Clamd and problems with some TNEF attachments.

Julian Field MailScanner at ecs.soton.ac.uk
Wed Mar 12 08:45:20 GMT 2008


What MTA are you using?
What are your "Run As" settings?

Jim Barber wrote:
> Hi all.
>
> For a long time now I've been using the MailScanner packages as 
> distributed by Debian.
> Recently the maintainer updated the package to use version 4.66.5 of 
> MailScanner (it was previously at 4.58.9).
> This means that I can now take advantage of the ClamAV daemon to do 
> virus scanning instead of invoking clamav for each batch of messages.
>
> But I am encountering a strange error that occurs for some, but not 
> all TNEF attachments.
>
> Here is an example of the messages that occur in syslog when 
> processing an email with this problem.
> Note that I've changed the email address in the second line of output:
>
>     Mar 12 13:20:35 mail MailScanner[27855]: Spam Checks: Starting
>     Mar 12 13:20:35 mail MailScanner[27855]: Message 1JZIS6-00043a-FQ from 10.128.3.10 (user at ddihealth.com) is whitelisted
>     Mar 12 13:20:35 mail MailScanner[27855]: Spam Checks completed at 83746 bytes per second
>     Mar 12 13:20:36 mail MailScanner[27855]: Expanding TNEF archive at /var/spool/MailScanner/incoming/27855/1JZIS6-00043a-FQ/winmail.dat
>     Mar 12 13:20:42 mail MailScanner[27855]: Message 1JZIS6-00043a-FQ added TNEF contents image001.jpg,image002.jpg
>     Mar 12 13:20:42 mail MailScanner[27855]: Message 1JZIS6-00043a-FQ has had TNEF winmail.dat removed
>     Mar 12 13:20:42 mail MailScanner[27855]: Virus and Content Scanning: Starting
>     Mar 12 13:20:43 mail MailScanner[27855]: Clamd::ERROR:: Unable to open file or directory ERROR :: ./1JZIS6-00043a-FQ/mha1BpYaNZ
>     Mar 12 13:20:43 mail MailScanner[27855]: Clamd::ERROR:: Unable to open file or directory ERROR :: ./1JZIS6-00043a-FQ/RRZFcL3LVX
>     Mar 12 13:20:43 mail MailScanner[27855]: Virus Scanning: Clamd found 2 infections
>     Mar 12 13:20:43 mail MailScanner[27855]: Virus Scanning: Found 2 viruses
>     Mar 12 13:20:44 mail MailScanner[27855]: Virus Scanning completed at 7944 bytes per second
>     Mar 12 13:20:44 mail MailScanner[27855]: Uninfected: Delivered 2 messages
>     Mar 12 13:20:44 mail MailScanner[27855]: Virus Processing completed at 195783 bytes per second
>     Mar 12 13:20:44 mail MailScanner[27855]: Batch completed at 6458 bytes per second (63292 / 9)
>
> Note that the problem only seems to happen to TNEF attachments where 
> the following log entry occurs:
>
>     MailScanner[$PID]: Message $MSG_ID added TNEF contents $FILES
> e.g.
>     MailScanner[$PID]: Expanding TNEF archive at /var/spool/MailScanner/incoming/$PID/$MSG_ID/winmail.dat
>     MailScanner[$PID]: Message $MSG_ID added TNEF contents $FILES
>     MailScanner[$PID]: Message $MSG_ID has had TNEF winmail.dat removed
>
> However, if I only get the following messages then the virus scan will 
> be fine:
>
>     MailScanner[$PID]: Expanding TNEF archive at /var/spool/MailScanner/incoming/$PID/$MSG_ID/winmail.dat
>     MailScanner[$PID]: Message $MSG_ID has had TNEF winmail.dat removed
>
> I have the following TNEF settings in my MailScanner.conf file:
>
>     Expand TNEF = yes
>     Use TNEF Contents = replace
>     Deliver Unparsable TNEF = no
>     TNEF Expander  = internal
>     TNEF Timeout = 120
>
> I changed the "TNEF Expander" to be "internal" a long time ago.
> I found that having it set to "/usr/bin/tnef --maxsize=100000000" 
> choked on some messages that the internal one was able to handle.
>
> The ClamAV daemon is successfully scanning all other emails okay.
> I've only ever seen the problem associated with certain TNEF attachments.
>
> I've left all clamd settings in the MailScanner.conf at their default 
> settings.
> The clamd virus scanner is found when MailScanner starts as shown in 
> the following log message:
>
>     Mar 12 11:51:54 mail MailScanner[27855]: I have found clamd scanners installed, and will use them all by default.
>
> My MailScanner incoming file system is using tmpfs and is shown as 
> follows in 'df' output:
>
>     tmpfs                   258528       704    257824   1% /var/spool/MailScanner/incoming
>
> Any ideas what is going wrong?
>
> Thanks.
>
> ----------
> Jim Barber
> DDI Health

Jules

-- 
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner?
Contact me!
Need help fixing or optimising your systems?
Contact me!
Need help getting you started solving new requirements from your boss?
Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654


-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
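
Added example, not part of the original thread and not MailScanner's own code: a log triage sketch that groups the quoted syslog lines by message id and flags messages where clamd's "Unable to open file or directory" errors coincide with "added TNEF contents", and where the reported infection count equals the number of open errors. The regular expressions assume the line formats shown in the quoted excerpt; the function name `triage` and the control message id are made up for illustration.

```python
import re
from collections import defaultdict

# Log lines from the quoted post (wrapped lines rejoined); the last line is
# constructed here as a control: a TNEF message that scanned without error.
SAMPLE = """\
Mar 12 13:20:36 mail MailScanner[27855]: Expanding TNEF archive at /var/spool/MailScanner/incoming/27855/1JZIS6-00043a-FQ/winmail.dat
Mar 12 13:20:42 mail MailScanner[27855]: Message 1JZIS6-00043a-FQ added TNEF contents image001.jpg,image002.jpg
Mar 12 13:20:42 mail MailScanner[27855]: Message 1JZIS6-00043a-FQ has had TNEF winmail.dat removed
Mar 12 13:20:43 mail MailScanner[27855]: Clamd::ERROR:: Unable to open file or directory ERROR :: ./1JZIS6-00043a-FQ/mha1BpYaNZ
Mar 12 13:20:43 mail MailScanner[27855]: Clamd::ERROR:: Unable to open file or directory ERROR :: ./1JZIS6-00043a-FQ/RRZFcL3LVX
Mar 12 13:20:43 mail MailScanner[27855]: Virus Scanning: Clamd found 2 infections
Mar 12 13:21:02 mail MailScanner[27855]: Message 1JZIT0-00044b-XX has had TNEF winmail.dat removed
""".splitlines()

TNEF_ADDED = re.compile(r"Message (\S+) added TNEF contents (\S+)")
CLAMD_ERR = re.compile(r"Clamd::ERROR:: (.+?) ERROR :: \./([^/\s]+)/(\S+)")
CLAMD_HITS = re.compile(r"Clamd found (\d+) infections")

def triage(lines):
    """Correlate clamd open errors with TNEF expansion, per message id."""
    tnef = {}                   # msg id -> attachments added from winmail.dat
    errors = defaultdict(list)  # msg id -> files clamd could not open
    reported = 0                # "infections" clamd reported in these lines
    for line in lines:
        if m := TNEF_ADDED.search(line):
            tnef[m.group(1)] = m.group(2).split(",")
        elif m := CLAMD_ERR.search(line):
            errors[m.group(2)].append(m.group(3))
        elif m := CLAMD_HITS.search(line):
            reported += int(m.group(1))
    scan_errors = sum(len(files) for files in errors.values())
    return {
        # messages that had TNEF contents added and then hit an open error
        "suspect": sorted(mid for mid in errors if mid in tnef),
        "unreadable": dict(errors),
        "reported_infections": reported,
        # True when the reported count equals the number of open errors,
        # i.e. no hit in these lines is left to be a signature match
        "all_hits_are_errors": reported > 0 and reported == scan_errors,
    }

if __name__ == "__main__":
    print(triage(SAMPLE))
```

On the quoted excerpt this marks message 1JZIS6-00043a-FQ as suspect and shows that both reported "infections" line up with the two unreadable temporary files.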