Problem with MailScanner, postfix and corrupt mails

Julian Field MailScanner at ecs.soton.ac.uk
Wed Mar 16 11:27:00 GMT 2005


    [ The following text is in the "ISO-8859-1" character set. ]
    [ Your display is set for the "US-ASCII" character set.  ]
    [ Some characters may be displayed incorrectly. ]

Steen, Glenn wrote:

>Got one friday... They're extremely rare it seems.
>
>I noticed something a bit curious about it in the logs:
><normal hold headers not included>
>Mar 11 19:25:04 mail postfix/cleanup[9377]: B551923DCC:
>message-id=<522842524315.TIN93887@
>Mar 11 19:25:14 mail MailScanner[5361]: New Batch: Scanning 1 messages,
>9167 bytes
>Mar 11 19:25:16 mail postfix/smtpd[9375]: disconnect from
>82-41-95-49.cable.ubr02.dund.blueyonder.co.uk[82.41.95.49]
>Mar 11 19:25:24 mail MailScanner[5361]: Spam Checks: Found 1 spam
>messages
>Mar 11 19:25:24 mail MailScanner[5361]: Virus and Content Scanning:
>Starting
>Mar 11 19:25:29 mail MailScanner[5361]: Requeue:  to A1CE723DDB
>Mar 11 19:25:29 mail postfix/qmgr[16986]: A1CE723DDB:
>from=<exqnclufhgenp at freemessage.com>, size=18870, nrcpt=1 (queue active)
>Mar 11 19:25:29 mail MailScanner[5361]: Uninfected: Delivered 1 messages
>Mar 11 19:25:29 mail MailScanner[5361]: Logging message B551923DCC.D5385
>to SQL
>
>Note the message ID. Perhaps doesn't matter(?).
>
>
The D5385 on the end is intentional. Postfix re-uses its queue numbers
too quickly, so I have to force them to be unique for processing and
quarantine purposes. Everyone else just ensures that their queue numbers
really are unique, but not Wietse of course....

>Since it is a spam message, I've got both the mangled A1CE723DDB and the
>nonmangled (but decoded, since I run MW) B551923DCC.D5385 ... and the
>SQL/MailWatch logentry for it. If you want it Jules, you can have it
>(off
>list).
>
>
Yes, please send it. It will probably look like the others, but I will
check anyway.

>-- Glenn
>
>
>
>>-----Original Message-----
>>From: MailScanner mailing list
>>[mailto:MAILSCANNER at JISCMAIL.AC.UK] On Behalf Of Julian Field
>>Sent: den 16 mars 2005 09:53
>>To: MAILSCANNER at JISCMAIL.AC.UK
>>Subject: Re: Problem with MailScanner, postfix and corrupt mails
>>
>>
>>Thanks for the offer, but I've got plenty of machines which don't show
>>the problem :-)
>>You are running the same configuration as my new test server, and I
>>can't reproduce it either.
>>
>>Thanks anyway.
>>
>>Pete Russell wrote:
>>
>>
>>
>>>HI Jules, am using POstfix 2.1.5 on rhel4 - no problems with postfix
>>>whatsoever. Does it help you to have access to my 3
>>>
>>>
>>machines (and soon
>>
>>
>>>to be 4) that are running this version to inspect/compare etc?
>>>
>>>PLease let me know, would love to help in anyway i can -
>>>
>>>
>>just not sure
>>
>>
>>>if i can :)
>>>
>>>Pete
>>>
>>>
>>>
>>>Robert Waldner wrote:
>>>
>>>
>>>
>>>>On Tue, 15 Mar 2005 17:32:46 GMT, Julian Field writes:
>>>>
>>>>
>>>>
>>>>>There is only 1 statement in the code that print the
>>>>>
>>>>>
>>"PreDataString"
>>
>>
>>>>>which is where this text is put. After writing it (once)
>>>>>
>>>>>
>>it forks off a
>>
>>
>>>>>pipe to print the message body, then prints the
>>>>>
>>>>>
>>"PostDataString". To
>>
>>
>>>>>get
>>>>>2 copies of the PreDataString, something somewhere must
>>>>>
>>>>>
>>duplicate it in
>>
>>
>>>>>the buffers.
>>>>>
>>>>>
>>>><patch>
>>>>
>>>>
>>>>
>>>>>So there are just those 2 "+"-marked lines to add.
>>>>>If this doesn't fix it, then it really is beyond my control. I'm
>>>>>forcing
>>>>>it to flush the buffers absolutely everywhere, none of
>>>>>
>>>>>
>>this should be
>>
>>
>>>>>needed.
>>>>>
>>>>>
>>>>
>>>>Thanks. I'll apply the patch as soon as I get to work.
>>>>
>>>>cheers,
>>>>&rw
>>>>--
>>>>-- sometimes transcode changes or adds new
>>>>-- features while your are encoding.
>>>>--                      - Thomas Oestreich
>>>>
>>>>
>>>>
>>>>------------------------ MailScanner list ------------------------
>>>>To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
>>>>'leave mailscanner' in the body of the email.
>>>>Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
>>>>the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
>>>>
>>>>Support MailScanner development - buy the book off the website!
>>>>
>>>>
>>>------------------------ MailScanner list ------------------------
>>>To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
>>>'leave mailscanner' in the body of the email.
>>>Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
>>>the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
>>>
>>>Support MailScanner development - buy the book off the website!
>>>
>>>
>>>
>>--
>>Julian Field
>>www.MailScanner.info
>>MailScanner thanks transtec Computers for their support
>>Buy the MailScanner book at www.MailScanner.info/store
>>
>>PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>>
>>------------------------ MailScanner list ------------------------
>>To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
>>'leave mailscanner' in the body of the email.
>>Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
>>the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
>>
>>Support MailScanner development - buy the book off the website!
>>
>>
>>
>
>------------------------ MailScanner list ------------------------
>To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
>'leave mailscanner' in the body of the email.
>Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
>the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
>
>Support MailScanner development - buy the book off the website!
>
>
>

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support
Buy the MailScanner book at www.MailScanner.info/store

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

------------------------ MailScanner list ------------------------
To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
'leave mailscanner' in the body of the email.
Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).

Support MailScanner development - buy the book off the website!




More information about the MailScanner mailing list