ClamAV only scanning message headers

Glenn Steen glenn.steen at gmail.com
Thu Oct 15 20:48:15 IST 2009


2009/10/15 Jared Bater <mailscanner_list at phisch.ca>:
> Thanks. I have reviewed the performance tips for MailScanner, and our system
> is extremely well optimized. We can easily push 500K messages/day through
> Mailscanner/Spamassassin, in addition to the several million that we drop at
> the MTA with DNSBLs.
>
Cool.
>
> The problem is that clamdscan does get properly called from
clamdscan? Why on earth don't you use the clamd perl interface? It'd
save you the fork overhead and still give the benefit of clamd (memory
footprint, ease of updating etc).

> /opt/MailScanner/lib/clamav-wrapper (actually, a slightly modified version
> of it to call clamdscan rather than clamscan).  The problem is that only the
> message headers make it into my 'Incoming Work Dir', which is set to /tmp.

Why? To get some type of tmpfs? Why not make that a subdir, like
/tmp/MSin? Oh well. No matter.

>
> Here's what clamd writes out in its log, which shows that only headers are
> being scanned:
> +++ Started at Thu Oct 15 11:15:29 2009
> clamd daemon 0.95.2 (OS: solaris2.8, ARCH: sparc, CPU: sparc)
> Log file size limited to 2097152 bytes.
> Reading databases from /var/opt/csw/clamav/db
> Not loading PUA signatures.
> Loaded 1174218 signatures.
> LOCAL: Unix socket file /tmp/clamd.socket
> LOCAL: Setting connection queue length to 15
> Limits: Global size limit set to 104857600 bytes.
> Limits: File size limit set to 26214400 bytes.
> Limits: Recursion level limit set to 16.
> Limits: Files limit set to 10000.
> Archive support enabled.
> Algorithmic detection enabled.
> Portable Executable support enabled.
> ELF support enabled.
> Mail files support enabled.
> OLE2 support enabled.
> PDF support enabled.
> HTML support enabled.
> Self checking every 600 seconds.
> /tmp/13100/8779FCC5E3.7CB46.header: OK
> /tmp/13100/87806CC5E4.586C4.header: OK
> /tmp/9684/ED86FCC5F6.81C14.header: OK
> /tmp/497/90E90CC5FD.57D06.header: OK
> /tmp/4328/A46FDCC5D7.7A0E6.header: OK
> /tmp/13100/B78E6CC605.48C0A.header: OK
> /tmp/3599/7F3A9CC5B8.8843E.header: OK
>   <etc, etc, etc>
>
> What would cause only the headers to be extracted?    Is there any way to
> debug MS to figure out what's going wrong with the interaction with
> Clamdscan?

Yeah sure, just futz away at the code:-). Then run it in debug
(MailScanner --debug)... Perhaps do it on a testbed, just in case you
break something;-)

All message headers are extracted to these files, yes, and they should
be cleaned up, sooner or later. If nothing else, it'd be at child
demise:-). There used to be a bug in some rather old version (a few
years back), IIRC, that made these pile up... Had to do with the
entropy added to the queue filename, or more specifically to the "."
separating the queue file id and the entropy.
What version of MS do you run? Not too old, I hope;). If you use the
debian package from them... it'll be very old, but I don't think even
that could be so old as to display that particular error:-D.

>
> Spamassassin has no troubles at all, by the way.
>
>
> Any help and/or guidance is greatly appreciated.
>
> Jared
>
>
>
>
> #./MailScanner  -v
> Running on
> SunOS <snip>  sun4v sparc SUNW,SPARC-Enterprise-T5220
> This is Perl version 5.008008 (5.8.8)
>
> This is MailScanner version 4.56.8

Oh. Dear me, do an upgrade ASAP.
This also explains why you're not using the clamd interface... It
simply wasn't present in this old beast.

This particular one is more than three years old. Since Spam/Virus
fighting isn't static in nature (due to the crap morphing
continually), one simply can't use old tools and expect to get the
best from them.

Cheers
-- 
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se
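
A quick way to confirm from the clamd log whether anything other than the `.header` files is being scanned, as an added example that is not part of the original post or of MailScanner. The sample log is constructed in the format quoted above; its last two file names and the signature name are invented, and `summarize` is a hypothetical helper.

```python
import re
from collections import Counter

# Constructed sample in the format of the clamd log quoted above; the last
# two lines are invented to show what body/attachment results would look like.
SAMPLE_LOG = """\
Self checking every 600 seconds.
/tmp/13100/8779FCC5E3.7CB46.header: OK
/tmp/13100/87806CC5E4.586C4.header: OK
/tmp/9684/ED86FCC5F6.81C14.header: OK
/tmp/497/90E90CC5FD.57D06/msg-497-1.txt: OK
/tmp/497/90E90CC5FD.57D06/invoice.zip: Constructed.Test.Signature FOUND
"""

# clamd result line: "<path>: OK" or "<path>: <signature> FOUND"
RESULT = re.compile(r"^(?P<path>/.+?): (?:OK|(?P<sig>\S+) FOUND)$")


def summarize(log_text, work_dir="/tmp"):
    """Count scanned .header files versus everything else under work_dir."""
    prefix = work_dir.rstrip("/") + "/"
    counts = Counter()
    found = []
    for line in log_text.splitlines():
        m = RESULT.match(line.strip())
        if not m or not m["path"].startswith(prefix):
            continue  # startup banner, limits, or paths outside the work dir
        kind = "header" if m["path"].endswith(".header") else "other"
        counts[kind] += 1
        if m["sig"]:
            found.append((m["path"], m["sig"]))
    return {
        "header": counts["header"],
        "other": counts["other"],
        # True means clamd only ever saw header files, as in the log above
        "headers_only": counts["header"] > 0 and counts["other"] == 0,
        "found": found,
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Run it against the real clamd log text with `work_dir` set to the configured Incoming Work Dir; `headers_only` staying true over a busy period matches the symptom described in the quoted message.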

