Virus still being picked up an hour later
Dhawal Doshy
dhawal at netmagicsolutions.com
Thu Jan 19 09:09:30 GMT 2006
Julian Field wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
>
>
> On 19 Jan 2006, at 03:17, Jeff Mills wrote:
>
>>> -----Original Message-----
>>> From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Dhawal Doshy
>>> Sent: Thursday, 19 January 2006 2:00 PM
>>> To: MailScanner discussion
>>> Subject: Re: Virus still being picked up an hour later
>>>
>>> This is precisely what I have been unsuccessfully trying to convey all evening to Julian.. somehow no one else seemed to be in this situation..
>>>
>>> Here's what I observed.. all files (even legit ones) continue to be lying in the MailScanner incoming directory (within their respective PID directory) and do NOT get deleted post batch processing.. as a result MailScanner keeps on checking them again and again..
>>>
>>> I am at a loss to take it any further, since I haven't slept all night long trying to figure out the reason.. :-(
>>>
>>> - dhawal
>>>
>> I hadn't noticed mine scanning clean messages again, but you could be right.
>> When I check my incoming dir for that process, there are a lot of directories in there - all dated today, and all with a time after I first saw this problem.
>> So maybe once this problem rears its head, no more mail processed by this process gets deleted?
>
> Right, I understand the symptom now. What configuration option do you think is causing it? What MTA are you using?
>
> Have you run MailScanner in debug mode to see what it prints when this happens?
Postfix 2.2.5; here's the MailScanner extract from a debug batch:
Jan 19 08:41:41 mx2 MailScanner[16198]: MailScanner E-Mail Virus Scanner version 4.50.9 starting...
Jan 19 08:41:41 mx2 MailScanner[16198]: Read 697 hostnames from the phishing whitelist
Jan 19 08:41:41 mx2 MailScanner[16198]: Config: calling custom init function SQLBlacklist
Jan 19 08:41:41 mx2 MailScanner[16198]: Starting up SQL Blacklist
Jan 19 08:41:41 mx2 MailScanner[16198]: Read 109 blacklist entries
Jan 19 08:41:41 mx2 MailScanner[16198]: Config: calling custom init function MailWatchLogging
Jan 19 08:41:41 mx2 MailScanner[16198]: Started SQL Logging child
Jan 19 08:41:41 mx2 MailScanner[16198]: Config: calling custom init function SQLWhitelist
Jan 19 08:41:41 mx2 MailScanner[16198]: Starting up SQL Whitelist
Jan 19 08:41:41 mx2 MailScanner[16198]: Read 36 whitelist entries
Jan 19 08:41:41 mx2 MailScanner[16198]: Using SpamAssassin results cache
Jan 19 08:41:41 mx2 MailScanner[16198]: Connected to SpamAssassin cache database
Jan 19 08:41:42 mx2 MailScanner[16198]: Expired 81 records from the SpamAssassin cache
Jan 19 08:41:48 mx2 MailScanner[16198]: lock.pl sees Config LockType = flock
Jan 19 08:41:48 mx2 MailScanner[16198]: lock.pl sees have_module = 0
Jan 19 08:41:48 mx2 MailScanner[16198]: Using locktype = flock
Jan 19 08:41:48 mx2 MailScanner[16198]: New Batch: Scanning 9 messages, 562949 bytes
Jan 19 08:41:48 mx2 MailScanner[16198]: Created attachment dirs for 9 messages
Jan 19 08:41:48 mx2 MailScanner[16198]: MCP Checks completed at 1200396157 bytes per second
Jan 19 08:41:48 mx2 MailScanner[16198]: Spam Checks: Starting
Jan 19 08:41:48 mx2 MailScanner[16198]: SpamAssassin cache hit for message 18962288609.B799A
Jan 19 08:41:48 mx2 MailScanner[16198]: Message 18962288609.B799A from 221.160.246.58 (floydmcgowanwb at mindspring.com) to xxx.com is spam, SpamAssassin (score=16.037, required 5, BAYES_99 4.00, DATE_IN_FUTURE_12_24 3.03, DCC_CHECK 2.17, MIME_BASE64_TEXT 0.30, SARE_OBFU_NUMS3a 0.97, SARE_OBFU_NUMS3b 1.28, SARE_OBFU_NUMS3c 1.26, SARE_OBFU_NUMS3d 1.37, SARE_RECV_IP_061052 1.67)
Jan 19 08:41:48 mx2 MailScanner[16198]: SpamAssassin cache hit for message E91632885B3.39157
Jan 19 08:41:48 mx2 MailScanner[16198]: SpamAssassin cache hit for message C4A1A2885BE.E137B
Jan 19 08:41:48 mx2 MailScanner[16198]: Message C4A1A2885BE.E137B from 219.156.95.47 (rufusm.bradleylp at jhaweb.com) to xxxx.com is spam, SpamAssassin (score=16.037, required 5, BAYES_99 4.00, DATE_IN_FUTURE_12_24 3.03, DCC_CHECK 2.17, MIME_BASE64_TEXT 0.30, SARE_OBFU_NUMS3a 0.97, SARE_OBFU_NUMS3b 1.28, SARE_OBFU_NUMS3c 1.26, SARE_OBFU_NUMS3d 1.37, SARE_RECV_IP_061052 1.67)
Jan 19 08:41:52 mx2 MailScanner[16198]: SpamAssassin returned 0
Jan 19 08:41:52 mx2 MailScanner[16198]: SpamAssassin cache hit for message 6211A2885D1.3EBEA
Jan 19 08:41:52 mx2 MailScanner[16198]: Message 6211A2885D1.3EBEA from 59.19.19.120 (wilmacassidyua at knsacs.com) to xxxx.com is spam, SpamAssassin (score=16.037, required 5, BAYES_99 4.00, DATE_IN_FUTURE_12_24 3.03, DCC_CHECK 2.17, MIME_BASE64_TEXT 0.30, SARE_OBFU_NUMS3a 0.97, SARE_OBFU_NUMS3b 1.28, SARE_OBFU_NUMS3c 1.26, SARE_OBFU_NUMS3d 1.37, SARE_RECV_IP_061052 1.67)
Jan 19 08:41:52 mx2 MailScanner[16198]: SpamAssassin cache hit for message 796AD28860B.B2A37
Jan 19 08:41:52 mx2 MailScanner[16198]: Message 796AD28860B.B2A37 from 222.132.40.221 (forresttr at execpc.com) to xxxx.com is spam, SpamAssassin (score=16.037, required 5, BAYES_99 4.00, DATE_IN_FUTURE_12_24 3.03, DCC_CHECK 2.17, MIME_BASE64_TEXT 0.30, SARE_OBFU_NUMS3a 0.97, SARE_OBFU_NUMS3b 1.28, SARE_OBFU_NUMS3c 1.26, SARE_OBFU_NUMS3d 1.37, SARE_RECV_IP_061052 1.67)
Jan 19 08:41:52 mx2 MailScanner[16198]: SpamAssassin cache hit for message E7B612885B2.605FA
Jan 19 08:41:52 mx2 MailScanner[16198]: SpamAssassin cache hit for message 986B62885B5.DE050
Jan 19 08:41:52 mx2 MailScanner[16198]: SpamAssassin cache hit for message 1B89C2885D0.D3F07
Jan 19 08:41:52 mx2 MailScanner[16198]: Message 1B89C2885D0.D3F07 from 219.135.96.106 (c.contrerasek at larsonengineering.com) to xxxx.com is spam, SpamAssassin (score=16.037, required 5, BAYES_99 4.00, DATE_IN_FUTURE_12_24 3.03, DCC_CHECK 2.17, MIME_BASE64_TEXT 0.30, SARE_OBFU_NUMS3a 0.97, SARE_OBFU_NUMS3b 1.28, SARE_OBFU_NUMS3c 1.26, SARE_OBFU_NUMS3d 1.37, SARE_RECV_IP_061052 1.67)
Jan 19 08:41:52 mx2 MailScanner[16198]: Spam Checks: Found 5 spam messages
Jan 19 08:41:52 mx2 MailScanner[16198]: Spam Actions: message 18962288609.B799A actions are store
Jan 19 08:41:52 mx2 MailScanner[16198]: Spam Actions: message C4A1A2885BE.E137B actions are store
Jan 19 08:41:52 mx2 MailScanner[16198]: Spam Actions: message 6211A2885D1.3EBEA actions are store
Jan 19 08:41:52 mx2 MailScanner[16198]: Spam Actions: message 796AD28860B.B2A37 actions are store
Jan 19 08:41:52 mx2 MailScanner[16198]: Spam Actions: message 1B89C2885D0.D3F07 actions are store
Jan 19 08:41:52 mx2 MailScanner[16198]: Spam Checks completed at 130236 bytes per second
Jan 19 08:41:52 mx2 MailScanner[16198]: Virus and Content Scanning: Starting
Jan 19 08:41:52 mx2 MailScanner[16198]: Commencing scanning by clamavmodule...
Jan 19 08:41:53 mx2 MailScanner[16198]: Completed scanning by clamavmodule
Jan 19 08:41:53 mx2 MailScanner[16198]: Commencing scanning by mcafee...
Jan 19 08:41:53 mx2 MailScanner[16198]: Completed scanning by mcafee
Jan 19 08:41:53 mx2 MailScanner[16198]: Commencing scanning by bitdefender...
Jan 19 08:41:54 mx2 MailScanner[16198]: Completed scanning by bitdefender
Jan 19 08:41:54 mx2 MailScanner[16198]: Virus Scanning completed at 256145 bytes per second
Jan 19 08:41:54 mx2 MailScanner[16198]: Requeue: E91632885B3.39157 to 32306288198
Jan 19 08:41:54 mx2 MailScanner[16198]: Requeue: F16ED28805B.F2283 to 65296288199
Jan 19 08:41:54 mx2 MailScanner[16198]: Requeue: E7B612885B2.605FA to 90C9428805B
Jan 19 08:41:55 mx2 MailScanner[16198]: Requeue: 986B62885B5.DE050 to 31B6128819A
Jan 19 08:41:55 mx2 MailScanner[16198]: About to deliver 4 messages
Jan 19 08:41:55 mx2 MailScanner[16198]: Uninfected: Delivered 4 messages
Jan 19 08:41:55 mx2 MailScanner[16198]: Virus Processing completed at 2172893 bytes per second
Jan 19 08:41:55 mx2 MailScanner[16198]: Disinfection completed at -411448806 bytes per second
Jan 19 08:41:55 mx2 MailScanner[16198]: Batch completed at 82503 bytes per second (562949 / 6)
Jan 19 08:41:55 mx2 MailScanner[16198]: Batch processed in 6.82 seconds
Jan 19 08:41:55 mx2 MailScanner[16198]: Logging message 18962288609.B799A to SQL
Jan 19 08:41:55 mx2 MailScanner[16198]: Logging message E91632885B3.39157 to SQL
Jan 19 08:41:55 mx2 MailScanner[16198]: Logging message C4A1A2885BE.E137B to SQL
Jan 19 08:41:55 mx2 MailScanner[16198]: Logging message F16ED28805B.F2283 to SQL
Jan 19 08:41:55 mx2 MailScanner[16198]: Logging message 6211A2885D1.3EBEA to SQL
Jan 19 08:41:55 mx2 MailScanner[16198]: Logging message 796AD28860B.B2A37 to SQL
Jan 19 08:41:55 mx2 MailScanner[16198]: Logging message E7B612885B2.605FA to SQL
Jan 19 08:41:55 mx2 MailScanner[16198]: Logging message 986B62885B5.DE050 to SQL
Jan 19 08:41:55 mx2 MailScanner[16198]: Logging message 1B89C2885D0.D3F07 to SQL
Jan 19 08:41:55 mx2 MailScanner[16198]: "Always Looked Up Last" took 0.01 seconds
Jan 19 08:41:55 mx2 MailScanner[16198]: Config: calling custom end function SQLBlacklist
Jan 19 08:41:55 mx2 MailScanner[16198]: Closing down by-domain spam blacklist
Jan 19 08:41:55 mx2 MailScanner[16198]: Config: calling custom end function MailWatchLogging
Jan 19 08:41:55 mx2 MailScanner[16198]: Config: calling custom end function SQLWhitelist
Jan 19 08:41:55 mx2 MailScanner[16198]: Closing down by-domain spam whitelist
Jan 19 08:41:55 mx2 MailScanner[16198]: MailScanner child dying of old age
Jan 19 08:41:55 mx2 MailScanner[16209]: 18962288609.B799A: Logged to MailWatch SQL
Jan 19 08:41:55 mx2 MailScanner[16209]: E91632885B3.39157: Logged to MailWatch SQL
Jan 19 08:41:55 mx2 MailScanner[16209]: C4A1A2885BE.E137B: Logged to MailWatch SQL
Jan 19 08:41:55 mx2 MailScanner[16209]: F16ED28805B.F2283: Logged to MailWatch SQL
Jan 19 08:41:55 mx2 MailScanner[16209]: 6211A2885D1.3EBEA: Logged to MailWatch SQL
Jan 19 08:41:55 mx2 MailScanner[16209]: 796AD28860B.B2A37: Logged to MailWatch SQL
Jan 19 08:41:55 mx2 MailScanner[16209]: E7B612885B2.605FA: Logged to MailWatch SQL
Jan 19 08:41:55 mx2 MailScanner[16209]: 986B62885B5.DE050: Logged to MailWatch SQL
Jan 19 08:41:55 mx2 MailScanner[16209]: 1B89C2885D0.D3F07: Logged to MailWatch SQL
Also, here's the output of "MailScanner -v":
[root at mx2 MailScanner]# MailScanner -v
Running on
Linux mx2.netmagicians.com 2.6.9-22.0.1.ELsmp #1 SMP Thu Oct 27 13:14:25 CDT 2005 i686 i686 i386 GNU/Linux
This is CentOS release 4.2 (Final)
This is Perl version 5.008005 (5.8.5)
This is MailScanner version 4.50.9
Module versions are:
1.00 AnyDBM_File
1.14 Archive::Zip
1.03 Carp
1.119 Convert::BinHex
1.00 DirHandle
1.05 Fcntl
2.73 File::Basename
2.08 File::Copy
2.01 FileHandle
1.06 File::Path
0.14 File::Temp
1.29 HTML::Entities
3.45 HTML::Parser
2.30 HTML::TokeParser
1.21 IO
1.10 IO::File
1.123 IO::Pipe
1.71 Mail::Header
3.05 MIME::Base64
5.419 MIME::Decoder
5.419 MIME::Decoder::UU
5.419 MIME::Head
5.419 MIME::Parser
3.03 MIME::QuotedPrint
5.419 MIME::Tools
0.10 Net::CIDR
1.08 POSIX
1.77 Socket
0.08 Sys::Syslog
1.86 Time::HiRes
1.02 Time::localtime
Optional module versions are:
0.17 Convert::TNEF
1.809 DB_File
1.11 DBD::SQLite
1.50 DBI
1.08 Digest
1.01 Digest::HMAC
2.33 Digest::MD5
2.10 Digest::SHA1
0.44 Inline
0.17 Mail::ClamAV
3.000004 Mail::SpamAssassin
1.997 Mail::SPF::Query
0.15 Net::CIDR::Lite
0.23 Net::DNS
0.31 Net::LDAP
1.94 Parse::RecDescent
missing SAVI
1.2 Sys::Hostname::Long
2.42 Test::Harness
0.47 Test::Simple
1.95 Text::Balanced
1.35 URI
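As an added example for this thread (not code from MailScanner, MailWatch, or anyone posting here): a small Python script that parses MailScanner syslog lines of the shape shown in the debug extract above and reports every message ID that is processed in more than one batch, which is the "checking them again and again" behaviour Dhawal describes. It assumes the line formats visible in the extract ("New Batch", "Message ... from", "SpamAssassin cache hit for message", "Requeue:", "Spam Actions:"), treats a repeated ID across batches as a re-scan (a heuristic, not something MailScanner itself reports), and the sample log lines, queue IDs, hosts and addresses embedded in it are constructed for illustration; the /var/log/maillog path in the usage comment is an assumption as well.

```python
"""Find MailScanner messages that come back in a later batch.

Added example for this thread, not code from MailScanner or from anyone in
the discussion. It parses syslog lines of the shape seen in the debug
extract (the "New Batch", "Message ... from", "SpamAssassin cache hit for
message", "Requeue:" and "Spam Actions:" lines) and reports any message ID
that is processed in more than one batch. Treating a repeated ID as a
re-scan is a heuristic assumed here; the sample log lines, IDs, hosts and
addresses below are constructed and not from any real system.
"""
import re
from collections import defaultdict

# syslog prefix as in the extract: "Jan 19 08:41:48 mx2 MailScanner[16198]: ..."
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ "
    r"MailScanner\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
BATCH_RE = re.compile(r"^New Batch: Scanning \d+ messages")
# message IDs look like <postfix queue id>.<inode>, e.g. E91632885B3.39157
MSGID = r"(?P<id>[0-9A-F]+\.[0-9A-F]+)"
ID_RES = [
    re.compile(r"^Message " + MSGID + r" from "),
    re.compile(r"^SpamAssassin cache hit for message " + MSGID),
    re.compile(r"^Requeue: " + MSGID + r" to "),
    re.compile(r"^Spam Actions: message " + MSGID + r" actions are "),
]

# Constructed sample: child 16198 scans two messages, then 80 seconds later
# scans the very same two IDs again; child 16300 scans one message once.
SAMPLE_LOG = """\
Jan 19 08:41:48 mx2 MailScanner[16198]: New Batch: Scanning 2 messages, 12345 bytes
Jan 19 08:41:48 mx2 MailScanner[16198]: Message AAAA0000001.11111 from 192.0.2.10 (sender at example.net) to example.com is spam, SpamAssassin (score=12.0, required 5, BAYES_99 4.00)
Jan 19 08:41:49 mx2 MailScanner[16198]: Spam Actions: message AAAA0000001.11111 actions are store
Jan 19 08:41:50 mx2 MailScanner[16198]: Requeue: BBBB0000002.22222 to CCCC0000003
Jan 19 08:41:50 mx2 MailScanner[16198]: Batch processed in 2.10 seconds
Jan 19 08:42:05 mx2 MailScanner[16300]: New Batch: Scanning 1 messages, 999 bytes
Jan 19 08:42:05 mx2 MailScanner[16300]: Requeue: DDDD0000004.44444 to EEEE0000005
Jan 19 08:43:10 mx2 MailScanner[16198]: New Batch: Scanning 2 messages, 12345 bytes
Jan 19 08:43:10 mx2 MailScanner[16198]: SpamAssassin cache hit for message AAAA0000001.11111
Jan 19 08:43:10 mx2 MailScanner[16198]: SpamAssassin cache hit for message BBBB0000002.22222
"""


def parse_batches(lines):
    """Group log lines into batches: one dict(pid, ts, ids) per 'New Batch'.

    Children run concurrently and interleave in syslog, so the open batch is
    tracked per PID rather than globally.
    """
    batches = []
    open_batch = {}  # pid -> the batch that child is currently logging
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        pid, ts, msg = m.group("pid"), m.group("ts"), m.group("msg")
        if BATCH_RE.match(msg):
            open_batch[pid] = {"pid": pid, "ts": ts, "ids": set()}
            batches.append(open_batch[pid])
            continue
        batch = open_batch.get(pid)
        if batch is None:
            continue  # line from before that child's first batch header
        for rx in ID_RES:
            hit = rx.match(msg)
            if hit:
                batch["ids"].add(hit.group("id"))
                break
    return batches


def find_rescanned(batches):
    """Return {message_id: [(pid, ts), ...]} for IDs seen in 2+ batches."""
    seen = defaultdict(list)
    for b in batches:
        for mid in b["ids"]:
            seen[mid].append((b["pid"], b["ts"]))
    return {mid: hits for mid, hits in seen.items() if len(hits) > 1}


def report(lines):
    """One text line per re-scanned message, sorted by message ID."""
    rescanned = find_rescanned(parse_batches(lines))
    out = []
    for mid in sorted(rescanned):
        where = ", ".join(f"pid {pid} at {ts}" for pid, ts in rescanned[mid])
        out.append(f"{mid} scanned {len(rescanned[mid])} times: {where}")
    return out


if __name__ == "__main__":
    # Real use (path assumed): python3 rescan.py < /var/log/maillog
    # With no piped input the constructed sample above is analysed instead.
    import sys
    src = SAMPLE_LOG.splitlines() if sys.stdin.isatty() else sys.stdin
    for line in report(src):
        print(line)
```

Run it against the mail log of the affected host over the window in which the problem appears; a clean host should report nothing, while the symptom in this thread shows up as the same queue IDs listed under successive batches of the same child PID.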