Mailscanner child freezes

Jeffrey Haas jeffrey at life.illinois.edu
Fri Nov 14 14:18:29 GMT 2008


I'm having trouble with a MailScanner child process freezing up.  If
anyone has any suggestions on how to investigate this, I'd be grateful.

On Tuesday, I upgraded a MailScanner/ClamAV installation to the latest
versions hoping to get past the recently announced buffer overflow in
ClamAV.  I installed using the .tgz files for MailScanner &
SpamAssassin/ClamAV on mailscanner.info.  I configured MailScanner
to use clamd.

Everything went well at the time (as it usually does - thanks Julian!).
However, this morning, I found that MailScanner had stopped processing
mail.  I was in a bit of a panic at the time, so I simply restarted
MailScanner, and some mail started flowing, but then things froze up
again.

I was thinking that there was a message that was gumming up the works
somewhere, so I set in MailScanner.conf:

#Max Unscanned Messages Per Scan = 30
#Max Unsafe Messages Per Scan = 30
Max Unscanned Messages Per Scan = 1
Max Unsafe Messages Per Scan = 1

That kept the good mail from getting tangled up with the bad.

Running 'ps auwx|grep MailScanner', I find:

postfix  31809  0.0  0.4  25616 20088 ?        Ss   17:59   0:00 MailScanner: starting child
postfix  31810 95.1  1.1  50884 47328 ?        R    17:59 333:13 MailScanner: cleaning messages
postfix  21305  0.0  1.2  56152 51988 ?        S    22:02   0:03 MailScanner: waiting for messages
...


Process 31810 picks up a message to clean, but can't complete for some
reason. Inspecting /var/spool/MailScanner/incoming, I can see the
contents of the message.

It is a bounce message from a Mailman list which contains an attachment,
'text.zip'.  I can run clamscan manually on the files extracted from the
message and it reports 'Worm.Mydoom.M FOUND'.

I thought perhaps this was an issue with clamd, since that is a bit new
to me.  (I've used the Mail::ClamAV module for many years.)  So, I
reconfigured to 'Virus Scanners = clamav' to have MailScanner invoke
clamscan.  I still get the same behavior with that.  One child process
grabs the troublesome message, and then stays in the 'cleaning messages'
state indefinitely.  The CPU utilization is 100% for that process.  I've
left it running for about 6 hours now, but there's no change.  I think
my freeze-up of the entire server this morning was perhaps all of the
children (5) getting tied up in this way.

This is an Ubuntu 7.10 system with postfix 2.4.5 & perl 5.8.8 installed
from .deb packages.  I think everything else of importance came from the
.tgz files.

The last messages from process 31810 are:

Nov 13 17:59:17 les MailScanner[31810]: MailScanner E-Mail Virus Scanner
version 4.72.5 starting...
Nov 13 17:59:17 les MailScanner[31810]: SpamAssassin temporary working
directory is /var/spool/MailScanner/incoming/SpamAssassin-Temp
Nov 13 17:59:17 les MailScanner[31810]: Using SpamAssassin results cache
Nov 13 17:59:17 les MailScanner[31810]: Connected to SpamAssassin cache
database
Nov 13 17:59:17 les MailScanner[31810]: Expired 6 records from the
SpamAssassin cache
Nov 13 17:59:18 les MailScanner[31810]: Using locktype = flock
Nov 13 17:59:18 les MailScanner[31810]: New Batch: Found 40 messages
waiting
Nov 13 17:59:18 les MailScanner[31810]: New Batch: Scanning 1 messages,
45362 bytes
Nov 13 17:59:18 les MailScanner[31810]: Spam Checks: Starting
Nov 13 17:59:18 les MailScanner[31810]: Message 2D5154E85A3.D9D39 from
127.0.0.1 (mailman-bounces at life.illinois.edu) is whitelisted
Nov 13 17:59:18 les MailScanner[31810]: SpamAssassin cache hit for
message 2D5154E85A3.D9D39
Nov 13 17:59:18 les MailScanner[31810]: Message 2D5154E85A3.D9D39 from
127.0.0.1 (mailman-bounces at life.illinois.edu) to uiuc.edu is not spam
(whitelisted), SpamAssassin (cached, score=-1.44, required 6,
autolearn=not spam, ALL_TRUSTED -1.44)
Nov 13 17:59:18 les MailScanner[31810]: Filename Checks: Possible MS-Dos
program shortcut attack (2D5154E85A3.D9D39 text.htm
                                                   .pif)
Nov 13 17:59:18 les MailScanner[31810]: Filetype Checks: No executables
(2D5154E85A3.D9D39 text.htm
                           .pif)
Nov 13 17:59:18 les MailScanner[31810]: Other Checks: Found 2 problems
Nov 13 17:59:18 les MailScanner[31810]: Virus and Content Scanning:
Starting
Nov 13 17:59:19 les MailScanner[31810]: ./2D5154E85A3.D9D39.message:
Worm.Mydoom.M FOUND
Nov 13 17:59:19 les MailScanner[31810]: ./2D5154E85A3.D9D39/text1.zip:
Worm.Mydoom.M FOUND
Nov 13 17:59:19 les MailScanner[31810]:
./2D5154E85A3.D9D39/text.htm.pif: Worm.Mydoom.M FOUND
Nov 13 17:59:19 les MailScanner[31810]: ./2D5154E85A3.D9D39/text.zip:
Worm.Mydoom.M FOUND
Nov 13 17:59:20 les MailScanner[31810]: Virus Scanning: ClamAV found 4
infections

Any ideas how to prevent this from happening?  Thanks for any suggestions.

----------------------------------------------------------------------
Jeffrey Haas
Director - Office of Information Technology
Life Sciences - University of Illinois at Urbana-Champaign
----------------------------------------------------------------------
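
The triage the post walks through by hand (spot the child burning CPU in `ps`, then find which queued message that PID picked up), as an added shell example that is not part of the original post. The function names, the 60-minute threshold and the two log lines for PID 21305 are assumptions made for illustration; the other sample lines are taken from the post with wrapped lines rejoined.

```shell
# Added example, not from the original post. Samples are constructed from the
# ps and syslog excerpts in the post, with mail-wrapped lines rejoined.
SAMPLE_PS='postfix  31809  0.0  0.4  25616 20088 ?        Ss   17:59   0:00 MailScanner: starting child
postfix  31810 95.1  1.1  50884 47328 ?        R    17:59 333:13 MailScanner: cleaning messages
postfix  21305  0.0  1.2  56152 51988 ?        S    22:02   0:03 MailScanner: waiting for messages'

# The two lines for PID 21305 are invented to show per-PID filtering.
SAMPLE_LOG='Nov 13 17:59:18 les MailScanner[31810]: New Batch: Scanning 1 messages, 45362 bytes
Nov 13 17:59:18 les MailScanner[31810]: SpamAssassin cache hit for message 2D5154E85A3.D9D39
Nov 13 17:59:19 les MailScanner[31810]: ./2D5154E85A3.D9D39/text.zip: Worm.Mydoom.M FOUND
Nov 13 22:02:10 les MailScanner[21305]: New Batch: Scanning 1 messages, 1200 bytes
Nov 13 22:02:10 les MailScanner[21305]: SpamAssassin cache hit for message 0A1B2C3D4E5.F6A7B'

# stuck_children LIMIT_MINUTES: read `ps auwx` output on stdin and print
# "PID CPU_MINUTES STATE" for MailScanner processes at or over the limit.
stuck_children() {
    awk -v limit="$1" '
        index($0, "MailScanner:") {
            split($10, t, ":")      # TIME column is cumulative minutes:seconds
            if (t[1] + 0 >= limit) {
                state = $0
                sub(/^.*MailScanner: /, "", state)
                printf "%s %d %s\n", $2, t[1], state
            }
        }'
}

# queue_ids_for_pid PID: read syslog on stdin and print each distinct queue ID
# (HEX.HEX, the form seen in the post) that this MailScanner PID logged.
queue_ids_for_pid() {
    grep -F "MailScanner[$1]:" |
        grep -oE '[0-9A-F]{6,}\.[0-9A-F]{5}' | sort -u
}

# triage LIMIT PS_TEXT LOG_TEXT: one line per stuck child with its queue IDs,
# i.e. the messages to pull out of the incoming queue for inspection.
triage() {
    printf '%s\n' "$2" | stuck_children "$1" | while read -r pid mins state; do
        ids=$(printf '%s\n' "$3" | queue_ids_for_pid "$pid" | tr '\n' ' ')
        printf 'pid=%s cpu_min=%s state="%s" queue_ids=%s\n' \
            "$pid" "$mins" "$state" "${ids% }"
    done
}

triage 60 "$SAMPLE_PS" "$SAMPLE_LOG"
```

On a live host, pass the output of `ps auwx` and the contents of the mail log in place of the two sample variables.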
