Bug, or configuration option I missed?

randyf at sibernet.com
Sun Jan 7 05:06:11 CET 2007


On Sat, 6 Jan 2007, Julian Field wrote:

> That's a very interesting one. Can you give me a repeatable setup that will 
> reliably cause this problem?
> What scanner was it that ran into trouble?
> This one is definitely worth further investigation.
>
> Jules.

   The virus scanner is Sophos, and the libraries were on a failing disk, 
such that they could not be loaded for scanning.  I had also configured 
MailScanner to NOT use the SAVI module, so each attempt at virus scanning 
caused the sweep process to dump core.  I suspect it might be able to be 
reproduced by generating a corrupted library and returning the configuration 
to use sophos and not sophossavi (and I might experiment a bit).

   The logfiles for a single message from lists.mailscanner.info during 
that time are as follows:

Jan  5 09:07:03 husky sendmail[23558]: [ID 801593 mail.info] l05H6rV4023558: from=<mailscanner-bounces at lists.mailscanner.info>, size=9365, class=-30, nrcpts=1,
msgid=<003201c730ec$10c353c0$1c00a8c0 at pcaharjg2>, proto=ESMTP, daemon=MTA-v4, relay=safir.blacknight.ie [83.98.192.7]

Jan  5 09:09:11 localhost MailScanner[18860]: Message l05H6rV4023558 from 83.98.192.7 (mailscanner-bounces at lists.mailscanner.info) is whitelisted

Jan  5 09:14:29 localhost MailScanner[18860]: Commercial scanner sophos timed out!

Jan  5 09:14:29 localhost MailScanner[18860]: sophos: Failed to complete, timed out

Jan  5 09:14:29 localhost MailScanner[18860]: Virus Scanning: Denial Of Service attack is in message l05H6rV4023558

Jan  5 09:25:43 localhost MailScanner[18860]: Infected message l05H6rV4023558 came from 83.98.192.7

Jan  5 09:25:43 localhost MailScanner[18860]: Viruses marked as silent: Denial of Service attack in message!


   The primary failure was something in the system that has since been 
fixed (corrupted disk where the bad area just happened to be a Sophos 
library), but along the way, a lot of mail was lost (fortunately, a lot of 
spam, and list email that has archives, so there probably isn't anything 
too terribly important that is not obtainable).  It also made me change 
the configuration to quarantine all "viruses", since not much comes my way 
anymore.  So in theory, I won't lose email if I can generate a test 
condition.

   Note, that I also whitelist lists.mailscanner.info, and this message was 
still tossed (even though I didn't actually look at the source, I suspect 
that the "whitelist" is for spam and not viruses).

   If I come up with a test condition that doesn't require bad hardware, I 
will send it on.  BTW, the machine is an x86 opteron running Solaris 10-6/06 
(a.k.a. S10u2) and MailScanner-4.56.8 (a little behind, but not that 
much).

   Thanks, Jules!


RF

>
> randyf at sibernet.com wrote:
>> 
>> 
>> Hi Folks-
>>
>>   I had an interesting failure overnight that effectively was caused by a 
>> corrupted library for the virus scanner.  This caused the virus scanner to 
>> time out in the eyes of MailScanner (and dump a lot of corefiles), and 
>> MailScanner then proceeded to believe that this was a silent virus and toss 
>> it as any of the other silent viruses (MailScanner thought it was a denial 
>> of service attack).
>>
>>   If there isn't a configuration option to deal with this scenario, what 
>> would have been better than tossing messages would have been to quarantine 
>> the messages.  But as in my case, I suspect that other checks in MailScanner 
>> would have caught a possible virus in that flurry, so it would have been best 
>> to send the message through the remaining tests, and flag it somehow as not 
>> passing virus scanning.
>>
>>   Is this a bug/feature-request, or did I miss a configuration option to 
>> handle virus scanner failures?
>>
>>   Thanks!
>> 
>> 
>> RF
>
> Jules
>
> -- 
> Julian Field MEng CITP
> www.MailScanner.info
> Buy the MailScanner book at www.MailScanner.info/store
>
> MailScanner customisation, or any advanced system administration help?
> Contact me at Jules at Jules.FM
>
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
> For all your IT requirements visit www.transtec.co.uk
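The log sequence quoted in the reply above shows the failure mode: a commercial-scanner timeout followed, in the same MailScanner child, by a "Denial Of Service attack" verdict that silently drops the message. The following is an added example, not code from the thread or from MailScanner itself: it walks a syslog excerpt and flags DoS verdicts that immediately follow a scanner timeout under the same PID, so an admin can tell scanner breakage apart from genuine verdicts. The sample log is constructed; the first block reproduces the lines quoted in the post, the second block (PID 18861, message id CONSTRUCTED0001) is invented as a control case, and the script assumes that the timeout line and the verdict line are logged sequentially by the same child, as the excerpt shows.

```python
import re

# Constructed sample: block one mirrors the lines quoted in the post (same host,
# PID and message id); block two is an invented PID 18861 whose DoS verdict was
# NOT preceded by a scanner timeout and must therefore not be flagged.
SAMPLE_LOG = """\
Jan  5 09:09:11 localhost MailScanner[18860]: Message l05H6rV4023558 from 83.98.192.7 (mailscanner-bounces at lists.mailscanner.info) is whitelisted
Jan  5 09:14:29 localhost MailScanner[18860]: Commercial scanner sophos timed out!
Jan  5 09:14:29 localhost MailScanner[18860]: sophos: Failed to complete, timed out
Jan  5 09:14:29 localhost MailScanner[18860]: Virus Scanning: Denial Of Service attack is in message l05H6rV4023558
Jan  5 09:25:43 localhost MailScanner[18860]: Infected message l05H6rV4023558 came from 83.98.192.7
Jan  5 09:25:43 localhost MailScanner[18860]: Viruses marked as silent: Denial of Service attack in message!
Jan  5 09:30:00 localhost MailScanner[18861]: Virus Scanning: Denial Of Service attack is in message CONSTRUCTED0001
Jan  5 09:30:00 localhost MailScanner[18861]: Infected message CONSTRUCTED0001 came from 192.0.2.10
"""

SYSLOG = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ MailScanner\[(?P<pid>\d+)\]: (?P<msg>.*)$")
TIMEOUT = re.compile(r"^Commercial scanner (?P<scanner>\S+) timed out!$")
DOS_VERDICT = re.compile(r"^Virus Scanning: Denial Of Service attack is in message (?P<msgid>\S+)$")
WHITELISTED = re.compile(r"^Message (?P<msgid>\S+) from \S+ .*is whitelisted$")


def find_scanner_failure_drops(log_text):
    """Return DoS verdicts issued right after the same MailScanner child logged
    a commercial-scanner timeout, i.e. verdicts that most likely reflect a
    broken scanner rather than a hostile message."""
    pending_timeout = {}   # pid -> scanner that just timed out in that child
    whitelisted = set()    # message ids the spam whitelist admitted earlier
    findings = []
    for line in log_text.splitlines():
        m = SYSLOG.match(line)
        if not m:
            continue
        pid, msg = m.group("pid"), m.group("msg")
        if (w := WHITELISTED.match(msg)):
            whitelisted.add(w.group("msgid"))
        elif (t := TIMEOUT.match(msg)):
            pending_timeout[pid] = t.group("scanner")
        elif (d := DOS_VERDICT.match(msg)):
            scanner = pending_timeout.pop(pid, None)
            if scanner is not None:   # verdict directly follows a timeout
                findings.append({"time": m.group("ts"), "msgid": d.group("msgid"),
                                 "scanner": scanner,
                                 "whitelisted": d.group("msgid") in whitelisted})
    return findings


if __name__ == "__main__":
    for f in find_scanner_failure_drops(SAMPLE_LOG):
        print(f"{f['time']} message {f['msgid']} dropped as DoS after {f['scanner']} "
              f"timed out (spam-whitelisted: {f['whitelisted']})")
```

Pointing the script at the live MailScanner syslog (or a log shipper) turns each finding into an alert that the drop was scanner-induced, which is exactly the case the post argues should be quarantined rather than discarded.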

