Potential incompatibility between MailScanner and avg8

Eliott eliott100 at gmail.com
Tue Jan 26 13:39:23 GMT 2010


Sorry, it took a while, I wasn't in.
Same output both ways
[root at localhost ~]# env - /usr/sbin/check_mailscanner
MailScanner running with pid 4720 19671 19673

How can it be terminal related?

regards
Eliott
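
In the log excerpt quoted further down, the "Infected message" line carries the queue ID with `ESC[2K` (the terminal erase-line sequence) in front of it, and the same MailScanner child then logs "Uninfected: Delivered 1 messages". The following is an added example, not part of the original posts and not MailScanner's code: it strips such control sequences and flags batches that show this pattern. The log lines are re-joined from the excerpt on this page; the clean batch and all function names are constructed for illustration.

```python
import re

# ECMA-48 CSI sequence: ESC '[' parameter bytes, intermediate bytes, final byte.
# The three letters "ESC" are accepted too, because pagers and mail archives
# often print byte 0x1b that way (as in the excerpt on this page). Assumption:
# a genuine queue ID never contains the literal text "ESC[".
CSI = re.compile(r"(?:\x1b|ESC)\[[0-?]*[ -/]*[@-~]")

FOUND = re.compile(r"MailScanner\[(\d+)\]: Virus Scanning: \w+ found (\d+) infections")
INFECTED = re.compile(r"MailScanner\[(\d+)\]: Infected message (\S+) came from")
DELIVERED = re.compile(r"MailScanner\[(\d+)\]: Uninfected: Delivered (\d+) messages")


def strip_csi(text):
    """Remove terminal control sequences from a string."""
    return CSI.sub("", text)


def audit(lines):
    """Flag batches where a scanner hit carries a control-sequence-tainted
    message ID and the same MailScanner child then delivers mail as uninfected."""
    open_batches = {}  # pid -> {"hits": int, "tainted": [(raw, clean), ...]}
    findings = []
    for line in lines:
        m = FOUND.search(line)
        if m:
            open_batches[m.group(1)] = {"hits": int(m.group(2)), "tainted": []}
            continue
        m = INFECTED.search(line)
        if m and m.group(1) in open_batches:
            raw = m.group(2)
            clean = strip_csi(raw)
            if clean != raw:
                open_batches[m.group(1)]["tainted"].append((raw, clean))
            continue
        m = DELIVERED.search(line)
        if m and m.group(1) in open_batches:
            batch = open_batches.pop(m.group(1))
            if batch["hits"] and batch["tainted"]:
                findings.append({
                    "pid": m.group(1),
                    "infections": batch["hits"],
                    "delivered": int(m.group(2)),
                    "ids": batch["tainted"],
                })
    return findings


# Log lines from this page, with the mail line-wrapping undone.
PAGE_LOG = [
    "Jan 18 15:47:23 localhost MailScanner[4725]: New Batch: Scanning 1 messages, 1338 bytes",
    "Jan 18 15:47:23 localhost MailScanner[4725]: Virus and Content Scanning: Starting",
    "Jan 18 15:47:23 localhost MailScanner[4725]: Avg: Virus identified EICAR_Test in eicar.txt",
    "Jan 18 15:47:23 localhost MailScanner[4725]: Virus Scanning: Avg found 1 infections",
    "Jan 18 15:47:23 localhost MailScanner[4725]: Infected message ESC[2Ko0IElNL7004734 came from",
    "Jan 18 15:47:23 localhost MailScanner[4725]: Virus Scanning: Found 1 viruses",
    "Jan 18 15:47:24 localhost MailScanner[4725]: Uninfected: Delivered 1 messages",
]

# Same lines as they would look with the raw 0x1b byte instead of "ESC".
RAW_LOG = [line.replace("ESC", "\x1b") for line in PAGE_LOG]

# Constructed control case: the ID is clean and nothing is delivered.
CLEAN_LOG = [
    "Jan 18 15:50:01 localhost MailScanner[4801]: Virus Scanning: Avg found 1 infections",
    "Jan 18 15:50:01 localhost MailScanner[4801]: Infected message o0IElNL7004735 came from 10.0.20.10",
    "Jan 18 15:50:01 localhost MailScanner[4801]: Virus Scanning: Found 1 viruses",
]

if __name__ == "__main__":
    for finding in audit(PAGE_LOG):
        for raw, clean in finding["ids"]:
            print("pid %s: ID logged as %r, queue ID is %r, %d delivered as uninfected"
                  % (finding["pid"], raw, clean, finding["delivered"]))
```
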

Date: Fri, 22 Jan 2010 14:33:11 +0000
> From: Julian Field
> That looks like a terminal type problem. What happens if you do
> env - /usr/sbin/check_mailscanner
> instead of just
> /usr/sbin/check_mailscanner
> ?
>
>
> On 22/01/2010 12:50, Eliott wrote:
> > Hi!
> >
> > we are about to migrate an old implementation while upgrading all the
> > components and came across a strange problem.
> > With MailScanner  4.78.17 and avg 8.5.288 we see the following log
> > entries:
> > --------------
> > Jan 18 15:47:23 localhost MailScanner[4725]: New Batch: Scanning 1 messages, 1338 bytes
> > Jan 18 15:47:23 localhost MailScanner[4725]: Virus and Content Scanning: Starting
> > Jan 18 15:47:23 localhost MailScanner[4725]: Avg: Virus identified EICAR_Test in eicar.txt
> > Jan 18 15:47:23 localhost MailScanner[4725]: Virus Scanning: Avg found 1 infections
> > Jan 18 15:47:23 localhost MailScanner[4725]: Infected message ESC[2Ko0IElNL7004734 came from
> > Jan 18 15:47:23 localhost MailScanner[4725]: Virus Scanning: Found 1 viruses
> > Jan 18 15:47:24 localhost MailScanner[4725]: Uninfected: Delivered 1 messages
> > Jan 18 15:47:24 localhost MailScanner[4725]: Deleted 1 messages from processing-database
> > smtp2225, pri=120812, relay=[10.0.20.10] [10.0.20.10], dsn=2.0.0,
> > stat=Sent (Message accepted for delivery)
> > ---------------
> > I have checked SweepViruses.pm, but there the output seems to be
> > parsed well. Is this a configuration issue or a bug?
> >
> > Thanks and regards
> > Eliott
> >
> >
> >
>
> Jules
>
> --
> Julian Field MEng CITP CEng
> www.MailScanner.info
> Buy the MailScanner book at www.MailScanner.info/store
>
> Need help customising MailScanner?
> Contact me!
> Need help fixing or optimising your systems?
> Contact me!
> Need help getting you started solving new requirements from your boss?
> Contact me!
>
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
> Follow me at twitter.com/JulesFM and twitter.com/MailScanner
>
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
>
>
>
> ------------------------------
>
> Message: 4
> Date: Fri, 22 Jan 2010 18:17:14 +0200
> From: Lyndon Labuschagne <lyndonl at mexcom.co.za>
> Subject: MailScanner: Message attempted to kill MailScanner
> To: MailScanner discussion <mailscanner at lists.mailscanner.info>
> Message-ID: <FFDBCBA6-2A7D-422D-AD3A-4693840BFB4F at mexcom.co.za>
> Content-Type: text/plain; charset="us-ascii"
>
> Hello All
>
> I hope you can shed some light on the below issue
>
> This is a new install of MailScanner 4.79.5
> FreeBSD 8.0 amd64
> postfix-2.6.5,1
> p5-Mail-SpamAssassin-3.2.5_4
> clamav-0.95.3
>
> All the affected mails seem to have attachments, mail sizes vary most are
> over 200kb but some are only 80kb
> most seem to be word docs both .doc and .docx
> I have turned off OLE scans to see if that was a part of the problem
>
> ClamAVmodule Maximum File Size = 5000000 # (5 Mbytes)
>
> Max Spam Check Size = 40k
> Max SpamAssassin Size = 40k
> Max Custom Spam Scanner Size = 40k
>
>
>
> the Server is a Xeon 2Ghz quad core 4 GB RAM
> it averages about 95% idle with about 2.5GB free RAM although when clamscan
> is running it might drop down to about 80% idle
>
> I can turn on the debug option but its not every mail that has this issue
> its probably 1 out of every 100 to 150 messages. so it might take some time
> to trigger the problem
>
> the below message was 333.6kb
>
> From MailWatch interface:
>
> Subject: removed to protect the innocent
> MIME-Version: 1.0
> Content-Type: multipart/mixed;
>     boundary="----_=_NextPart_001_01CA9B73.4F7F8242"
> Date: Fri, 22 Jan 2010 16:58:08 +0200
> Message-ID: <B8ADB5A39790EF41901A5F105DB2CB8DB43CCD at server.Hi-tech.local>
> Content-class: urn:content-classes:message
> X-MimeOLE: Produced By Microsoft Exchange V6.5
> X-MS-Has-Attach:
> X-MS-TNEF-Correlator:
> Thread-Topic: removed to protect the innocent
> Thread-Index: AcgMB3G2oM864RICTwyR1vhZ6+t5JwAAI2GAPhemM7A=
> X-Priority: 1
> Priority: Urgent
> Importance: high
>
> From maillog
>
> Jan 22 16:54:42 mailav02 postfix/cleanup[12659]: EC4A71761FFF: message-id=<B8ADB5A39790EF41901A5F105DB2CB8DB43CCD at server.Hi-tech.local>
> Jan 22 17:00:26 mailav02 MailScanner[14816]: Making attempt 2 at processing message EC4A71761FFF.00000
> Jan 22 17:05:25 mailav02 MailScanner[14819]: Making attempt 3 at processing message EC4A71761FFF.00000
> Jan 22 17:10:25 mailav02 MailScanner[14900]: Making attempt 4 at processing message EC4A71761FFF.00000
> Jan 22 17:12:47 mailav02 MailScanner[15034]: Making attempt 5 at processing message EC4A71761FFF.00000
> Jan 22 17:18:32 mailav02 MailScanner[14985]: Making attempt 6 at processing message EC4A71761FFF.00000
> Jan 22 17:18:33 mailav02 MailScanner[15120]: Warning: skipping message EC4A71761FFF.00000 as it has been attempted too many times
> Jan 22 17:18:33 mailav02 MailScanner[15120]: Quarantined message EC4A71761FFF.00000 as it caused MailScanner to crash several times
> Jan 22 17:18:33 mailav02 MailScanner[15120]: Saved entire message to /var/spool/MailScanner/quarantine/20100122/EC4A71761FFF.00000
> Jan 22 17:18:33 mailav02 MailScanner[15120]: Logging message EC4A71761FFF.00000 to SQL
>
> Regards,
>
> Lyndon
>
>
>
> --
> This message has been scanned for viruses and dangerous content by the
> Mexcom MailScanner, and appears to be clean.
> Should you wish to secure your mail, call sales @ 011-801-4000,
> alternatively visit
> http://www.mexcom.co.za or mail sales at mexcom.co.za
>
>
> ------------------------------
>
> Message: 5
> Date: Fri, 22 Jan 2010 11:17:56 -0500
> From: "Garrod M. Alwood" <Garrod.Alwood at lorodoes.com>
> Subject: Re: MailScanner: Message attempted to kill MailScanner
> To: MailScanner discussion <mailscanner at lists.mailscanner.info>
> Message-ID: <7053E9FE-18A9-47D9-B2E5-F3402AE74F99 at lorodoes.com>
> Content-Type: text/plain; charset="utf-8"
>
> You need to get an update, I had the same problem
>
> Garrod Alwood
> Open Source Consultant
> 9047384988
> Garrod.alwood at lorodoes.com<mailto:Garrod.alwood at lorodoes.com>
> Sent from my iPod
>
> ------------------------------
>
> Message: 6
> Date: Fri, 22 Jan 2010 16:50:13 -0000
> From: "PD Support" <support-lists at petdoctors.co.uk>
> Subject: RE: MailScanner: Message attempted to kill MailScanner
> To: "'MailScanner discussion'" <mailscanner at lists.mailscanner.info>
> Message-ID: <016201ca9b82$f834bce0$e89e36a0$@co.uk>
> Content-Type: text/plain; charset="us-ascii"
>
> Also check folder permissions and that required folders exist - one recent
> install didn't make them all for me (I suspect this was a glitch in the
> SpamAssassin install rather than MailScanner).
>
>
>
> I also had this a while back on a server where the disk was full, although
> I
> expect this isn't your problem.
>
>
>
> NK
>
> ------------------------------
>
> Message: 7
> Date: Fri, 22 Jan 2010 16:51:03 +0000
> From: Julian Field <MailScanner at ecs.soton.ac.uk>
> Subject: Re: MailScanner: Message attempted to kill MailScanner
> To: MailScanner discussion <mailscanner at lists.mailscanner.info>
> Message-ID:
>        <EMEW3|a8a247e6c07fa539be9a157e5b9cc27bm0LGp70bMailScanner|
> ecs.soton.ac.uk|4B59D777.5040600 at ecs.soton.ac.uk>
>
> Content-Type: text/plain; charset=UTF-8; format=flowed
>
> Yes, just install the latest version available on the website.
>
> On 22/01/2010 16:17, Garrod M. Alwood wrote:
> > You need to get an update, I had the same problem
> >
> > Garrod Alwood
> > Open Source Consultant
> > 9047384988
> > Garrod.alwood at lorodoes.com <mailto:Garrod.alwood at lorodoes.com>
> > Sent from my iPod
>
> Jules
>
> ------------------------------
>
> Message: 8
> Date: Fri, 22 Jan 2010 19:41:38 +0200
> From: Lyndon Labuschagne <lyndonl at mexcom.co.za>
> Subject: Re: MailScanner: Message attempted to kill MailScanner
> To: MailScanner discussion <mailscanner at lists.mailscanner.info>
> Message-ID: <614069FF-2788-4FDA-9E4D-870A5282B297 at mexcom.co.za>
> Content-Type: text/plain; charset=us-ascii
>
> Ok cool thanks all
>
> I will try that on Monday, if the gods smile on me there might be an
> updated BSD port :) not that I'm holding my breath
>
>
> On 22 Jan 2010, at 6:51 PM, Julian Field wrote:
>
> > Yes, just install the latest version available on the website.
>
>
> ------------------------------
>
> Message: 9
> Date: Fri, 22 Jan 2010 12:58:27 -0500
> From: Mike Wallace <mike at mlrw.com>
> Subject: Infected Messages Not Being Spam Checked
> To: mailscanner at lists.mailscanner.info
> Message-ID: <2C4D53D7-096E-4BC1-A863-DD80E5A8E91A at mlrw.com>
> Content-Type: text/plain; charset="us-ascii"
>
> I am having a problem with Virus infected messages not being spam checked
> and getting delivered to users.
>
> My configuration is MS 4.78.17-1 running on CentOS 5.4 with spamassassin
> 3.2.5-1 from the CentOS distribution, clamav 0.95.3-1 and razor-agents 2.84-1
> from rpmforge, pyzor 0.5.0 and dcc 1.3.115. I am using the following
> additional spamassassin rules; Sought, OpenProtect and a couple of custom
> ones. All messages with a spam score of > 5.0 and <10.0 are redirected to a
> special mailbox. Anything >10.0 are deleted. This works great as I have a
> false positive rate of 0.16% and a false negative rate of 0.87% (if I
> exclude the viruses that passed). None of the false positives are high
> scoring spam >10.0.
>
> Here is an example of a message that was not spam checked:
>
> Return-Path: improvesx66 at wires.tv
> Received: from mailserver.mlrw.com (LHLO mailserver.mlrw.com) by
>  mailserver.mlrw.com with LMTP; Thu, 21 Jan 2010 16:51:09 -0500 (EST)
> Received: from localhost (localhost.localdomain [127.0.0.1])
>        by mailserver.mlrw.com (Postfix) with ESMTP id 455AC1448859
>        for <user at mlrw.com>; Thu, 21 Jan 2010 16:51:09 -0500 (EST)
> X-Virus-Scanned: amavisd-new at mlrw.com
> Received: from gateway.mlrw.com
>        by mailserver.mlrw.com (Postfix) with ESMTP id ECE031448858
>        for <user at mlrw.com>; Thu, 21 Jan 2010 16:51:08 -0500 (EST)
> Received: from mx1.mailhop.org (mxout-144-iad.mailhop.org[216.146.32.144])
>        by mlrw.com (Postfix) with ESMTP id 3E1FA2A00C4
>        for <user at mlrw.com>; Thu, 21 Jan 2010 16:51:08 -0500 (EST)
> Received: from noblet1.lnk.telstra.net (noblet1.lnk.telstra.net[165.228.74.75])
>        by mx1.mailhop.org (Postfix) with ESMTP id CA691833D0B
>        for <user at mlrw.com>; Thu, 21 Jan 2010 21:51:02 +0000 (UTC)
> Received: from 165.228.74.75 by mailstore1.secureserver.net; Fri, 22 Jan
> 2010 08:50:57 +1000
> Date:   Fri, 22 Jan 2010 08:50:57 +1000
> From:   "DHL Manager Keven Allen" <shipping at dhl.com>
> X-Mailer: The Bat! (v3.51.10) Professional
> Reply-To: improvesx66 at wires.tv
> X-Priority: 3 (Normal)
> Message-ID: <256744380.35200801834064 at wires.tv>
> To: user at mlrw.com
> Subject: {VIRUS?} DHL Delivery Problem Number 81419.
> MIME-Version: 1.0
> Content-Type: multipart/mixed;
>  boundary="----------4B369E401538E9"
> X-MLRW-MailScanner-ID: 3E1FA2A00C4.AAF25
> X-MLRW-MailScanner-VirusCheck: Message was found to be infected
> X-MLRW-MailScanner-SpamCheck:
> X-MLRW-MailScanner-From: improvesx66 at wires.tv
>
>
> ------------4B369E401538E9
> Content-Type: text/plain; charset=Windows-1252
> Content-Transfer-Encoding: 7bit
>
> Dear customer!
>
> The courier company was not able to deliver your parcel by your address.
> Cause: Error in shipping address.
>
> You may pickup the parcel at our post office personaly!
>
> Attention!
> The shipping label is attached to this e-mail.
> Please print this label to get this package at our post office.
>
>
> Please do not reply to this e-mail, it is an unmonitored mailbox!
>
>
>
> Thank you.
> DHL Delivery Services.
>
>
>
>
> ------------4B369E401538E9
> Content-Type: application/zip; name="DHL_Label_NR06283.zip"
> Content-Transfer-Encoding: base64
> Content-Disposition: attachment; filename="DHL_Label_NR06283.zip"
>
> In the logs for clamd I see the following for that attachment:
> DHL_Label_NR06283.zip: Suspect.Bredozip-zippwd-2 FOUND
>
> If I run spamassassin against a quarantined copy of the message here is
> its score:
>
> Content analysis details:   (23.1 points, 5.0 required)
>
>  pts rule name                  description
> ---- -------------------------- --------------------------------------------------
>  0.7 SARE_RECV_IP_FROMIP3       Received line is IP address from IP address
>  3.0 RCVD_IN_XBL                RBL: Received via a relay in Spamhaus XBL
>                                 [165.228.74.75 listed in zen.spamhaus.org]
>  2.0 RCVD_IN_BL_SPAMCOP_NET     RBL: Received via a relay in bl.spamcop.net
>                                 [Blocked - see <http://www.spamcop.net/bl.shtml?165.228.74.75>]
>  1.0 BAYES_60                   BODY: Bayesian spam probability is 60 to 80%
>                                 [score: 0.6792]
>  0.5 RAZOR2_CHECK               Listed in Razor2 (http://razor.sf.net/)
>  1.5 RAZOR2_CF_RANGE_E4_51_100  Razor2 gives engine 4 confidence level above 50%
>                                 [cf: 100]
>  0.5 RAZOR2_CF_RANGE_51_100     Razor2 gives confidence level above 50%
>                                 [cf: 100]
>  3.7 PYZOR_CHECK                Listed in Pyzor (http://pyzor.sf.net/)
>  2.2 DCC_CHECK                  Listed in DCC (http://rhyolite.com/anti-spam/dcc/)
>  0.0 DIGEST_MULTIPLE            Message hits more than one network digest check
>  4.0 JM_SOUGHT_1                Body contains frequently-spammed text patterns
>  4.0 JM_SOUGHT_2                Body contains frequently-spammed text patterns
>
> As you can see it's greater than 10.0 which means it would have been
> deleted.
>
> Can anyone help me? I need to get these type of messages spam checked.
>
> Thanks.
>
> Mike
> ------------------------------
>
> Message: 10
> Date: Fri, 22 Jan 2010 21:12:21 +0100
> From: Kai Schaetzl <maillists at conactive.com>
> Subject: Re: Infected Messages Not Being Spam Checked
> To: mailscanner at lists.mailscanner.info
> Message-ID: <VA.00003996.017f50d8 at news.conactive.com>
> Content-Type: text/plain; charset=iso-8859-1
>
> Mike Wallace wrote on Fri, 22 Jan 2010 12:58:27 -0500:
>
> > I am having a problem
>
> with pressing the correct button in your email program. Please hit "new
> message" when you send a new question and not "reply"! Thanks.
>
> > with Virus infected messages not being spam
> > checked and getting delivered to users.
>
> Virusscan is done before spamcheck. If you get viruses delivered that
> means you have either disabled virusscanning or have changed the default
> value so that messages with viruses get delivered. Both doesn't make
> sense.
>
> > I need to get these type of messages spam checked.
>
> No, you have to stop delivering viruses. That, I told you already 10 days
> ago. In case that is not what you do, maybe you should have answered
> Julian's questions.
>
> Kai
>
> --
> Get your web at Conactive Internet Services: http://www.conactive.com
>
>
>
>
>
> ------------------------------
>
> Message: 11
> Date: Fri, 22 Jan 2010 21:37:54 +0000
> From: mog <lists at elasticmind.net>
> Subject: Re: MailScanner: Message attempted to kill MailScanner
> To: mailscanner at lists.mailscanner.info
> Message-ID: <4B5A1AB2.2090204 at elasticmind.net>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> Mike (the guy who's been looking after the port) has been working on the
> problem. I'm sure he will update the port as soon as he has time.
>
>
> On 22/01/2010 17:41, Lyndon Labuschagne wrote:
> > Ok cool thanks all
> >
> > I will try that on monday, if the gods smile on my there might be an
> updated BSD port :) not that im holding my breath
> >
> >
> > On 22 Jan 2010, at 6:51 PM, Julian Field wrote:
> >
> >
> >> Yes, just install the latest version available on the website.
> >>
> >> On 22/01/2010 16:17, Garrod M. Alwood wrote:
> >>
> >>> You need to get an update, I had the same problem
> >>>
> >>> Garrod Alwood
> >>> Open Source Consultant
> >>> 9047384988
> >>> Garrod.alwood at lorodoes.com<mailto:Garrod.alwood at lorodoes.com>
> >>> Sent from my iPod
> >>>
> >>> On Jan 22, 2010, at 11:14 AM, "Lyndon Labuschagne"<
> lyndonl at mexcom.co.za<mailto:lyndonl at mexcom.co.za>>  wrote:
> >>>
> >>>
> >>>> Hello All
> >>>>
> >>>> I hope you can shed some light on the below issue
> >>>>
> >>>> This is a new install of MailScanner 4.79.5
> >>>> FreeBSD 8.0 amd64
> >>>> postfix-2.6.5,1
> >>>> p5-Mail-SpamAssassin-3.2.5_4
> >>>> clamav-0.95.3
> >>>>
> >>>> All the effected mails seem to have attachments, mail sizes vary most
> are over 200kb but some are only 80kb
> >>>> most seem to be word docs both .doc and .docx
> >>>> I have turned off OLE scans to see if that was a part of the problem
> >>>>
> >>>> ClamAVmodule Maximum File Size = 5000000 # (5 Mbytes)
> >>>>
> >>>> Max Spam Check Size = 40k
> >>>> Max SpamAssassin Size = 40k
> >>>> Max Custom Spam Scanner Size = 40k
> >>>>
> >>>>
> >>>>
> >>>> the Server is a Xeon 2Ghz quad core 4 GB RAM
> >>>> it averages about 95% idle with about 2.5GB free RAM although when
> clamscan is running it might drop down to about 80% idle
> >>>>
> >>>> I can turn on the debug option but its not every mail that has this
> issue its probably 1 out of every 100 to 150 messages. so it might take some
> time to trigger the problem
> >>>>
> >>>> the below message was 333.6kb
> >>>>
> >>>>  From MailWatch interface:
> >>>>
> >>>> Subject: /removed to protect the innocent/
> >>>> MIME-Version: 1.0
> >>>> Content-Type: multipart/mixed;
> >>>>      boundary="----_=_NextPart_001_01CA9B73.4F7F8242"
> >>>> Date: Fri, 22 Jan 2010 16:58:08 +0200
> >>>>
> Message-ID:<B8ADB5A39790EF41901A5F105DB2CB8DB43CCD at server.Hi-tech.local
> <mailto:B8ADB5A39790EF41901A5F105DB2CB8DB43CCD at server.Hi-tech.local>>
> >>>> Content-class: urn:content-classes:message
> >>>> X-MimeOLE: Produced By Microsoft Exchange V6.5
> >>>> X-MS-Has-Attach:
> >>>> X-MS-TNEF-Correlator:
> >>>> Thread-Topic: removed to protect the innocent
> >>>> Thread-Index: AcgMB3G2oM864RICTwyR1vhZ6+t5JwAAI2GAPhemM7A=
> >>>> X-Priority: 1
> >>>> Priority: Urgent
> >>>> Importance: high
> >>>>
> >>>>  From maillog
> >>>>
> >>>> Jan 22 16:54:42 mailav02 postfix/cleanup[12659]: EC4A71761FFF: message-id=<B8ADB5A39790EF41901A5F105DB2CB8DB43CCD at server.Hi-tech.local>
> >>>> Jan 22 17:00:26 mailav02 MailScanner[14816]: Making attempt 2 at processing message EC4A71761FFF.00000
> >>>> Jan 22 17:05:25 mailav02 MailScanner[14819]: Making attempt 3 at processing message EC4A71761FFF.00000
> >>>> Jan 22 17:10:25 mailav02 MailScanner[14900]: Making attempt 4 at processing message EC4A71761FFF.00000
> >>>> Jan 22 17:12:47 mailav02 MailScanner[15034]: Making attempt 5 at processing message EC4A71761FFF.00000
> >>>> Jan 22 17:18:32 mailav02 MailScanner[14985]: Making attempt 6 at processing message EC4A71761FFF.00000
> >>>> Jan 22 17:18:33 mailav02 MailScanner[15120]: Warning: skipping message EC4A71761FFF.00000 as it has been attempted too many times
> >>>> Jan 22 17:18:33 mailav02 MailScanner[15120]: Quarantined message EC4A71761FFF.00000 as it caused MailScanner to crash several times
> >>>> Jan 22 17:18:33 mailav02 MailScanner[15120]: Saved entire message to /var/spool/MailScanner/quarantine/20100122/EC4A71761FFF.00000
> >>>> Jan 22 17:18:33 mailav02 MailScanner[15120]: Logging message EC4A71761FFF.00000 to SQL
> >>>>
> >>>> Regards,
> >>>>
> >>>> Lyndon
> >>>>
> >>>>
> >>>>
> >>>>
> >> Jules
> >>
> >> --
> >> Julian Field MEng CITP CEng
> >> www.MailScanner.info
> >> Buy the MailScanner book at www.MailScanner.info/store
> >>
> >> --
> >> MailScanner mailing list
> >> mailscanner at lists.mailscanner.info
> >> http://lists.mailscanner.info/mailman/listinfo/mailscanner
> >>
> >> Before posting, read http://wiki.mailscanner.info/posting
> >>
> >> Support MailScanner development - buy the book off the website!
> >>
> >
>
>
> ------------------------------
>
> Message: 12
> Date: Fri, 22 Jan 2010 16:40:25 -0500
> From: Mike Wallace <mike at mlrw.com>
> Subject: Infected Messages Not Being Spam Checked
> To: mailscanner at lists.mailscanner.info
> Message-ID: <64AB5CB5-8BFD-4987-8CF3-A3AC9C89E9C9 at mlrw.com>
> Content-Type: text/plain; charset="us-ascii"
>
> I am having a problem with Virus infected messages not being spam checked
> and getting delivered to users.
>
> My configuration is MS 4.78.17-1 running on CentOS 5.4 with spamassassin
> 3.2.5-1 from the CentOS distribution, clamav 0.95.3-1 and razor-agents 2.84-1
> from rpmforge, pyzor 0.5.0 and dcc 1.3.115. I am using the following
> additional spamassassin rules; Sought, OpenProtect and a couple of custom
> ones. All messages with a spam score of > 5.0 and <10.0 are redirected to a
> special mailbox. Anything >10.0 are deleted. This works great as I have a
> false positive rate of 0.16% and a false negative rate of 0.87% (if I
> exclude the viruses that passed). None of the false positives are high
> scoring spam >10.0.
>
> Here is an example of a message that was not spam checked:
>
> Return-Path: improvesx66 at wires.tv
> Received: from mailserver.mlrw.com (LHLO mailserver.mlrw.com) by
>  mailserver.mlrw.com with LMTP; Thu, 21 Jan 2010 16:51:09 -0500 (EST)
> Received: from localhost (localhost.localdomain [127.0.0.1])
>        by mailserver.mlrw.com (Postfix) with ESMTP id 455AC1448859
>        for <user at mlrw.com>; Thu, 21 Jan 2010 16:51:09 -0500 (EST)
> X-Virus-Scanned: amavisd-new at mlrw.com
> Received: from gateway.mlrw.com
>        by mailserver.mlrw.com (Postfix) with ESMTP id ECE031448858
>        for <user at mlrw.com>; Thu, 21 Jan 2010 16:51:08 -0500 (EST)
> Received: from mx1.mailhop.org (mxout-144-iad.mailhop.org[216.146.32.144])
>        by mlrw.com (Postfix) with ESMTP id 3E1FA2A00C4
>        for <user at mlrw.com>; Thu, 21 Jan 2010 16:51:08 -0500 (EST)
> Received: from noblet1.lnk.telstra.net (noblet1.lnk.telstra.net[165.228.74.75])
>        by mx1.mailhop.org (Postfix) with ESMTP id CA691833D0B
>        for <user at mlrw.com>; Thu, 21 Jan 2010 21:51:02 +0000 (UTC)
> Received: from 165.228.74.75 by mailstore1.secureserver.net; Fri, 22 Jan
> 2010 08:50:57 +1000
> Date:   Fri, 22 Jan 2010 08:50:57 +1000
> From:   "DHL Manager Keven Allen" <shipping at dhl.com>
> X-Mailer: The Bat! (v3.51.10) Professional
> Reply-To: improvesx66 at wires.tv
> X-Priority: 3 (Normal)
> Message-ID: <256744380.35200801834064 at wires.tv>
> To: user at mlrw.com
> Subject: {VIRUS?} DHL Delivery Problem Number 81419.
> MIME-Version: 1.0
> Content-Type: multipart/mixed;
>  boundary="----------4B369E401538E9"
> X-MLRW-MailScanner-ID: 3E1FA2A00C4.AAF25
> X-MLRW-MailScanner-VirusCheck: Message was found to be infected
> X-MLRW-MailScanner-SpamCheck:
> X-MLRW-MailScanner-From: improvesx66 at wires.tv
>
>
> ------------4B369E401538E9
> Content-Type: text/plain; charset=Windows-1252
> Content-Transfer-Encoding: 7bit
>
> Dear customer!
>
> The courier company was not able to deliver your parcel by your address.
> Cause: Error in shipping address.
>
> You may pickup the parcel at our post office personaly!
>
> Attention!
> The shipping label is attached to this e-mail.
> Please print this label to get this package at our post office.
>
>
> Please do not reply to this e-mail, it is an unmonitored mailbox!
>
>
>
> Thank you.
> DHL Delivery Services.
>
>
>
>
> ------------4B369E401538E9
> Content-Type: application/zip; name="DHL_Label_NR06283.zip"
> Content-Transfer-Encoding: base64
> Content-Disposition: attachment; filename="DHL_Label_NR06283.zip"
>
> In the logs for clamd I see the following for that attachment:
> DHL_Label_NR06283.zip: Suspect.Bredozip-zippwd-2 FOUND
>
> If I run spamassassin against a quarantined copy of the message here is
> its score:
>
> Content analysis details:   (23.1 points, 5.0 required)
>
>  pts rule name                 description
> ---- ------------------------- --------------------------------------------------
>  0.7 SARE_RECV_IP_FROMIP3      Received line is IP address from IP address
>  3.0 RCVD_IN_XBL               RBL: Received via a relay in Spamhaus XBL
>                                [165.228.74.75 listed in zen.spamhaus.org]
>  2.0 RCVD_IN_BL_SPAMCOP_NET    RBL: Received via a relay in bl.spamcop.net
>                                [Blocked - see <http://www.spamcop.net/bl.shtml?165.228.74.75>]
>  1.0 BAYES_60                  BODY: Bayesian spam probability is 60 to 80%
>                                [score: 0.6792]
>  0.5 RAZOR2_CHECK              Listed in Razor2 (http://razor.sf.net/)
>  1.5 RAZOR2_CF_RANGE_E4_51_100 Razor2 gives engine 4 confidence level above 50%
>                                [cf: 100]
>  0.5 RAZOR2_CF_RANGE_51_100    Razor2 gives confidence level above 50%
>                                [cf: 100]
>  3.7 PYZOR_CHECK               Listed in Pyzor (http://pyzor.sf.net/)
>  2.2 DCC_CHECK                 Listed in DCC (http://rhyolite.com/anti-spam/dcc/)
>  0.0 DIGEST_MULTIPLE           Message hits more than one network digest check
>  4.0 JM_SOUGHT_1               Body contains frequently-spammed text patterns
>  4.0 JM_SOUGHT_2               Body contains frequently-spammed text patterns
>
> As you can see it's greater than 10.0 which means it would have been
> deleted.
>
> Can anyone help me? I need to get these types of messages spam checked.
>
> Thanks.
>
> Mike
>
> ------------------------------
>
>
> End of MailScanner Digest, Vol 49, Issue 31
> *******************************************
>
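Added example, not part of the original thread and not MailScanner's own code: a log check for the pattern in the maillog excerpt quoted above, where one message is retried by several MailScanner workers and finally quarantined "as it caused MailScanner to crash several times". The function names, the `min_attempts` threshold, the year passed to the timestamp parser and the `C0FFEE000001` line are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed input: the thread's MailScanner lines, unwrapped, plus one constructed single-retry message.
SAMPLE_LOG = """\
Jan 22 17:00:26 mailav02 MailScanner[14816]: Making attempt 2 at processing message EC4A71761FFF.00000
Jan 22 17:01:02 mailav02 MailScanner[14817]: Making attempt 2 at processing message C0FFEE000001.00000
Jan 22 17:05:25 mailav02 MailScanner[14819]: Making attempt 3 at processing message EC4A71761FFF.00000
Jan 22 17:10:25 mailav02 MailScanner[14900]: Making attempt 4 at processing message EC4A71761FFF.00000
Jan 22 17:12:47 mailav02 MailScanner[15034]: Making attempt 5 at processing message EC4A71761FFF.00000
Jan 22 17:18:32 mailav02 MailScanner[14985]: Making attempt 6 at processing message EC4A71761FFF.00000
Jan 22 17:18:33 mailav02 MailScanner[15120]: Warning: skipping message EC4A71761FFF.00000 as it has been attempted too many times
Jan 22 17:18:33 mailav02 MailScanner[15120]: Quarantined message EC4A71761FFF.00000 as it caused MailScanner to crash several times
Jan 22 17:18:33 mailav02 MailScanner[15120]: Saved entire message to /var/spool/MailScanner/quarantine/20100122/EC4A71761FFF.00000
"""

LINE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ MailScanner\[(\d+)\]: (.*)$")
EVENTS = {  # every pattern captures the message id as the group "id"
    "attempt": re.compile(r"Making attempt (?P<n>\d+) at processing message (?P<id>\S+)"),
    "skipped": re.compile(r"Warning: skipping message (?P<id>\S+) as it has been attempted too many times"),
    "crashed": re.compile(r"Quarantined message (?P<id>\S+) as it caused MailScanner to crash"),
    "saved": re.compile(r"Saved entire message to \S*/(?P<id>[^/\s]+)$"),
}

def analyse(log_text, year=2010):
    """Group retry/quarantine events by message id (syslog has no year, so `year` is assumed)."""
    seen = defaultdict(lambda: {"attempt": 0, "pids": set(), "times": [], "events": set()})
    for raw in log_text.splitlines():
        if (line := LINE.match(raw)) is None:
            continue  # not a MailScanner line
        stamp, pid, text = line.groups()
        when = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        for name, pattern in EVENTS.items():
            if (hit := pattern.search(text)) is None:
                continue
            rec = seen[hit["id"]]
            rec["events"].add(name)
            rec["times"].append(when)
            if name == "attempt":
                rec["pids"].add(pid)  # each retry is picked up by a different worker
                rec["attempt"] = max(rec["attempt"], int(hit["n"]))
    return dict(seen)

def crash_loops(report, min_attempts=3):
    """(id, attempts, worker count, seconds stuck) for retried or crash-quarantined mail."""
    return sorted((mid, r["attempt"], len(r["pids"]), int((max(r["times"]) - min(r["times"])).total_seconds()))
                  for mid, r in report.items()
                  if r["attempt"] >= min_attempts or "crashed" in r["events"])
```

A message that appears in this report was held in the queue for the whole retry window, so the quarantined copy is the sample to hand to the scanner vendor or to replay with debugging enabled.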