MailScanner crashing
Curu Wong
prinbra at gmail.com
Thu Dec 30 08:36:28 GMT 2010
I encounter such problem before. any Zip archive would cause my MailScanner
to crash. When I run ms in debug mode, I got this error:
====================================================
Insecure dependency in chmod while running with -T switch at
/usr/share/perl5/Archive/Zip/Member.pm line 490.
============================================================
This was due to a bug in the perl Arhive::Zip module. then I foud a
patch at https://rt.cpan.org/Public/Bug/Display.html?id=61930 .
, after applying that patch, the problem gone. Hope this information useful.
2010/12/30 Johnson, SE <sjohnson at edina.k12.mn.us>
> Ok, I disabled virus checking and I still have the issue. Any ZIP
> extension causes a crash. I was also told that .DOCX extensions cause
> the issue but I have no way of testing that...
>
> I would assume that numerous other people would be having this issue if
> it were a bug...
>
> Anyone have any ideas on what is going on with this?
>
> -----Original Message-----
> From: mailscanner-bounces at lists.mailscanner.info
> [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of
> Johnson, SE
> Sent: Wednesday, December 29, 2010 3:11 PM
> To: MailScanner discussion
> Subject: RE: MailScanner crashing
>
> I FINALLY got it to fail (duplicate the issue) on demand.
>
> It seems to have to deal with .ZIP extensions and files that may have
> "double extensions" eg: studentlist.prn.pdf
>
> This is the reply message I get back from the mailscanner:
> Our virus detector failed to completely analyse a message you sent:-
> To: me at here.com
> Subject: test with a zip file
> Date: Wed Dec 29 14:55:32 2010
> Any parts of the message that could not be analysed will not have been
> delivered.
>
> If you are using Microsoft Outlook, we strongly recommend you change
> your outgoing message format from "Rich Text" to "HTML" or "Plain Text".
>
> 1) Click on the "Tools" menu and choose "Options..."
> 2) Go to the "Mail Format" tab
> 3) For message format, select "HTML" or "Plain text"
> 4) Click OK
>
> The virus detector said this about the message:
> Report: Report: MailScanner: Message attempted to kill MailScanner
>
> Is this my CLAMAV causing the issue?
>
> -----Original Message-----
> From: mailscanner-bounces at lists.mailscanner.info
> [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of
> Johnson, SE
> Sent: Wednesday, December 29, 2010 1:38 PM
> To: MailScanner discussion
> Subject: RE: MailScanner crashing
>
> Here's a copy of the whole maillog where the message is processed:
>
> Dec 29 13:23:18 mailfilter MailScanner[21060]: New Batch: Found 6
> messages waiting
>
> Dec 29 13:23:18 mailfilter MailScanner[21060]: New Batch: Scanning 1
> messages, 622326 bytes
>
> Dec 29 13:23:19 mailfilter MailScanner[21060]: Sender Warnings:
> Delivered 1 warnings to virus senders
>
> Dec 29 13:23:19 mailfilter MailScanner[21060]: Notices: Warned about 1
> messages
>
> Dec 29 13:23:19 mailfilter MailScanner[21060]: Deleted 1 messages from
> processing-database
>
> Dec 29 13:23:19 mailfilter MailScanner[21060]: Logging message
> 1B40140A9A.AEEAC to SQL
>
> Dec 29 13:23:19 mailfilter MailScanner[21060]: New Batch: Found 6
> messages waiting
>
> Dec 29 13:23:19 mailfilter MailScanner[21060]: New Batch: Scanning 1
> messages, 2120 bytes
>
> Dec 29 13:23:19 mailfilter MailScanner[21060]: Virus and Content
> Scanning: Starting
>
> Dec 29 13:23:20 mailfilter MailScanner[21060]: Requeue: 2196B40A9A.A4045
> to E75AE4115A
>
> Dec 29 13:23:20 mailfilter MailScanner[21060]: Uninfected: Delivered 1
> messages
>
> Dec 29 13:23:20 mailfilter MailScanner[21060]: Deleted 1 messages from
> processing-database
>
> Dec 29 13:23:20 mailfilter MailScanner[21060]: Logging message
> 2196B40A9A.A4045 to SQL
>
> Dec 29 13:23:32 mailfilter MailScanner[21060]: Warning: skipping message
> 1EB5340A9B.AF498 as it has been attempted too many times
>
> Dec 29 13:23:32 mailfilter MailScanner[21060]: Quarantined message
> 1EB5340A9B.AF498 as it caused MailScanner to crash several times
>
> Dec 29 13:23:32 mailfilter MailScanner[21060]: Saved entire message to
> /var/spool/MailScanner/quarantine/20101229/1EB5340A9B.AF498
>
>
> -----Original Message-----
> From: mailscanner-bounces at lists.mailscanner.info
> [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of
> Johnson, SE
> Sent: Wednesday, December 29, 2010 1:30 PM
> To: MailScanner discussion
> Subject: RE: MailScanner crashing
>
> Oh, version 4.81.4
>
> Its running on Red Hat core 13 (on a VM server), processor is 1.76ghz
> 2gb ram and about 200gb HD space.
> [root at mailfilter ~]# MailScanner --version
> Running on
> Linux mailfilter 2.6.34.7-66.fc13.x86_64 #1 SMP Wed Dec 15 07:04:30 UTC
> 2010 x86_64 x86_64 x86_64 GNU/Linux
> This is Fedora release 13 (Goddard)
> This is Perl version 5.010001 (5.10.1)
>
> This is MailScanner version 4.81.4
> Module versions are:
> 1.00 AnyDBM_File
> 1.30 Archive::Zip
> 0.23 bignum
> 1.11 Carp
> 2.03 Compress::Zlib
> 1.119 Convert::BinHex
> 0.17 Convert::TNEF
> 2.124 Data::Dumper
> 2.30 Date::Parse
> 1.03 DirHandle
> 1.06 Fcntl
> 2.77 File::Basename
> 2.14 File::Copy
> 2.02 FileHandle
> 2.08 File::Path
> 0.22 File::Temp
> 0.92 Filesys::Df
> 3.68 HTML::Entities
> 3.68 HTML::Parser
> 3.57 HTML::TokeParser
> 1.25 IO
> 1.14 IO::File
> 1.13 IO::Pipe
> 2.06 Mail::Header
> 1.89 Math::BigInt
> 0.22 Math::BigRat
> 3.08 MIME::Base64
> 5.428 MIME::Decoder
> 5.428 MIME::Decoder::UU
> 5.428 MIME::Head
> 5.428 MIME::Parser
> 3.08 MIME::QuotedPrint
> 5.428 MIME::Tools
> 0.13 Net::CIDR
> 1.25 Net::IP
> 0.19 OLE::Storage_Lite
> 1.04 Pod::Escapes
> 3.07 Pod::Simple
> 1.17 POSIX
> 1.21 Scalar::Util
> 1.82 Socket
> 2.20 Storable
> 1.4 Sys::Hostname::Long
> 0.27 Sys::Syslog
> 1.44 Test::Pod
> 0.94 Test::Simple
> 1.9719 Time::HiRes
> 1.02 Time::localtime
>
> Optional module versions are:
> 1.62 Archive::Tar
> 0.23 bignum
> 2.05 Business::ISBN
> 20081208 Business::ISBN::Data
> 1.19 Data::Dump
> 1.82 DB_File
> 1.29 DBD::SQLite
> 1.609 DBI
> 1.16 Digest
> 1.02 Digest::HMAC
> 2.39 Digest::MD5
> 2.12 Digest::SHA1
> 1.01 Encode::Detect
> 0.17016 Error
> 0.2802 ExtUtils::CBuilder
> 2.2206 ExtUtils::ParseXS
> 2.38 Getopt::Long
> 0.46 Inline
> 1.08 IO::String
> 1.10 IO::Zlib
> 2.27 IP::Country
> 0.29 Mail::ClamAV
> 3.003001 Mail::SpamAssassin
> v2.006 Mail::SPF
> missing Mail::SPF::Query
> 0.3607 Module::Build
> 0.21 Net::CIDR::Lite
> 0.65 Net::DNS
> v0.003 Net::DNS::Resolver::Programmable
> 0.4001 Net::LDAP
> 4.027 NetAddr::IP
> 1.965001 Parse::RecDescent
> missing SAVI
> 3.17 Test::Harness
> 1.23 Test::Manifest
> 2.0.0 Text::Balanced
> 1.54 URI
> 0.82 version
> 0.72 YAML
>
> -----Original Message-----
> From: mailscanner-bounces at lists.mailscanner.info
> [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of
> Johnson, SE
> Sent: Wednesday, December 29, 2010 12:14 PM
> To: MailScanner discussion
> Subject: RE: MailScanner crashing
>
> Update on that error...
>
> I let the
> MailScanner --debug ID=[messageid]
> run over night and it came back to a prompt with no errors. However,
> I'm not sure if the message was ultimately delivered.
>
> The crash is happening at the rate of about 2 / hour and the vast
> majority of messages are legitimate which is not good...
>
> Any ideas on what's going? I could really use some assistance on this
> problem...
>
> Oh one more thing I noticed. I'm not 100% sure if this is true on all
> messages stopped, but it appears that they are HTML emails around 35-50k
> in size.
>
> I took the body of one of those emails and sent it from my outside email
> account and it worked just fine.
>
> Thanks!
>
> -----Original Message-----
> From: mailscanner-bounces at lists.mailscanner.info
> [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of
> Johnson, SE
> Sent: Tuesday, December 28, 2010 3:58 PM
> To: mailscanner at lists.mailscanner.info
> Subject: MailScanner crashing
>
> I've seen a few posts out there but no one with my exact issue...
>
> Periodically I'm getting the message similar to this in my logs:
>
> Dec 28 13:27:30 mailfilter MailScanner[27222]: Making attempt 2 at
> processing message 872F6416F2.ACB5B
> Dec 28 13:36:32 mailfilter MailScanner[27229]: Making attempt 3 at
> processing message 872F6416F2.ACB5B
> Dec 28 13:41:45 mailfilter MailScanner[30951]: Making attempt 4 at
> processing message 872F6416F2.ACB5B
> Dec 28 13:44:27 mailfilter MailScanner[31782]: Making attempt 5 at
> processing message 872F6416F2.ACB5B
> Dec 28 13:51:32 mailfilter MailScanner[1250]: Making attempt 6 at
> processing message 872F6416F2.ACB5B
> Dec 28 13:51:39 mailfilter MailScanner[1290]: Warning: skipping message
> 872F6416F2.ACB5B as it has been attempted too many times
> Dec 28 13:51:39 mailfilter MailScanner[1290]: Quarantined message
> 872F6416F2.ACB5B as it caused MailScanner to crash several times
> Dec 28 13:51:39 mailfilter MailScanner[1290]: Saved entire message to
> /var/spool/MailScanner/quarantine/20101228/872F6416F2.ACB5B
> Dec 28 13:52:36 mailfilter MailScanner[1290]: Logging message
> 872F6416F2.ACB5B to SQL
>
> I didn't think much of it at first until I realized in the MailWatch
> program that many of these messages were legitimate.
>
> I tried MailScanner --lint which came up clean
> spamassassin --lint is clean as well
>
> I then tried to reprocess one of the messages in the queue with:
> MailScanner --debug --ID=[messageid]
> (while I was in the quarantine dir)
>
> The program starts to process it I got
>
> In Debugging mode, not forking...
> Trying to setlogsock(unix)
> Building a message batch to scan...
>
> But it never seems to go past this... I let it sit for over an hour and
> it never came back...
>
> I then found a reference to debug-sa... I ran MailScanner --debug
> --debug-sa and got:
> 15:54:34 Building a message batch to scan...
> (long pause)
> Then I get the final output with no issues being reported.
>
> Does anyone know what I can do to find my issue?
> Thanks!
> Scott
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20101230/866b1814/attachment.html
More information about the MailScanner
mailing list