Clamd and problems with some TNEF attachments.

Scott Silva ssilva at sgvwater.com
Wed Mar 12 18:58:56 GMT 2008


on 3-11-2008 11:48 PM Jim Barber spake the following:
> Hi all.
> 
> For a long time now I've been using the MailScanner packages as 
> distributed by Debian.
> Recently the maintainer updated the package to use version 4.66.5 of 
> MailScanner (it was previously at 4.58.9).
> This means that I can now take advantage of the ClamAV daemon to do 
> virus scanning instead of invoking clamav for each batch of messages.
> 
> But I am encountering a strange error that occurs for some, but not all 
> TNEF attachments.
> 
> Here is an example of the messages that occur in syslog when processing 
> an email with this problem.
> Note that I've changed the email address in the second line of output:
> 
>     Mar 12 13:20:35 mail MailScanner[27855]: Spam Checks: Starting
>     Mar 12 13:20:35 mail MailScanner[27855]: Message 1JZIS6-00043a-FQ from 10.128.3.10 (user at ddihealth.com) is whitelisted
>     Mar 12 13:20:35 mail MailScanner[27855]: Spam Checks completed at 83746 bytes per second
>     Mar 12 13:20:36 mail MailScanner[27855]: Expanding TNEF archive at /var/spool/MailScanner/incoming/27855/1JZIS6-00043a-FQ/winmail.dat
>     Mar 12 13:20:42 mail MailScanner[27855]: Message 1JZIS6-00043a-FQ added TNEF contents image001.jpg,image002.jpg
>     Mar 12 13:20:42 mail MailScanner[27855]: Message 1JZIS6-00043a-FQ has had TNEF winmail.dat removed
>     Mar 12 13:20:42 mail MailScanner[27855]: Virus and Content Scanning: Starting
>     Mar 12 13:20:43 mail MailScanner[27855]: Clamd::ERROR:: Unable to open file or directory ERROR :: ./1JZIS6-00043a-FQ/mha1BpYaNZ
>     Mar 12 13:20:43 mail MailScanner[27855]: Clamd::ERROR:: Unable to open file or directory ERROR :: ./1JZIS6-00043a-FQ/RRZFcL3LVX
>     Mar 12 13:20:43 mail MailScanner[27855]: Virus Scanning: Clamd found 2 infections
>     Mar 12 13:20:43 mail MailScanner[27855]: Virus Scanning: Found 2 viruses
>     Mar 12 13:20:44 mail MailScanner[27855]: Virus Scanning completed at 7944 bytes per second
>     Mar 12 13:20:44 mail MailScanner[27855]: Uninfected: Delivered 2 messages
>     Mar 12 13:20:44 mail MailScanner[27855]: Virus Processing completed at 195783 bytes per second
>     Mar 12 13:20:44 mail MailScanner[27855]: Batch completed at 6458 bytes per second (63292 / 9)
> 
> Note that the problem only seems to happen to TNEF attachments where the 
> following log entry occurs:
> 
>     MailScanner[$PID]: Message $MSG_ID added TNEF contents $FILES
> 
> e.g.
> 
>     MailScanner[$PID]: Expanding TNEF archive at /var/spool/MailScanner/incoming/$PID/$MSG_ID/winmail.dat
>     MailScanner[$PID]: Message $MSG_ID added TNEF contents $FILES
>     MailScanner[$PID]: Message $MSG_ID has had TNEF winmail.dat removed
> 
> However, if I only get the following messages then the virus scan will be 
> fine:
> 
>     MailScanner[$PID]: Expanding TNEF archive at /var/spool/MailScanner/incoming/$PID/$MSG_ID/winmail.dat
>     MailScanner[$PID]: Message $MSG_ID has had TNEF winmail.dat removed
> 
> I have the following TNEF settings in my MailScanner.conf file:
> 
>     Expand TNEF = yes
>     Use TNEF Contents = replace
>     Deliver Unparsable TNEF = no
>     TNEF Expander  = internal
>     TNEF Timeout = 120
> 
> I changed the "TNEF Expander" to be "internal" a long time ago.
> I found that having it set to "/usr/bin/tnef --maxsize=100000000" choked 
> on some messages that the internal one was able to handle.
> 
> The ClamAV daemon is successfully scanning all other emails okay.
> I've only ever seen the problem associated with certain TNEF attachments.
> 
> I've left all clamd settings in the MailScanner.conf at their default 
> settings.
> The clamd virus scanner is found when MailScanner starts as shown in the 
> following log message:
> 
>     Mar 12 11:51:54 mail MailScanner[27855]: I have found clamd scanners installed, and will use them all by default.
> 
> My MailScanner incoming file system is using tmpfs and is shown as 
> follows in 'df' output:
> 
>     tmpfs                   258528       704    257824   1% /var/spool/MailScanner/incoming
> 
> Any ideas what is going wrong?
> 
> Thanks.
Hijacking threads has caused bad karma on your mailserver. Repent, say 10 Hail 
Julians, and hijack no more!



-- 
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!
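
Added example, not part of the original thread and not MailScanner code: a Python triage script that groups the syslog lines quoted above by message ID and flags messages where clamd logged an open error after TNEF expansion. The regexes are assumptions derived only from the quoted log format, and the second message in the sample is constructed for contrast.

```python
import re
from collections import defaultdict

# First message: lines from the excerpt quoted above (wrapped lines rejoined).
# Second message (1JZAAA-000000-AA): constructed, the case reported as scanning fine.
SAMPLE_LOG = """\
Mar 12 13:20:36 mail MailScanner[27855]: Expanding TNEF archive at /var/spool/MailScanner/incoming/27855/1JZIS6-00043a-FQ/winmail.dat
Mar 12 13:20:42 mail MailScanner[27855]: Message 1JZIS6-00043a-FQ added TNEF contents image001.jpg,image002.jpg
Mar 12 13:20:42 mail MailScanner[27855]: Message 1JZIS6-00043a-FQ has had TNEF winmail.dat removed
Mar 12 13:20:43 mail MailScanner[27855]: Clamd::ERROR:: Unable to open file or directory ERROR :: ./1JZIS6-00043a-FQ/mha1BpYaNZ
Mar 12 13:20:43 mail MailScanner[27855]: Clamd::ERROR:: Unable to open file or directory ERROR :: ./1JZIS6-00043a-FQ/RRZFcL3LVX
Mar 12 13:21:02 mail MailScanner[27855]: Expanding TNEF archive at /var/spool/MailScanner/incoming/27855/1JZAAA-000000-AA/winmail.dat
Mar 12 13:21:03 mail MailScanner[27855]: Message 1JZAAA-000000-AA has had TNEF winmail.dat removed
"""

# Patterns inferred from the quoted log lines (assumption, not a MailScanner spec).
PREFIX = r"MailScanner\[\d+\]: "
EXPAND = re.compile(PREFIX + r"Expanding TNEF archive at \S+/([^/\s]+)/winmail\.dat")
ADDED = re.compile(PREFIX + r"Message (\S+) added TNEF contents (.+)$")
CLAMD_ERR = re.compile(PREFIX + r"Clamd::ERROR:: (.+?) ERROR :: \./([^/\s]+)/(\S+)")


def triage(log_text):
    """Group TNEF and clamd error events by message ID."""
    msgs = defaultdict(lambda: {"tnef": False, "added": [], "clamd_errors": []})
    for line in log_text.splitlines():
        if m := EXPAND.search(line):
            msgs[m.group(1)]["tnef"] = True
        elif m := ADDED.search(line):
            msgs[m.group(1)]["added"] = m.group(2).split(",")
        elif m := CLAMD_ERR.search(line):
            # group(3) is the work-directory file name clamd could not open
            msgs[m.group(2)]["clamd_errors"].append(m.group(3))
    return dict(msgs)


def with_clamd_open_errors(log_text):
    """Message IDs with an expanded TNEF and at least one clamd open error."""
    return sorted(
        msg_id for msg_id, info in triage(log_text).items()
        if info["tnef"] and info["clamd_errors"]
    )


if __name__ == "__main__":
    for msg_id, info in triage(SAMPLE_LOG).items():
        flag = "CHECK" if info["clamd_errors"] else "ok"
        print(f"{flag:5} {msg_id} added={info['added']} errors={info['clamd_errors']}")
```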
