Error with EMTPY_MESSAGE
Hugo van der Kooij
hvdkooij at vanderkooij.org
Sat Sep 13 22:06:02 IST 2008
-----BEGIN PGP SIGNED MESSAGE-----
Glenn Steen wrote:
> 2008/9/13 Hugo van der Kooij <hvdkooij at vanderkooij.org>:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>> Glenn Steen wrote:
>>> 2008/9/13 Hugo van der Kooij <hvdkooij at vanderkooij.org>:
>>>> -----BEGIN PGP SIGNED MESSAGE-----
>>>> Hash: SHA1
>>>> Hugo van der Kooij wrote:
>>>>> It seems to me that SA is flagging just about any message as EMPTY_MESSAGE.
>>>>> Is anyone else seeing this too?
>>>> I just had quite a bit of a discussion about malware that just walks
>>>> past MailScanner with multiple AV scanners active.
>>>> It seems that it might be related to postfix. Where MailScanner is
>>>> trying to decode postfix queue files but not doing the right thing.
>>>> My result on 3 sample queue files was 0% through MailScanner. But
>>>> decoding them with postcat allowed me to hit 100% of the files.
>>>> So the issue may require all postfix users to look very carefully into
>>>> their messages and the ability to scan them properly.
>>> Can I get a sample, please? Send it off-list.
>>> Do you do milters? Which milters? Version of postfix?
>> I use postfix 2.3.2 as it is the normal shipped package for Centos 5.
> Just to give a little update:
> I've received queue files from Jules and Alex B. I've fed these
> through both a testbed and our current production .... And they simply
> worked as expected(!)... The zip-file they included got unpacked
> nicely, the filename _and_ filetype got it into the quarantine, as
> well as all my AVs firing like mad:-).
> This was on a Mandriva 2008.1 running perl 5.10.0 with MailScanner
> 4.71.10 ... latest stable and beta are essentially the same, so ...
> I'm leaning toward this being related to CentOS 5.2, possibly the
> relevant perl modules.
It seems you are using the perl interface to ClamAV and not clamd or
anything else. That would at least have an impact on how things are
called and how they are parsed in part.
> Further than that is pretty hard for me to check, since I cannot
> reproduce the problem.
If you can setup a Centos 5 virtual machine you could give it a spin.
See if it is something obvious we are all overlooking.
hvdkooij at vanderkooij.org http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc
>Q: Are you sure?
>>A: Because it reverses the logical flow of conversation.
>>>Q: Why is top posting frowned upon?
Bored? Click on http://spamornot.org/ and rate those images.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
-----END PGP SIGNATURE-----
More information about the MailScanner