Error with EMTPY_MESSAGE
Glenn Steen
glenn.steen at gmail.com
Sat Sep 13 22:26:10 IST 2008
2008/9/13 Hugo van der Kooij <hvdkooij at vanderkooij.org>:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Glenn Steen wrote:
>> 2008/9/13 Hugo van der Kooij <hvdkooij at vanderkooij.org>:
>>> -----BEGIN PGP SIGNED MESSAGE-----
>>> Hash: SHA1
>>>
>>> Glenn Steen wrote:
>>>> 2008/9/13 Hugo van der Kooij <hvdkooij at vanderkooij.org>:
>>>>> -----BEGIN PGP SIGNED MESSAGE-----
>>>>> Hash: SHA1
>>>>>
>>>>> Hugo van der Kooij wrote:
>>>>>> Hi,
>>>>>>
>>>>>> It seems to me that SA is flagging just about any message as EMPTY_MESSAGE.
>>>>>>
>>>>>> Is anyone else seeing this too?
>>>>> I just had quite a bit of a discussion about malware that just walks
>>>>> past MailScanner with multiple AV scanners active.
>>>>>
>>>>> It seems that it might be related to postfix. Where MailScanner is
>>>>> trying to decode postfix queue files but not doing the right thing.
>>>>>
>>>>> My result on 3 sample queue files was 0% through MailScanner. But
>>>>> decoding them with postcat allowed me to hit 100% of the files.
>>>>>
>>>>> So the issue may require all postfix users to look very carefully into
>>>>> their messages and the ability to scan them properly.
>>>>>
>>>>> Hugo.
>>>>>
>>>> Can I get a sample, please? Send it off-list.
>>>> Do you do milters? Which milters? Version of postfix?
>>> I use postfix 2.3.2 as it is the normal shipped package for Centos 5.
>>>
>>> Hugo.
>>>
>> Just to give a little update:
>>
>> I've received queue files from Jules and Alex B. I've fed these
>> through both a testbed and our current production .... And they simply
>> worked as expected(!)... The zip-file they included got unpacked
>> nicely, the filename _and_ filetype got it into the quarantine, as
>> well as all my AVs firing like mad:-).
>> This was on a Mandriva 2008.1 running perl 5.10.0 with MailScanner
>> 4.71.10 ... latest stable and beta are essentially the same, so ...
>>
>> I'm leaning toward this being related to CentOS 5.2, possibly the
>> relevant perl modules.
>
> It seems you are using the perl interface to ClamAV and not clamd or
> anything else. That would at least have an impact on how things are
> called and how they are parsed in part.
Nope. I've just got the Mail::ClamAV module installed;-)... I'm using
clamd, and am very happy about it too;).
Actually, I tend to install _all_ the optional modules, regardless if
I use them or not. Sure, a maintenance overhead, but then ... they're
there when/if I decide to use a function that actually need 'em.
>> Further than that is pretty hard for me to check, since I cannot
>> reproduce the problem.
>
> If you can setup a Centos 5 virtual machine you could give it a spin.
> See if it is something obvious we are all overlooking.
I've been in shortly on Alex testbed... Nothing exactly stood out...
Apart from not working, it looked fine:-).
Did you get the "fixlet" Jules gave me and Alex? Seems to be
innefectual for Alex.
then again... Jules removed the mailscanner rpm, reinstalled it (via
rpm -Uvh) and copied in his MailScanner.conf ... and that seemed to
"cure" it for him. Which seems like a very very odd thing indeed.
What happens if you do similarly? (remember to save a copy of
/etc/MailScanner first;-).
> Hugo.
>
Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se
More information about the MailScanner
mailing list