MailScanner crashing

Curu Wong prinbra at gmail.com
Thu Dec 30 08:36:28 GMT 2010


I encounter such problem before. any Zip archive would cause my MailScanner
to crash. When I run ms  in debug mode, I got this error:
====================================================

Insecure dependency in chmod while running with -T switch at
/usr/share/perl5/Archive/Zip/Member.pm line 490.
============================================================

This was due to a bug in the perl Arhive::Zip module. then I foud a
patch at https://rt.cpan.org/Public/Bug/Display.html?id=61930 .
, after applying that patch, the problem gone. Hope this information useful.

2010/12/30 Johnson, SE <sjohnson at edina.k12.mn.us>

> Ok, I disabled virus checking and I still have the issue.  Any ZIP
> extension causes a crash.  I was also told that .DOCX extensions cause
> the issue but I have no way of testing that...
>
> I would assume that numerous other people would be having this issue if
> it were a bug...
>
> Anyone have any ideas on what is going on with this?
>
> -----Original Message-----
> From: mailscanner-bounces at lists.mailscanner.info
> [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of
> Johnson, SE
> Sent: Wednesday, December 29, 2010 3:11 PM
> To: MailScanner discussion
> Subject: RE: MailScanner crashing
>
> I FINALLY got it to fail (duplicate the issue) on demand.
>
> It seems to have to deal with .ZIP extensions and files that may have
> "double extensions" eg: studentlist.prn.pdf
>
> This is the reply message I get back from the mailscanner:
> Our virus detector failed to completely analyse a message you sent:-
>  To: me at here.com
>  Subject: test with a zip file
>  Date: Wed Dec 29 14:55:32 2010
> Any parts of the message that could not be analysed will not have been
> delivered.
>
> If you are using Microsoft Outlook, we strongly recommend you change
> your outgoing message format from "Rich Text" to "HTML" or "Plain Text".
>
> 1) Click on the "Tools" menu and choose "Options..."
> 2) Go to the "Mail Format" tab
> 3) For message format, select "HTML" or "Plain text"
> 4) Click OK
>
> The virus detector said this about the message:
> Report: Report: MailScanner: Message attempted to kill MailScanner
>
> Is this my CLAMAV causing the issue?
>
> -----Original Message-----
> From: mailscanner-bounces at lists.mailscanner.info
> [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of
> Johnson, SE
> Sent: Wednesday, December 29, 2010 1:38 PM
> To: MailScanner discussion
> Subject: RE: MailScanner crashing
>
> Here's a copy of the whole maillog where the message is processed:
>
> Dec 29 13:23:18 mailfilter MailScanner[21060]: New Batch: Found 6
> messages waiting
>
> Dec 29 13:23:18 mailfilter MailScanner[21060]: New Batch: Scanning 1
> messages, 622326 bytes
>
> Dec 29 13:23:19 mailfilter MailScanner[21060]: Sender Warnings:
> Delivered 1 warnings to virus senders
>
> Dec 29 13:23:19 mailfilter MailScanner[21060]: Notices: Warned about 1
> messages
>
> Dec 29 13:23:19 mailfilter MailScanner[21060]: Deleted 1 messages from
> processing-database
>
> Dec 29 13:23:19 mailfilter MailScanner[21060]: Logging message
> 1B40140A9A.AEEAC to SQL
>
> Dec 29 13:23:19 mailfilter MailScanner[21060]: New Batch: Found 6
> messages waiting
>
> Dec 29 13:23:19 mailfilter MailScanner[21060]: New Batch: Scanning 1
> messages, 2120 bytes
>
> Dec 29 13:23:19 mailfilter MailScanner[21060]: Virus and Content
> Scanning: Starting
>
> Dec 29 13:23:20 mailfilter MailScanner[21060]: Requeue: 2196B40A9A.A4045
> to E75AE4115A
>
> Dec 29 13:23:20 mailfilter MailScanner[21060]: Uninfected: Delivered 1
> messages
>
> Dec 29 13:23:20 mailfilter MailScanner[21060]: Deleted 1 messages from
> processing-database
>
> Dec 29 13:23:20 mailfilter MailScanner[21060]: Logging message
> 2196B40A9A.A4045 to SQL
>
> Dec 29 13:23:32 mailfilter MailScanner[21060]: Warning: skipping message
> 1EB5340A9B.AF498 as it has been attempted too many times
>
> Dec 29 13:23:32 mailfilter MailScanner[21060]: Quarantined message
> 1EB5340A9B.AF498 as it caused MailScanner to crash several times
>
> Dec 29 13:23:32 mailfilter MailScanner[21060]: Saved entire message to
> /var/spool/MailScanner/quarantine/20101229/1EB5340A9B.AF498
>
>
> -----Original Message-----
> From: mailscanner-bounces at lists.mailscanner.info
> [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of
> Johnson, SE
> Sent: Wednesday, December 29, 2010 1:30 PM
> To: MailScanner discussion
> Subject: RE: MailScanner crashing
>
> Oh, version 4.81.4
>
> Its running on Red Hat core 13 (on a VM server), processor is 1.76ghz
> 2gb ram and about 200gb HD space.
> [root at mailfilter ~]# MailScanner --version
> Running on
> Linux mailfilter 2.6.34.7-66.fc13.x86_64 #1 SMP Wed Dec 15 07:04:30 UTC
> 2010 x86_64 x86_64 x86_64 GNU/Linux
> This is Fedora release 13 (Goddard)
> This is Perl version 5.010001 (5.10.1)
>
> This is MailScanner version 4.81.4
> Module versions are:
> 1.00    AnyDBM_File
> 1.30    Archive::Zip
> 0.23    bignum
> 1.11    Carp
> 2.03    Compress::Zlib
> 1.119   Convert::BinHex
> 0.17    Convert::TNEF
> 2.124   Data::Dumper
> 2.30    Date::Parse
> 1.03    DirHandle
> 1.06    Fcntl
> 2.77    File::Basename
> 2.14    File::Copy
> 2.02    FileHandle
> 2.08    File::Path
> 0.22    File::Temp
> 0.92    Filesys::Df
> 3.68    HTML::Entities
> 3.68    HTML::Parser
> 3.57    HTML::TokeParser
> 1.25    IO
> 1.14    IO::File
> 1.13    IO::Pipe
> 2.06    Mail::Header
> 1.89    Math::BigInt
> 0.22    Math::BigRat
> 3.08    MIME::Base64
> 5.428   MIME::Decoder
> 5.428   MIME::Decoder::UU
> 5.428   MIME::Head
> 5.428   MIME::Parser
> 3.08    MIME::QuotedPrint
> 5.428   MIME::Tools
> 0.13    Net::CIDR
> 1.25    Net::IP
> 0.19    OLE::Storage_Lite
> 1.04    Pod::Escapes
> 3.07    Pod::Simple
> 1.17    POSIX
> 1.21    Scalar::Util
> 1.82    Socket
> 2.20    Storable
> 1.4     Sys::Hostname::Long
> 0.27    Sys::Syslog
> 1.44    Test::Pod
> 0.94    Test::Simple
> 1.9719  Time::HiRes
> 1.02    Time::localtime
>
> Optional module versions are:
> 1.62    Archive::Tar
> 0.23    bignum
> 2.05    Business::ISBN
> 20081208        Business::ISBN::Data
> 1.19    Data::Dump
> 1.82    DB_File
> 1.29    DBD::SQLite
> 1.609   DBI
> 1.16    Digest
> 1.02    Digest::HMAC
> 2.39    Digest::MD5
> 2.12    Digest::SHA1
> 1.01    Encode::Detect
> 0.17016 Error
> 0.2802  ExtUtils::CBuilder
> 2.2206  ExtUtils::ParseXS
> 2.38    Getopt::Long
> 0.46    Inline
> 1.08    IO::String
> 1.10    IO::Zlib
> 2.27    IP::Country
> 0.29    Mail::ClamAV
> 3.003001        Mail::SpamAssassin
> v2.006  Mail::SPF
> missing Mail::SPF::Query
> 0.3607  Module::Build
> 0.21    Net::CIDR::Lite
> 0.65    Net::DNS
> v0.003  Net::DNS::Resolver::Programmable
> 0.4001  Net::LDAP
>  4.027  NetAddr::IP
> 1.965001        Parse::RecDescent
> missing SAVI
> 3.17    Test::Harness
> 1.23    Test::Manifest
> 2.0.0   Text::Balanced
> 1.54    URI
> 0.82    version
> 0.72    YAML
>
> -----Original Message-----
> From: mailscanner-bounces at lists.mailscanner.info
> [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of
> Johnson, SE
> Sent: Wednesday, December 29, 2010 12:14 PM
> To: MailScanner discussion
> Subject: RE: MailScanner crashing
>
> Update on that error...
>
> I let the
>  MailScanner --debug ID=[messageid]
> run over night and it came back to a prompt with no errors.  However,
> I'm not sure if the message was ultimately delivered.
>
> The crash is happening at the rate of about 2 / hour and the vast
> majority of messages are legitimate which is not good...
>
> Any ideas on what's going?  I could really use some assistance on this
> problem...
>
> Oh one more thing I noticed.  I'm not 100% sure if this is true on all
> messages stopped, but it appears that they are HTML emails around 35-50k
> in size.
>
> I took the body of one of those emails and sent it from my outside email
> account and it worked just fine.
>
> Thanks!
>
> -----Original Message-----
> From: mailscanner-bounces at lists.mailscanner.info
> [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of
> Johnson, SE
> Sent: Tuesday, December 28, 2010 3:58 PM
> To: mailscanner at lists.mailscanner.info
> Subject: MailScanner crashing
>
> I've seen a few posts out there but no one with my exact issue...
>
> Periodically I'm getting the message similar to this in my logs:
>
> Dec 28 13:27:30 mailfilter MailScanner[27222]: Making attempt 2 at
> processing message 872F6416F2.ACB5B
> Dec 28 13:36:32 mailfilter MailScanner[27229]: Making attempt 3 at
> processing message 872F6416F2.ACB5B
> Dec 28 13:41:45 mailfilter MailScanner[30951]: Making attempt 4 at
> processing message 872F6416F2.ACB5B
> Dec 28 13:44:27 mailfilter MailScanner[31782]: Making attempt 5 at
> processing message 872F6416F2.ACB5B
> Dec 28 13:51:32 mailfilter MailScanner[1250]: Making attempt 6 at
> processing message 872F6416F2.ACB5B
> Dec 28 13:51:39 mailfilter MailScanner[1290]: Warning: skipping message
> 872F6416F2.ACB5B as it has been attempted too many times
> Dec 28 13:51:39 mailfilter MailScanner[1290]: Quarantined message
> 872F6416F2.ACB5B as it caused MailScanner to crash several times
> Dec 28 13:51:39 mailfilter MailScanner[1290]: Saved entire message to
> /var/spool/MailScanner/quarantine/20101228/872F6416F2.ACB5B
> Dec 28 13:52:36 mailfilter MailScanner[1290]: Logging message
> 872F6416F2.ACB5B to SQL
>
> I didn't think much of it at first until I realized in the MailWatch
> program that many of these messages were legitimate.
>
> I tried MailScanner --lint which came up clean
> spamassassin --lint is clean as well
>
> I then tried to reprocess one of the messages in the queue with:
> MailScanner --debug --ID=[messageid]
> (while I was in the quarantine dir)
>
> The program starts to process it I got
>
> In Debugging mode, not forking...
> Trying to setlogsock(unix)
> Building a message batch to scan...
>
> But it never seems to go past this... I let it sit for over an hour and
> it never came back...
>
> I then found a reference to debug-sa... I ran MailScanner --debug
> --debug-sa and got:
> 15:54:34 Building a message batch to scan...
> (long pause)
> Then I get the final output with no issues being reported.
>
> Does anyone know what I can do to find my issue?
> Thanks!
>  Scott
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20101230/866b1814/attachment.html


More information about the MailScanner mailing list