ClamAV sends infected attachments

Drew Marshall drew at THEMARSHALLS.CO.UK
Wed Sep 29 13:03:15 IST 2004


On Wed, September 29, 2004 9:32, Mister PO said:
> Hello all,
>
> I am using MailScanner 4.32.5.1, clamAV 0.5 and spamassassin 2.63 with
> postfix 2.0.18 on a RedHat 9 linux box.

As has been mentioned before ClamAV is very old!
>
> My setup looks to work except that clamAV detects viruses but MailScanner
> requeues the message with the infected attachment.
>
> Nothing is appended to the message header and body. Here is a sample of my
> maillog file:
>
> Sep 29 10:26:16 mx postfix/cleanup[19778]: 6FD6964122: message-id=<415A72AC.5000207 at alpha-mos.com>
> Sep 29 10:26:17 mx MailScanner[18917]: New Batch: Scanning 1 messages, 2012 bytes
> Sep 29 10:26:17 mx MailScanner[18917]: Spam Checks: Starting
> Sep 29 10:26:16 mx postfix/smtpd[19790]: input attribute name: status
> Sep 29 10:26:17 mx postfix/smtpd[19790]: input attribute value: 0
> Sep 29 10:26:17 mx postfix/smtpd[19790]: public/cleanup socket: wanted attribute: reason
> Sep 29 10:26:17 mx postfix/smtpd[19790]: input attribute name: reason
> Sep 29 10:26:17 mx postfix/smtpd[19790]: input attribute value: (end)
> Sep 29 10:26:17 mx postfix/smtpd[19790]: public/cleanup socket: wanted attribute: (list terminator)
> Sep 29 10:26:17 mx postfix/smtpd[19790]: input attribute name: (end)
> Sep 29 10:26:17 mx postfix/smtpd[19790]: > unknown[192.168.1.10]: 250 Ok: queued as 6FD6964122
> Sep 29 10:26:17 mx postfix/smtpd[19790]: watchdog_pat: 0x8076808
> Sep 29 10:26:17 mx postfix/smtpd[19790]: smtp_get: EOF
> Sep 29 10:26:17 mx postfix/smtpd[19790]: disconnect from unknown[192.168.1.10]
> Sep 29 10:26:17 mx postfix/smtpd[19790]: master_notify: status 1
> Sep 29 10:26:17 mx postfix/smtpd[19790]: connection closed
> Sep 29 10:26:18 mx postfix/smtpd[19790]: watchdog_stop: 0x8076808
> Sep 29 10:26:18 mx postfix/smtpd[19790]: watchdog_start: 0x8076808

From here I would suggest that Postfix looks very ill. The watchdog
kicking in is the Postfix self-preservation timer killing a hung process.
Have you been having any error mail messages from Postfix? I'm not sure
which attribute it's missing but as Postfix is also quite old, I would
suggest upgrading to 2.1.x as that is the current stable, which should
also fix this issue.

> Sep 29 10:26:20 mx MailScanner[18917]: Virus and Content Scanning: Starting
> Sep 29 10:26:25 mx MailScanner[18917]: /usr/var/spool/MailScanner/incoming/18917/./6FD6964122/8ball.a.zip: Gen.8ball.a FOUND
> Sep 29 10:26:25 mx MailScanner[18917]: Virus Scanning: ClamAV found 1 infections
> Sep 29 10:26:25 mx MailScanner[18917]: Virus Scanning: Found 1 viruses
> Sep 29 10:26:25 mx MailScanner[18917]: Requeue: 6FD6964122 to 3963664126
>

Check your path to the MailScanner work directory for symlinks as this
will have this effect (e.g. /tmp being /usr/tmp).

HTH

Drew


--
In line with our policy, this message has
been scanned for viruses and dangerous
content by MailScanner, and is believed to be clean.
www.themarshalls.co.uk/policy
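
One way to run the symlink check suggested in the reply above, as an added example that is not part of the original message: a POSIX shell function that walks each component of the work directory path and reports every component that is a symbolic link. The function name is hypothetical, and the default path is the one that appears in the quoted log.

```shell
#!/bin/sh
# Added example (not from the original thread).
# find_symlinked_components is a hypothetical helper name.
#
# Prints one line "component -> target" for every component of PATH
# that is a symbolic link. Prints nothing when the path is symlink-free.
# The body runs in a subshell, so the IFS and globbing changes do not
# leak into the caller.
find_symlinked_components() (
    path=$1
    case $path in
        /*) ;;                       # already absolute
        *)  path=$(pwd)/$path ;;     # make a relative path absolute
    esac

    set -f      # do not expand wildcards while splitting the path
    IFS=/       # split on path separators only (spaces are preserved)
    current=
    for part in $path; do
        # Skip the empty field before the leading "/" and any "." parts,
        # such as the "/./" seen in the MailScanner log line.
        case $part in ''|.) continue ;; esac
        current=$current/$part
        if [ -L "$current" ]; then
            printf '%s -> %s\n' "$current" "$(readlink "$current")"
        fi
    done
)

# Default to the work directory path shown in the quoted log; pass a
# different path as the first argument to check another location.
find_symlinked_components "${1:-/usr/var/spool/MailScanner/incoming}"
```

Any line of output names a component to replace with its real location in the MailScanner configuration; no output means the path contains no symlinks.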

------------------------ MailScanner list ------------------------
To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
'leave mailscanner' in the body of the email.
Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
