Error with EMTPY_MESSAGE

Hugo van der Kooij hvdkooij at vanderkooij.org
Sun Sep 14 15:32:31 IST 2008


Glenn Steen wrote:
> 2008/9/14 Hugo van der Kooij <hvdkooij at vanderkooij.org>:
>> That way we can find a set of sample queue files to work on and the
>> difference might tell us why it does not work all the time.
> 
> On my systems it did just work, with or without debug code. With Alex
> "bad" files.

There is an odd thing. I got no AV warning on the sample. Neither in
MailWatch nor in /var/log/maillog.

But if I go to the quarantine directory and scan the spam message file
there I get a hit from ClamAV.

The message in the quarantine looks like the genuine article. Malware
and all. Just like I would see from the postcat output.

So at that point does the handling of the file differ between the
interception and the storage of the file in the quarantine directory.

The log for that batch (1 message):

ep 14 10:11:58 balin MailScanner[21808]: New Batch: Scanning 1 messages,
48313 bytes
Sep 14 10:11:58 balin MailScanner[21808]: Spam Checks: Starting
Sep 14 10:12:00 balin MailScanner[21808]: RBL checks: 52D0E1008122.AE735
found in spamhaus-ZEN
Sep 14 10:12:00 balin dovecot: pop3-login: Aborted login:
rip=::ffff:84.244.132.155, lip=::ffff:84.244.132.155, TLS
Sep 14 10:12:01 balin postfix/smtpd[21795]: connect from
arwen.waakhond.net[80.69.95.182]
Sep 14 10:12:01 balin postfix/smtpd[21795]: disconnect from
arwen.waakhond.net[80.69.95.182]
Sep 14 10:12:04 balin postfix/smtpd[21795]: connect from
unknown[194.151.25.153]
Sep 14 10:12:04 balin MailScanner[21808]: Message 52D0E1008122.AE735
from 213.211.146.118 (yes1 at erac.com) to sambar.ch is spam, spamhaus-ZEN,
SpamAssassin (not cached, score=13.837, required 3, BAYES_99 3.50,
FH_HELO_EQ_D_D_D_D 0.00, HELO_DYNAMIC_IPADDR2 4.39, RCVD_IN_SORBS_DUL
0.88, RCVD_IN_XBL 3.03, RDNS_NONE 0.10, TVD_RCVD_IP 1.93)
Sep 14 10:12:04 balin MailScanner[21808]: Spam Checks: Found 1 spam messages
Sep 14 10:12:04 balin MailScanner[21808]: Spam Actions: message
52D0E1008122.AE735 actions are spam at barracuda.com,store,forward
Sep 14 10:12:05 balin MailScanner[21808]: Virus and Content Scanning:
Starting
Sep 14 10:12:05 balin postfix/cleanup[21802]: 22A0417E9219:
message-id=<20080914081205.22A0417E9219 at balin.waakhond.net>
Sep 14 10:12:05 balin postfix/qmgr[21777]: 22A0417E9219:
from=<postmaster at vanderkooij.org>, size=273, nrcpt=1 (queue active)
Sep 14 10:12:05 balin postfix/local[21803]: 22A0417E9219:
to=<loopback at loopback.waakhond.net>, relay=local, delay=0.34,
delays=0.24/0/0/0.1, dsn=2.0.0, status=deliverable (delivers to command:
/usr/bin/procmail -Y)
Sep 14 10:12:05 balin postfix/qmgr[21777]: 22A0417E9219: removed
Sep 14 10:12:06 balin postfix/smtpd[22123]: connect from
imss.berk.nl[194.122.140.1]
Sep 14 10:12:07 balin postfix/smtpd[22123]: C25A617E9219:
client=imss.berk.nl[194.122.140.1]
Sep 14 10:12:07 balin postfix/cleanup[21802]: C25A617E9219:
message-id=<194.122.140.4.1221379925 at balin.waakhond.net>
Sep 14 10:12:08 balin postfix/qmgr[21777]: C25A617E9219:
from=<postmaster at waakhond.net>, size=2049, nrcpt=1 (queue active)
Sep 14 10:12:08 balin postfix/smtpd[22123]: disconnect from
imss.berk.nl[194.122.140.1]
Sep 14 10:12:09 balin postfix/local[21803]: C25A617E9219:
to=<loopback at loopback.waakhond.net>, relay=local, delay=2.6,
delays=1.3/0/0/1.3, dsn=2.0.0, status=sent (delivered to command:
/usr/bin/procmail -Y)
Sep 14 10:12:09 balin postfix/qmgr[21777]: C25A617E9219: removed
Sep 14 10:12:12 balin postfix/smtpd[21795]: BD0F817E9219:
client=unknown[194.151.25.153]
Sep 14 10:12:12 balin postfix/cleanup[21802]: BD0F817E9219:
message-id=<194.151.25.153.1221379924 at balin.waakhond.net>
Sep 14 10:12:12 balin postfix/qmgr[21777]: BD0F817E9219:
from=<postmaster at waakhond.net>, size=1266, nrcpt=1 (queue active)
Sep 14 10:12:12 balin postfix/smtpd[21795]: disconnect from
unknown[194.151.25.153]
Sep 14 10:12:12 balin postfix/local[21803]: BD0F817E9219:
to=<loopback at loopback.waakhond.net>, relay=local, delay=7.7,
delays=7.7/0/0/0.01, dsn=2.0.0, status=sent (delivered to command:
/usr/bin/procmail -Y)
Sep 14 10:12:12 balin postfix/qmgr[21777]: BD0F817E9219: removed
Sep 14 10:12:13 balin MailScanner[21808]: Requeue: 52D0E1008122.AE735 to
DC1CC17E9219
Sep 14 10:12:13 balin postfix/qmgr[21777]: DC1CC17E9219:
from=<yes1 at erac.com>, size=48252, nrcpt=1 (queue active)
Sep 14 10:12:13 balin MailScanner[21808]: Uninfected: Delivered 1 messages
Sep 14 10:12:13 balin MailScanner[21808]: Logging message
52D0E1008122.AE735 to SQL
Sep 14 10:12:15 balin postfix/smtp[22176]: DC1CC17E9219:
to=<spam at barracuda.com>,
relay=barracuda2.barracuda.com[216.129.105.115]:25, delay=154983,
delays=154980/0.01/0.99/1.7, dsn=2.0.0, status=sent (250 Ok: queued as
C6B224ACCE6)
Sep 14 10:12:15 balin postfix/qmgr[21777]: DC1CC17E9219: removed


There are 2 messages logged which did not go through MailScanner during
the handling of this message. But that is how I designed this server and
should not worry anyone.

Hugo.

--
hvdkooij at vanderkooij.org               http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

	A: Yes.
	>Q: Are you sure?
	>>A: Because it reverses the logical flow of conversation.
	>>>Q: Why is top posting frowned upon?

Bored? Click on http://spamornot.org/ and rate those images.

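Added example (not part of the original post, and not MailScanner code): a Python sketch that re-joins wrapped log lines like those above and lists messages whose spam actions include "store" in a batch MailScanner reported as "Uninfected", i.e. the quarantine copies worth re-scanning by hand as the message describes. The function names and the heuristic are assumptions; only log line shapes that appear in the post are matched.

```python
import re

# Constructed sample: lines taken from the log above, archive wrapping kept.
SAMPLE_LOG = """\
Sep 14 10:11:58 balin MailScanner[21808]: New Batch: Scanning 1 messages,
48313 bytes
Sep 14 10:12:04 balin MailScanner[21808]: Spam Actions: message
52D0E1008122.AE735 actions are spam at barracuda.com,store,forward
Sep 14 10:12:05 balin MailScanner[21808]: Virus and Content Scanning:
Starting
Sep 14 10:12:09 balin postfix/qmgr[21777]: C25A617E9219: removed
Sep 14 10:12:13 balin MailScanner[21808]: Requeue: 52D0E1008122.AE735 to
DC1CC17E9219
Sep 14 10:12:13 balin MailScanner[21808]: Uninfected: Delivered 1 messages
"""

STAMP = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")
MS_LINE = re.compile(r"MailScanner\[(\d+)\]: (.*)$")
STORED = re.compile(r"Spam Actions: message (\S+) actions are (.+)$")
REQUEUE = re.compile(r"Requeue: (\S+) to (\S+)")

def unwrap(text):
    """Re-join continuation lines that do not start with a syslog timestamp."""
    out = []
    for line in text.splitlines():
        if STAMP.match(line) or not out:
            out.append(line.rstrip())
        else:
            out[-1] += " " + line.strip()
    return out

def rescan_candidates(text):
    """Messages stored in quarantine whose batch ended as 'Uninfected'."""
    batches, found = {}, []
    for line in unwrap(text):
        m = MS_LINE.search(line)
        if not m:
            continue  # postfix, dovecot etc. are not MailScanner events
        pid, event = m.groups()
        if event.startswith("New Batch:"):
            batches[pid] = {}  # each MailScanner child starts a fresh batch
        batch = batches.setdefault(pid, {})
        if (s := STORED.match(event)) and "store" in s.group(2).split(","):
            batch[s.group(1)] = None  # quarantined; requeue id not yet known
        elif (r := REQUEUE.match(event)) and r.group(1) in batch:
            batch[r.group(1)] = r.group(2)
        elif event.startswith("Uninfected: Delivered"):
            found += [{"message": k, "requeued_as": v} for k, v in batch.items()]
            batches[pid] = {}
    return found
```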

