PLEXIO.COM
Wed Jan 7 00:01:56 GMT 2004


I noticed that sweep is called as follows:

/usr/local/Sophos/bin/sweep -sc -f -all -rec  ss -archive -loopback
--no-follow-symlinks --no-reset-atime -TNEF .

Note that the "ss" switch is not prefaced with "-". Is this a syntax
error and does it make a difference as to whether sweep will scan the
message?

Stephen


On Mon, 2004-01-05 at 08:26, Stephen Lee wrote:
> Anything else I should check into?
>
> Thanks,
> Stephen
>
> On Sun, 2004-01-04 at 08:24, Stephen Lee wrote:
> > That was my first guess but the permissions suggest that it shouldn't be
> > the problem.
> >
> > drwxrwxr--    5 exim     exim         4096 Jan  4 08:12 exim/
> > drwxrwxr--    4 exim     exim         4096 Jan  4 08:12 exim_incoming/
> >
> > All subdirectories have the same permissions. I even su'd to exim and
> > was able to create/delete files in those directories. Setting them to
> > 777 made no difference. Here's a piece of the exim log:
> >
> >  2004-01-04 08:22:21 exim 4.24 daemon started: pid=22334, no queue runs,
> > listening for SMTP on port 25 (IPv4)
> > 2004-01-04 08:22:21 cwd=/ 4 args: /usr/local/bin/exim -C
> > /usr/local/etc/exim_outgoing.conf -q15m
> > 2004-01-04 08:22:21 exim 4.24 daemon started: pid=22337, -q15m, not
> > listening for SMTP
> > 2004-01-04 08:22:21 cwd=/var/spool/exim 4 args: /usr/local/bin/exim -C
> > /usr/local/etc/exim_outgoing.conf -q
> > 2004-01-04 08:22:21 Start queue run: pid=22338
> > 2004-01-04 08:22:21 End queue run: pid=22338
> > 2004-01-04 08:22:24 cwd=/var/spool/MailScanner/incoming/22356 5 args:
> > /usr/local/bin/exim -C /usr/local/etc/exim_outgoing.conf -Mc
> > 1AdB0M-0005ni-Nz
> > 2004-01-04 08:22:24 1AdB0M-0005ni-Nz Spool file 1AdB0M-0005ni-Nz-D not
> > found
> > 2004-01-04 08:22:24 1AdB1E-0005ol-7f <= postmaster at ugw.united.private
> > U=exim P=local S=762
> >
> > Stephen
> >
> > On Sun, 2004-01-04 at 04:20, Julian Field wrote:
> > > Check the permissions on your Exim queue directories. For some reason it is
> > > failing to analyse the message at all.
> > >
> > > At 09:14 04/01/2004, you wrote:
> > > >I have a Trustix 2.0 box with MailScanner 4.25-14 (tarball) /Sophos
> > > >3.77/Exim 4.24/Fetchmail-6.2.5. I've followed the MS instructions for
> > > >installing MS manually from a tar file and configured Exim to use
> > > >separate incoming and outgoing queues. Exim appears to receive incoming
> > > >messages and MS picks them up. The problem is that MS takes all messages
> > > >and marks them as infected and places them in quarantine. The following
> > > >message is generated:
> > > >
> > > >  Jan  4 00:45:25 ugw MailScanner[14308]: New Batch: Scanning 1 messages,
> > > >1068 bytes
> > > >Jan  4 00:45:25 ugw MailScanner[14308]: Spam Checks: Starting
> > > >Jan  4 00:45:25 ugw MailScanner[14308]: Virus and Content Scanning:
> > > >Starting
> > > >Jan  4 00:45:27 ugw MailScanner[14308]: Saved entire message to
> > > >/var/spool/MailScanner/quarantine/20040104/1Ad3lV-0003hp-62
> > > >Jan  4 00:45:27 ugw MailScanner[14308]: Cleaned: Delivered 1 cleaned
> > > >messages
> > > >Jan  4 00:45:27 ugw MailScanner[14308]: Notices: Warned about 1 messages
> > > >
> > > >The warning message contains:
> > > >
> > > >Received: from exim by ugw.united.private with local (Exim 4.24)
> > > >         id 1Ad3t1-0003ix-R3
> > > >         for postmaster at ugw.united.private; Sun, 04 Jan 2004 00:45:27 -0800
> > > >From: "MailScanner-UGW" <postmaster at ugw.united.private>
> > > >To: postmaster at ugw.united.private
> > > >Subject: Warning: E-mail viruses detected
> > > >Message-Id: <E1Ad3t1-0003ix-R3 at ugw.united.private>
> > > >Date: Sun, 04 Jan 2004 00:45:27 -0800
> > > >
> > > >The following e-mail messages were found to have viruses in them:
> > > >
> > > >     Sender: postmaster at ugw.united.private
> > > >IP Address: 127.0.0.1
> > > >  Recipient: postmaster at ugw.united.private
> > > >    Subject:  Warning: E-mail viruses detected
> > > >  MessageID: 1Ad3lV-0003hp-62
> > > >     Report: MailScanner: Could not analyze message
> > > >
> > > >
> > > >--
> > > >MailScanner
> > > >Email Virus Scanner
> > > >www.mailscanner.info
> > > >
> > > >
> > > >
> > > >Each warning message spawns another warning message and in short order
> > > >the quarantine directory fills up.
> > > >
> > > >"ps ax" indicates Sophos sweep is active when "Virus Scanners = sophos"
> > > >is set and sweep is not active when set to "Virus Scanners = none".
> > > >However, in both cases the same warning message (i.e. detected virus) is
> > > >generated.
> > > >
> > > >Here are some of the pertinent settings in
> > > >/opt/MailScanner/etc/MailScanner.conf:
> > > >
> > > >Run As User = exim
> > > >Run As Group = exim
> > > >Incoming Queue Dir = /var/spool/exim_incoming/input
> > > >Outgoing Queue Dir = /var/spool/exim/input
> > > >Quarantine Dir = /var/spool/MailScanner/quarantine
> > > >MTA = exim
> > > >Sendmail = /usr/local/bin/exim
> > > >Sendmail2 = /usr/local/bin/exim -C /usr/local/etc/exim_outgoing.conf
> > > >Virus Scanners = sophos
> > > >Quarantine Infections = yes
> > > >Quarantine Whole Message = yes
> > > >Quarantine Whole Messages As Queue Files = no
> > > >Spam Checks = yes
> > > >Use SpamAssassin = no
> > > >Split Exim Spool = no
> > > >
> > > >/etc/sysconfig/MailScanner looks like this:
> > > >
> > > >MTA=exim
> > > >EXIM=/usr/local/bin/exim
> > > >EXIMINCF=/usr/local/etc/exim.conf         # Incoming configuration file
> > > >EXIMSENDCF=/usr/local/etc/exim_outgoing.conf  # Outgoing configuration
> > > >file
> > > >
> > > >The following perl modules were downloaded, compiled and installed with
> > > >no issues:
> > > >
> > > >Convert-TNEF-0.17
> > > >File-Spec-0.82
> > > >File-Temp-0.14
> > > >HTML-Parser-3.26
> > > >HTML-Tagset-3.03
> > > >IO-stringy-2.108
> > > >MIME-Base64-2.12
> > > >MIME-tools-5.411 (patched version)
> > > >MailTools-1.50
> > > >Net-CIDR-0.09
> > > >
> > > >
> > > >Any suggestions on what next or diagnostics you need?
> > > >
> > > >Thanks and Happy New Year!
> > > >Stephen
> > >
> > > --
> > > Julian Field
> > > www.MailScanner.info
> > > Professional Support Services at www.MailScanner.biz
> > > MailScanner thanks transtec Computers for their support
> > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
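The notification loop described in the original report (a warning about a message that "could not be analyzed" is itself scanned, quarantined and warned about again, until the quarantine fills up) leaves a recognisable pattern in the MailScanner syslog lines and in the warning report. The script below is an added example, not code from this thread or from the MailScanner project; it parses log lines in the format quoted above and flags two indicators of such a loop. The sample syslog lines and report body are constructed to mirror the quoted ones (the `@` in addresses is assumed where the archive shows ` at `), and all function names are my own.

```python
"""Detect a MailScanner warning-notification loop from syslog lines and a warning report."""
import re

# Constructed sample syslog lines, modelled on the excerpt quoted in the thread.
SAMPLE_SYSLOG = """\
Jan  4 00:45:25 ugw MailScanner[14308]: New Batch: Scanning 1 messages, 1068 bytes
Jan  4 00:45:25 ugw MailScanner[14308]: Spam Checks: Starting
Jan  4 00:45:25 ugw MailScanner[14308]: Virus and Content Scanning: Starting
Jan  4 00:45:27 ugw MailScanner[14308]: Saved entire message to /var/spool/MailScanner/quarantine/20040104/1Ad3lV-0003hp-62
Jan  4 00:45:27 ugw MailScanner[14308]: Cleaned: Delivered 1 cleaned messages
Jan  4 00:45:27 ugw MailScanner[14308]: Notices: Warned about 1 messages
Jan  4 00:45:40 ugw MailScanner[14308]: New Batch: Scanning 1 messages, 1102 bytes
Jan  4 00:45:40 ugw MailScanner[14308]: Spam Checks: Starting
Jan  4 00:45:40 ugw MailScanner[14308]: Virus and Content Scanning: Starting
Jan  4 00:45:42 ugw MailScanner[14308]: Saved entire message to /var/spool/MailScanner/quarantine/20040104/1Ad3t1-0003ix-R3
Jan  4 00:45:42 ugw MailScanner[14308]: Cleaned: Delivered 1 cleaned messages
Jan  4 00:45:42 ugw MailScanner[14308]: Notices: Warned about 1 messages
"""

# Constructed sample warning-report body, modelled on the one quoted in the thread
# (addresses assumed to be postmaster@... where the archive shows "postmaster at ...").
SAMPLE_REPORT = """\
     Sender: postmaster@ugw.united.private
IP Address: 127.0.0.1
  Recipient: postmaster@ugw.united.private
    Subject:  Warning: E-mail viruses detected
  MessageID: 1Ad3lV-0003hp-62
     Report: MailScanner: Could not analyze message
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ MailScanner\[(?P<pid>\d+)\]: (?P<text>.*)$")
BATCH_RE = re.compile(r"New Batch: Scanning (\d+) messages")
QUAR_RE = re.compile(r"Saved entire message to (\S+)/([^/\s]+)$")
WARN_RE = re.compile(r"Notices: Warned about (\d+) messages")


def summarize_batches(syslog_text):
    """Group MailScanner lines into batches: how many messages each batch scanned,
    which message IDs were quarantined whole, and how many warnings were sent."""
    batches = []
    for line in syslog_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a MailScanner line
        text = m.group("text")
        b = BATCH_RE.search(text)
        if b:
            batches.append({"time": m.group("ts"), "scanned": int(b.group(1)),
                            "quarantined": [], "warned": 0})
            continue
        if not batches:
            continue  # events before the first "New Batch" line are skipped
        q = QUAR_RE.search(text)
        if q:
            batches[-1]["quarantined"].append(q.group(2))
        w = WARN_RE.search(text)
        if w:
            batches[-1]["warned"] += int(w.group(1))
    return batches


def loop_suspected(batches, min_batches=2):
    """Indicator 1: in each of the last `min_batches` batches every scanned message
    was quarantined whole and a warning was sent for it, so output feeds input."""
    if len(batches) < min_batches:
        return False
    return all(b["scanned"] == len(b["quarantined"]) == b["warned"]
               for b in batches[-min_batches:])


def parse_report(report_text):
    """Turn the 'Sender: ...' / 'Report: ...' block of a warning into a dict."""
    fields = {}
    for line in report_text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def is_self_warning(fields, warning_subject="Warning: E-mail viruses detected"):
    """Indicator 2: the message being warned about is itself a MailScanner warning
    (sender == recipient, the warning subject) and the report is 'Could not analyze'
    rather than a named virus, i.e. the scanner is failing, not detecting."""
    return (fields.get("Sender") == fields.get("Recipient")
            and fields.get("Subject") == warning_subject
            and fields.get("Report", "").startswith("MailScanner: Could not analyze message"))


if __name__ == "__main__":
    batches = summarize_batches(SAMPLE_SYSLOG)
    print("batches:", len(batches), "loop suspected:", loop_suspected(batches))
    print("report is a self-warning:", is_self_warning(parse_report(SAMPLE_REPORT)))
```

Run against a real `maillog` (or the MailScanner syslog facility) the first check fires as soon as two consecutive batches consist only of quarantined-and-warned messages, which is what the quoted log shows; the second check tells you whether the thing being quarantined is a scanner failure rather than a detection, which is the cue to stop the daemon before the quarantine directory fills up and to look at why analysis fails (queue directory permissions, as suggested in the reply, or the scanner wrapper's command line).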