Apple iWork document cause mailscanner to crash

Curu Wong prinbra at gmail.com
Mon Dec 6 07:48:06 GMT 2010


I run MS in debug mode, and get this output:
---------------------------------------------------------------------------------------------------------------------------------------------
Insecure dependency in chmod while running with -T switch at
/usr/share/perl5/Archive/Zip/Member.pm line 490.
---------------------------------------------------------------------------------------------------------------------------------------------

This is the famous Perl tainting problem. I found a patch for the Perl module
Archive::Zip v 1.30 on https://rt.cpan.org/Public/Bug/Display.html?id=61930.
In fact, not only can the .pages document cause my MS to crash; all other
zip archives will cause the crash without this patch applied. My Perl
version here is v5.10.1.

2010/12/6 Curu Wong <prinbra at gmail.com>

> One of our clients sent us an email containing an Apple iWork file (with a
> .pages suffix) as an attachment, which caused MailScanner to crash several
> times. After that, I extracted that .pages attachment and sent it using
> another email. It caused MailScanner to crash again. So I believe it's the
> attachment that caused MailScanner to die.
> Can anyone please give a hand on fixing this? Or, is there a way to debug
> MailScanner so that I can know what it is doing when it crashes? Many thanks!
>
> Here is the message from maillog when MS hung.
>
> ----------------------------------------------------------------------------------------------------------------------------------------------
> Dec  6 12:28:26 spamsnake MailScanner[4362]: New Batch: Scanning 1
> messages, 206434 bytes
> Dec  6 12:28:26 spamsnake MailScanner[4396]: MailScanner E-Mail Virus
> Scanner version 4.81.4 starting...
> Dec  6 12:28:26 spamsnake MailScanner[4396]: Reading configuration file
> /opt/MailScanner/etc/MailScanner.conf
> Dec  6 12:28:26 spamsnake MailScanner[4396]: Reading configuration file
> /opt/MailScanner/etc/conf.d/README
> Dec  6 12:28:26 spamsnake MailScanner[4396]: Read 865 hostnames from the
> phishing whitelist
> Dec  6 12:28:26 spamsnake MailScanner[4396]: Read 5278 hostnames from the
> phishing blacklists
> Dec  6 12:28:26 spamsnake MailScanner[4396]: Config: calling custom init
> function SQLBlacklist
> Dec  6 12:28:26 spamsnake MailScanner[4396]: Starting up SQL Blacklist
> Dec  6 12:28:26 spamsnake MailScanner[4396]: Read 0 blacklist entries
> Dec  6 12:28:26 spamsnake MailScanner[4396]: Config: calling custom init
> function MailWatchLogging
> Dec  6 12:28:26 spamsnake MailScanner[4396]: Started SQL Logging child
> Dec  6 12:28:26 spamsnake MailScanner[4396]: Config: calling custom init
> function SQLWhitelist
> Dec  6 12:28:26 spamsnake MailScanner[4396]: Starting up SQL Whitelist
> Dec  6 12:28:26 spamsnake MailScanner[4396]: Read 0 whitelist entries
> Dec  6 12:28:26 spamsnake MailScanner[4396]: Using SpamAssassin results
> cache
> Dec  6 12:28:26 spamsnake MailScanner[4396]: Connected to SpamAssassin
> cache database
> Dec  6 12:28:26 spamsnake MailScanner[4396]: Enabling SpamAssassin
> auto-whitelist functionality...
> Dec  6 12:28:30 spamsnake MailScanner[4396]: Connected to Processing
> Attempts Database
> Dec  6 12:28:30 spamsnake MailScanner[4396]: Found 2 messages in the
> Processing Attempts Database
> Dec  6 12:28:30 spamsnake MailScanner[4396]: Using locktype = flock
>
> --------------------------------------------------------------------------------------------------------------------------------------------------------------
> It will repeat several times until MS finally gives up delivering that
> message.
>
> Also, when MS hung, I got the following error message in /var/log/messages
>
> -----------------------------------------------------------------------------------------------------------------------------
> Dec  6 12:28:26 spamsnake MailScanner: Process did not exit cleanly,
> returned 9 with signal 0
> Dec  6 12:32:21 spamsnake MailScanner: Process did not exit cleanly,
> returned 9 with signal 0
> Dec  6 12:36:12 spamsnake MailScanner: Process did not exit cleanly,
> returned 9 with signal 0
>
> -----------------------------------------------------------------------------------------------------------------------------
>
> and the output of ps command is:
>
> -----------------------------------------------------------------------------------------------------------------------------
> postfix   4322  0.0  3.4 105784 35580 ?        Ss   12:27   0:00
> MailScanner: starting child
> postfix   4323  1.0 10.0 223676 102832 ?       S    12:27   0:01
> MailScanner: waiting for messages
> postfix   4335  1.0 10.0 223620 102828 ?       S    12:27   0:01
> MailScanner: waiting for messages
> postfix   4344  1.0 10.0 223620 102828 ?       S    12:27   0:01
> MailScanner: waiting for messages
> postfix   4353  1.1 10.0 223676 102828 ?       S    12:27   0:01
> MailScanner: waiting for messages
> postfix   4396  2.1 10.0 223688 102844 ?       S    12:28   0:01
> MailScanner: waiting for messages
>
> -----------------------------------------------------------------------------------------------------------------------------
>
> and MailScanner --lint didn't show any error message.
>
> Because that .pages file contains sensitive information, I am sorry that
> I couldn't upload it here.
>
> I run MS v 4.81.4 with SpamAssassin 3.3.1 and ClamAV 0.96.3 on Ubuntu
> 10.04 LTS.
>
>
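
The error quoted above, reproduced in isolation as an added example (not part of the original post and not the Archive::Zip patch): under `-T`, a permission value read from file input cannot reach `chmod` until it has been validated through a regex capture. The script name `taint_demo.pl`, the scratch file `taint_demo.tmp` and the `__DATA__` line are constructed for illustration.

```perl
#!/usr/bin/perl -T
# Run as: perl -T taint_demo.pl   (the file name is hypothetical)
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Constructed input: a permission string read from a file handle, standing in
# for attributes stored inside an archive. All file input is tainted under -T.
chomp(my $raw_mode = <DATA>);
print "mode from input is ", (tainted($raw_mode) ? "tainted" : "clean"), "\n";

# Scratch file with a constant (untainted) name in the current directory.
my $target = 'taint_demo.tmp';
open(my $fh, '>', $target) or die "cannot create $target: $!";
close($fh);

# 1. Passing the tainted value straight to chmod makes Perl abort the call
#    with "Insecure dependency in chmod while running with -T switch".
my $ok = eval { chmod(oct($raw_mode), $target); 1 };
print "direct chmod: ", ($ok ? "allowed\n" : "died: $@");

# 2. Validate against a strict pattern; a regex capture yields untainted data.
#    Exactly three octal digits also rules out setuid/setgid/sticky bits.
if (my ($digits) = $raw_mode =~ /\A0?([0-7]{3})\z/) {
    chmod(oct($digits), $target) or die "chmod failed: $!";
    printf "validated chmod: mode now %04o\n", (stat $target)[2] & 07777;
} else {
    print "rejected malformed mode\n";
}

unlink($target);

__DATA__
0644
```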