ClamAV sends infected attachments

Mister PO misterpo at IFRANCE.COM
Wed Sep 29 14:16:58 IST 2004


Hi,

I have just upgraded postfix to release 2.1.5.

"input attribute" stuff has disappeared but postfix crashes with a
postfix/postfix-script: fatal: the Postfix mail system is already running
message....

I have no zombie postfix process...

Here is My MailScanner.conf file :

Max Children = 5
Run As User = postfix
Run As Group = postfix
Queue Scan Interval = 5
Incoming Queue Dir = /var/spool/postfix/hold
Outgoing Queue Dir = /var/spool/postfix/incoming
Incoming Work Dir = /var/spool/MailScanner/incoming
Quarantine Dir = /var/spool/MailScanner/quarantine
PID file = /var/run/MailScanner.pid
Restart Every = 14400
MTA = postfix
Sendmail = /usr/sbin/sendmail
Sendmail2 = /usr/sbin/sendmail
Incoming Work User = postfix
Incoming Work Group = postfix
Quarantine User =
Quarantine Group =
Quarantine Permissions = 0640
Max Unscanned Bytes Per Scan = 1000000000
Max Unsafe Bytes Per Scan = 500000000
Max Unscanned Messages Per Scan = 30
Max Unsafe Messages Per Scan = 30
Max Normal Queue Size = 800
Maximum Attachments Per Message = 200
Expand TNEF = yes
Deliver Unparsable TNEF = yes
TNEF Expander = /usr/bin/tnef
TNEF Timeout = 240
File Command = /usr/bin/file
File Timeout = 200
Maximum Message Size = 0
Maximum Attachment Size = 5242880
Maximum Archive Depth = 3
Find Archives By Content = yes
Virus Scanning = yes
Virus Scanners = clamav
Virus Scanner Timeout = 1800
Deliver Disinfected Files = no
Silent Viruses =  HTML-IFrame
Still Deliver Silent Viruses = no
Non-Forging Viruses = Joke/ OF97/ WM97/ W97M/
Block Encrypted Messages = no
Block Unencrypted Messages = no
Allow Password-Protected Archives = yes
Monitors for ClamAV Updates = /usr/local/clamav/share/clamav/*.cvd
Dangerous Content Scanning = yes
Allow Partial Messages = no
Allow External Message Bodies = no
Allow IFrame Tags = no
Log IFrame Tags = no
Allow Form Tags = yes
Allow Script Tags = yes
Allow WebBugs = yes
Allow Object Codebase Tags = no
Convert Dangerous HTML To Text = no
Filename Rules = %etc-dir%/filename.rules.conf
Filetype Rules = %etc-dir%/filetype.rules.conf
Quarantine Infections = no
Quarantine Silent Viruses = no
Quarantine Whole Message = no
Quarantine Whole Messages As Queue Files = no
Language Strings = %report-dir%/languages.conf
Hide Incoming Work Dir = yes
Include Scanner Name In Reports = no

Any idea ?


>On Wed, September 29, 2004 9:32, Mister PO said:
>> Hell all,
>>
>> I am unsing MailScanner 4.32.5.1, clamAV 0.5 and spamassassin 2.63 with
>> postfix 2.0.18 on a RedHat 9 linux box.
>
>As has been mentioned before ClamAV is very old!
>>
>> My setup looks to work except that clamAV detects viruses but MailScanner
>> requeues the message with the infected attachment.
>>
>> Nothins is appended to the message header and body. Here is a sample of
my
>> mailog file :
>>
>> Sep 29 10:26:16 mx postfix/cleanup[19778]: 6FD6964122: message-
>> id=<415A72AC.5000207 at alpha-mos.com>
>> Sep 29 10:26:17 mx MailScanner[18917]: New Batch: Scanning 1 messages,
>> 2012
>> bytes
>> Sep 29 10:26:17 mx MailScanner[18917]: Spam Checks: Starting
>> Sep 29 10:26:16 mx postfix/smtpd[19790]: input attribute name: status
>> Sep 29 10:26:17 mx postfix/smtpd[19790]: input attribute value: 0
>> Sep 29 10:26:17 mx postfix/smtpd[19790]: public/cleanup socket: wanted
>> attribute: reason
>> Sep 29 10:26:17 mx postfix/smtpd[19790]: input attribute name: reason
>> Sep 29 10:26:17 mx postfix/smtpd[19790]: input attribute value: (end)
>> Sep 29 10:26:17 mx postfix/smtpd[19790]: public/cleanup socket: wanted
>> attribute: (list terminator)
>> Sep 29 10:26:17 mx postfix/smtpd[19790]: input attribute name: (end)
>> Sep 29 10:26:17 mx postfix/smtpd[19790]: > unknown[192.168.1.10]: 250 Ok:
>> queued as 6FD6964122
>> Sep 29 10:26:17 mx postfix/smtpd[19790]: watchdog_pat: 0x8076808
>> Sep 29 10:26:17 mx postfix/smtpd[19790]: smtp_get: EOF
>> Sep 29 10:26:17 mx postfix/smtpd[19790]: disconnect from unknown
>> [192.168.1.10]
>> Sep 29 10:26:17 mx postfix/smtpd[19790]: master_notify: status 1
>> Sep 29 10:26:17 mx postfix/smtpd[19790]: connection closed
>> Sep 29 10:26:18 mx postfix/smtpd[19790]: watchdog_stop: 0x8076808
>> Sep 29 10:26:18 mx postfix/smtpd[19790]: watchdog_start: 0x8076808
>
>From here I would suggest that Postfix looks very ill. The watchdog
>kicking in is the Postfix self preservation timer killing a hung process.
>Have you been having any error mail messages from Postfix? I'm not sure
>which attribute it's missing but as Postfix is also quite old, I would
>suggest upgrading to 2.1.x as that is the current stable, which should
>also fix this issue.
>
>> Sep 29 10:26:20 mx MailScanner[18917]: Virus and Content Scanning:
>> Starting
>> Sep 29 10:26:25 mx MailScanner
>> [18917]:
>> /usr/var/spool/MailScanner/incoming/18917/./6FD6964122/8ball.a.zip:
>>  Gen.8ball.a FOUND
>> Sep 29 10:26:25 mx MailScanner[18917]: Virus Scanning: ClamAV found 1
>> infections
>> Sep 29 10:26:25 mx MailScanner[18917]: Virus Scanning: Found 1 viruses
>> Sep 29 10:26:25 mx MailScanner[18917]: Requeue: 6FD6964122 to 3963664126
>>
>
>Check your path to the MailScanner work directory for sym links as this
>will have this effect (E.g. /tmp being /usr/tmp)
>
>HTH
>
>Drew
>
>
>--
>In line with our policy, this message has
>been scanned for viruses and dangerous
>content by MailScanner, and is believed to be clean.
>www.themarshalls.co.uk/policy
>
>------------------------ MailScanner list ------------------------
>To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
>'leave mailscanner' in the body of the email.
>Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
>the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).

------------------------ MailScanner list ------------------------
To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
'leave mailscanner' in the body of the email.
Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).



More information about the MailScanner mailing list