mail scanner stuck

Eduardo Casarero ecasarero at gmail.com
Mon Apr 17 21:33:54 IST 2006


Hi, after doing some investigation I found the following
with 4 particular emails:

in /var/log/maillog:

pr 17 16:53:44 avas2 MailScanner[4150]: MailScanner E-Mail Virus Scanner
version 4.51.6 starting...
Apr 17 16:53:44 avas2 MailScanner[4150]: Read 711 hostnames from the
phishing whitelist
Apr 17 16:53:44 avas2 MailScanner[4150]: Using SpamAssassin results cache
Apr 17 16:53:44 avas2 MailScanner[4150]: Connected to SpamAssassin cache
database
Apr 17 16:53:44 avas2 MailScanner[4150]: Enabling SpamAssassin
auto-whitelist functionality...
Apr 17 16:54:21 avas2 MailScanner[4150]: Using locktype = posix
Apr 17 16:54:21 avas2 MailScanner[4150]: Creating hardcoded struct_flock
subroutine for linux (Linux-type)
Apr 17 16:54:21 avas2 MailScanner[4150]: New Batch: Scanning 1 messages,
364000 bytes
Apr 17 16:54:21 avas2 MailScanner[4150]: MCP Checks completed at -1783903718
bytes per second
Apr 17 16:54:21 avas2 MailScanner[4150]: Spam Checks: Starting
Apr 17 16:54:22 avas2 MailScanner[4150]: SpamAssassin cache hit for message
k3HFIQcc008169
Apr 17 16:54:22 avas2 MailScanner[4150]: Message k3HFIQcc008169 from
200.218.209.99 (marcia.leon at bcb.gov.br) to fgv.br is não spam, SpamAssassin
(escore=-2.352, requerido 6, AWL 0.25, BAYES_00 -2.60, HTML_MESSAGE 0.00)
Apr 17 16:54:22 avas2 MailScanner[4150]: Spam Checks completed at 269382
bytes per second
Apr 17 16:54:22 avas2 MailScanner[4150]: Virus and Content Scanning:
Starting
Apr 17 16:59:23 avas2 MailScanner[4150]: Commercial scanner clamavmodule
timed out!
Apr 17 16:59:23 avas2 MailScanner[4150]: Virus Scanning: Denial Of Service
attack detected!
-----------------------------------------------------------------------------
After this last log message, MailScanner rescans the same email in a
loop. This was logged with 1 child running (just for debugging; in normal
operation it runs 6 children).

Then I tried to run clamavscan on this "particular message" with the debug
flag, and this was the result:
-----------------------------------------------------------------------------
root at avas2:/var/spool/mqueue.in# clamscan --debug -v dfk3HFIQcc008169
LibClamAV debug: Loading databases from /usr/local/share/clamav
LibClamAV debug: Loading /usr/local/share/clamav/main.cvd
LibClamAV debug: in cli_cvdload()
LibClamAV debug: MD5(.tar.gz) = af6f7d14ff7c607dd442d8b518e7b554
LibClamAV debug: Decoded signature: af6f7d14ff7c607dd442d8b518e7b554
LibClamAV debug: Digital signature is correct.
LibClamAV debug: in cli_untgz()
LibClamAV debug: Unpacking /tmp/clamav-24b7fe37b6a16d7b/COPYING
LibClamAV debug: Unpacking /tmp/clamav-24b7fe37b6a16d7b/main.db
LibClamAV debug: Unpacking /tmp/clamav-24b7fe37b6a16d7b/main.hdb
LibClamAV debug: Unpacking /tmp/clamav-24b7fe37b6a16d7b/main.ndb
LibClamAV debug: Unpacking /tmp/clamav-24b7fe37b6a16d7b/main.zmd
LibClamAV debug: Unpacking /tmp/clamav-24b7fe37b6a16d7b/main.fp
LibClamAV debug: Loading databases from /tmp/clamav-24b7fe37b6a16d7b
LibClamAV debug: Loading /tmp/clamav-24b7fe37b6a16d7b/main.db
LibClamAV debug: Initializing main node
LibClamAV debug: Initializing trie
LibClamAV debug: Initializing BM tables
LibClamAV debug: in cli_bm_init()
LibClamAV debug: BM: Number of indexes = 63744
LibClamAV debug: Loading /tmp/clamav-24b7fe37b6a16d7b/main.fp
LibClamAV debug: Initializing md5 list structure
LibClamAV debug: Loading /tmp/clamav-24b7fe37b6a16d7b/main.hdb
LibClamAV debug: Loading /tmp/clamav-24b7fe37b6a16d7b/main.ndb
LibClamAV debug: Loading /tmp/clamav-24b7fe37b6a16d7b/main.zmd
LibClamAV debug: Loading /usr/local/share/clamav/daily.cvd
LibClamAV debug: in cli_cvdload()
LibClamAV debug: MD5(.tar.gz) = 919754b49d62e8bc2465270dd99b6944
LibClamAV debug: Decoded signature: 919754b49d62e8bc2465270dd99b6944
LibClamAV debug: Digital signature is correct.
LibClamAV debug: in cli_untgz()
LibClamAV debug: Unpacking /tmp/clamav-b20ba7c25fc57272/COPYING
LibClamAV debug: Unpacking /tmp/clamav-b20ba7c25fc57272/daily.db
LibClamAV debug: Unpacking /tmp/clamav-b20ba7c25fc57272/daily.hdb
LibClamAV debug: Unpacking /tmp/clamav-b20ba7c25fc57272/daily.ndb
LibClamAV debug: Unpacking /tmp/clamav-b20ba7c25fc57272/daily.fp
LibClamAV debug: Loading databases from /tmp/clamav-b20ba7c25fc57272
LibClamAV debug: Loading /tmp/clamav-b20ba7c25fc57272/daily.hdb
LibClamAV debug: Loading /tmp/clamav-b20ba7c25fc57272/daily.ndb
LibClamAV debug: Loading /tmp/clamav-b20ba7c25fc57272/daily.db
LibClamAV debug: Loading /tmp/clamav-b20ba7c25fc57272/daily.fp
Scanning dfk3HFIQcc008169
LibClamAV debug: Matched signature for file type: HTML data
LibClamAV debug: Calculated MD5 checksum: 1a8ec3f6655a32e80eee147206ee9a94
LibClamAV debug: in cli_scanhtml()
LibClamAV debug: mmap'ed file
LibClamAV debug: Calculated MD5 checksum: a85ea84ad9580f56bef690ea3b729c00
LibClamAV debug: Calculated MD5 checksum: caef61e795b054fbf60a100aa0332b73
LibClamAV debug: Calculated MD5 checksum: d41d8cd98f00b204e9800998ecf8427e
dfk3HFIQcc008169: OK

----------- SCAN SUMMARY -----------
Known viruses: 51003
Engine version: 0.88.1
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 1.03 MB
Time: 37.247 sec (0 m 37 s)
-----------------------------------------------------------------------------

After this I really don't know what to do, because ClamAV is the only AV on
the system and MScanner has a timeout for AV of 300 secs and clamav takes
only 37.24 sec, so MScanner can't see that clamav finished or something is
missing.

Should I send these particular emails to Julian?

PS: this is the configuration of the server:
Slackware 10.2, kernel 2.6, MailScanner 4.51.6, clamav, SpamAssassin, razor,
dcc

Pentium IV - 3.2Ghz /800HT 775P Intel;
Mother board P4 ABIT NI8-SLI/LGA/NVIDIA;
4096Mb RAM DDR2/533 Kingston;
Winchester 160.2Gb - 7200 rpm SERIAL ATA Barracuda;
video PCI Express X300 Radeon 256Mb;
network 10/100/1000;
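
A log check for the symptom described in this post, added here as an example (it is not part of the original message or of MailScanner): it reads maillog text in the format quoted above and lists queue IDs whose batches hit the virus-scanner timeout more than once, with the time each scan ran before timing out. The function name, the constructed sample log and the assumed year 2006 (syslog lines carry no year) are illustrative.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the maillog format quoted above (not real data): the
# same queue ID times out in one child and is picked up again by another.
SAMPLE_LOG = """\
Apr 17 16:54:22 avas2 MailScanner[4150]: SpamAssassin cache hit for message k3HFIQcc008169
Apr 17 16:54:22 avas2 MailScanner[4150]: Virus and Content Scanning: Starting
Apr 17 16:59:23 avas2 MailScanner[4150]: Commercial scanner clamavmodule timed out!
Apr 17 16:59:23 avas2 MailScanner[4150]: Virus Scanning: Denial Of Service attack detected!
Apr 17 16:59:40 avas2 MailScanner[4201]: SpamAssassin cache hit for message k3HFIQcc008169
Apr 17 16:59:41 avas2 MailScanner[4201]: Virus and Content Scanning: Starting
Apr 17 17:04:42 avas2 MailScanner[4201]: Commercial scanner clamavmodule timed out!
Apr 17 17:05:00 avas2 MailScanner[4300]: SpamAssassin cache hit for message k3HAAAAA000001
Apr 17 17:05:01 avas2 MailScanner[4300]: Virus and Content Scanning: Starting
"""

LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ MailScanner\[(\d+)\]: (.*)$")
MSG_ID = re.compile(r"\b[Mm]essage (\w+)")

def find_timeout_loops(log_text, min_repeats=2, year="2006"):
    """Return (queue IDs that timed out >= min_repeats times, scan durations in s)."""
    batch = {}      # pid -> queue IDs seen in that child's current batch
    started = {}    # pid -> time "Virus and Content Scanning" started
    timeouts = Counter()
    durations = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # wrapped continuation lines or other daemons
        # Assumption: all lines belong to the given year.
        ts = datetime.strptime(year + " " + m.group(1), "%Y %b %d %H:%M:%S")
        pid, text = m.group(2), m.group(3)
        if text.startswith("New Batch:"):
            batch[pid] = set()
        elif text.startswith("Virus and Content Scanning: Starting"):
            started[pid] = ts
        elif "timed out!" in text:
            if pid in started:
                durations.append((ts - started.pop(pid)).total_seconds())
            # Every message in the batch is a suspect; repeats narrow it down.
            timeouts.update(batch.pop(pid, ()))
        else:
            found = MSG_ID.search(text)
            if found:
                batch.setdefault(pid, set()).add(found.group(1))
    stuck = sorted(q for q, n in timeouts.items() if n >= min_repeats)
    return stuck, durations
```

Run it over the full maillog with wrapped lines rejoined; queue IDs it returns are candidates to move out of the incoming queue for offline inspection.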