mail scanner stuck

Jim Holland mailscanner at mango.zw
Tue Apr 18 22:21:29 IST 2006 

On Tue, 18 Apr 2006, Eduardo Casarero wrote:

> jim, i´ve the messages but i just substracted them from the mqueu.in.
> Sizes goes from 400Kb to 7Mb. Aparently they are compressed PPT Power
> Point Presentations. how can i open that mail if i have the
> qfk3HFIQcc008169 and dfk3HFIQcc008169 In the bacht that failed there was
> 1 email only, i chaged parameters so mailscanner takes 1 by 1 so i found
> this 4 problematic mails.

If you are happy to just release the message, then stop MailScanner (if
you want to avoid possible error messages), move both of the above files
into /var/spool/mqueue, and then restart MailScanner.

If you want to scan the message manually, then as far as I know you have 
to convert the above back into a single message file.  I do that the hard 
way:

	cat qfk3HFIQcc008169 dfk3HFIQcc008169 > msg.tmp
	edit the headers in msg.tmp:
	   Delete all lines up to but not including the first Received: line
	   Delete all H?? entries at the beginning of lines
	   Delete the . on the line at the end of the headers.

You can then scan the message.

Your comment about the files being compressed PPT Power Point Presentations 
is also very interesting, as PPT files were also amongst the problem 
messages that I came across.
 
> 2006/4/18, Jim Holland <mailscanner at mango.zw>:
> >
> > Hi Martin
> >
> > On Tue, 18 Apr 2006, Martin Hepworth wrote:
> >
> > > I'd look at why the clamavmodule is timing out - does clamscan work OK
> > > from the command line????
> >
> > On my system I am not running clamavmodule - just plain clamav.  The error
> > message below was on the system being run by Eduardo Casarero.
> >
> > > RH 7.1 is really really old
> >
> > Soon to be upgraded to Debian Sarge :-)
> >
> > > so it could be problems with either clamAV or the perl module not
> > > working with 7.1.
> >
> > > What happens if you change from the module to the normal clamav scanner
> > > in MailScanner.conf?
> >
> > See above.
> >
> > > > -----Original Message-----
> > > > From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-
> > > > bounces at lists.mailscanner.info] On Behalf Of Jim Holland
> > > > Sent: 17 April 2006 22:41
> > > > To: MailScanner discussion
> > > > Subject: Re: mail scanner stuck
> > > >
> > > > On Mon, 17 Apr 2006, Eduardo Casarero wrote:
> > > >
> > > > > Date: Mon, 17 Apr 2006 17:33:54 -0300
> > > > > From: Eduardo Casarero <ecasarero at gmail.com>
> > > > > Reply-To: MailScanner discussion <mailscanner at lists.mailscanner.info
> > >
> > > > > To: MailScanner discussion <mailscanner at lists.mailscanner.info>
> > > > > Subject: Re: mail scanner stuck
> > > > >
> > > > > hi, after doing some investigation i found the following:
> > > > > with 4 particular emails:
> > > >
> > > > > in /var/log/maillog:
> > > >
> > > > Apr 17 16:54:22 avas2 MailScanner[4150]: Virus and Content Scanning:
> > > > Starting
> > > > Apr 17 16:59:23 avas2 MailScanner[4150]: Commercial scanner
> > clamavmodule
> > > > timed out!
> > > > Apr 17 16:59:23 avas2 MailScanner[4150]: Virus Scanning: Denial Of
> > Service
> > > > attack detected!
> > > >
> > --------------------------------------------------------------------------
> > > > ---
> > > > > After this last log message the mail scanner rescan of the same
> > email
> > > > > looping. This was logged with 1 child runnig (just for debuggin, in
> > > > > normal operation runs 6 childs)
> > > >
> > > > . . .
> > > >
> > > > > After this i really don´t know what to do. Cause Clamav is the only
> > AV
> > > > > on the system and MScanner has a Timeout for AV of 300 segs an
> > clamav
> > > > takes
> > > > > only 37.24 seg. so MScanner cant see that clamav finished or
> > something
> > > > > is missing.
> > > >
> > > > . . .
> > > >
> > > > This seems to be very similar to the problem I wrote about earlier
> > this
> > > > evening in:
> > > >
> > > >     Subject: Solved? Re: Still stuck in queue, version 4.52.2
> > > >
> > > > I would be very interested to know:
> > > >
> > > >     The size of the message
> > > >
> > > >     What files it contained
> > > >
> > > >     Whether the files were compressed, and if so
> > > >     what was the uncompressed file size
> > > >
> > > >     How many messages were in the batch that failed?
> > > >
> > > > Clearly if the message is one of say 30 in a batch then it is going to
> > be
> > > > easier for ClamAV to time out on the batch than if there was only one
> > in
> > > > the batch.  My understanding is that the timeout setting applies to
> > the
> > > > whole batch and not to a single message.
> > > >
> > > > As indicated in my message, I have changed the default for:
> > > >
> > > >     Virus Scanner Timeout =
> > > >
> > > > in MailScanner.conf from 300 to 600 seconds to try to avoid this kind
> > of
> > > > problem.
> > > >
> > > > Regards
> > > >
> > > > Jim Holland
> > > > System Administrator
> > > > MANGO - Zimbabwe's non-profit e-mail service
> > > >
> > > > --
> > > > MailScanner mailing list
> > > > mailscanner at lists.mailscanner.info
> > > > http://lists.mailscanner.info/mailman/listinfo/mailscanner
> > > >
> > > > Before posting, read http://wiki.mailscanner.info/posting
> > > >
> > > > Support MailScanner development - buy the book off the website!
> > >
> > >
> > > **********************************************************************
> > >
> > > This email and any files transmitted with it are confidential and
> > > intended solely for the use of the individual or entity to whom they
> > > are addressed. If you have received this email in error please notify
> > > the system manager.
> > >
> > > This footnote confirms that this email message has been swept
> > > for the presence of computer viruses and is believed to be clean.
> > >
> > > **********************************************************************
> > >
> > >
> >
> > Regards
> >
> > Jim Holland
> > System Administrator
> > MANGO - Zimbabwe's non-profit e-mail service
> >
> > --
> > MailScanner mailing list
> > mailscanner at lists.mailscanner.info
> > http://lists.mailscanner.info/mailman/listinfo/mailscanner
> >
> > Before posting, read http://wiki.mailscanner.info/posting
> >
> > Support MailScanner development - buy the book off the website!
> >
> 

Regards

Jim Holland
System Administrator
MANGO - Zimbabwe's non-profit e-mail service

More information about the MailScanner mailing list