Messages being disarmed

Jason Waters jason at geeknocity.com
Wed Dec 21 12:21:55 UTC 2016


Any ideas?  I seem to be getting this a lot.  I wouldn't care if I could
still see the email, but the email is just gone!

root at mailscanner:/var/log# cat /var/log/mail.log |grep "died, status = 13"
Dec 19 10:31:05 mailscanner MailScanner[2718]: HTML disarming died, status = 13
Dec 19 11:02:59 mailscanner MailScanner[2718]: HTML disarming died, status = 13
Dec 19 14:33:51 mailscanner MailScanner[5050]: HTML disarming died, status = 13
Dec 19 14:40:52 mailscanner MailScanner[5050]: HTML disarming died, status = 13
Dec 19 14:54:22 mailscanner MailScanner[5050]: HTML disarming died, status = 13
Dec 19 15:13:40 mailscanner MailScanner[5050]: HTML disarming died, status = 13
Dec 19 15:32:42 mailscanner MailScanner[5050]: HTML disarming died, status = 13
Dec 19 15:46:28 mailscanner MailScanner[5050]: HTML disarming died, status = 13
Dec 19 16:01:04 mailscanner MailScanner[5050]: HTML disarming died, status = 13
Dec 19 20:24:19 mailscanner MailScanner[6774]: HTML disarming died, status = 13
Dec 20 06:27:09 mailscanner MailScanner[12173]: HTML disarming died, status = 13
Dec 20 07:02:15 mailscanner MailScanner[12173]: HTML disarming died, status = 13
Dec 20 07:03:52 mailscanner MailScanner[12173]: HTML disarming died, status = 13
Dec 20 07:16:26 mailscanner MailScanner[12173]: HTML disarming died, status = 13
Dec 20 18:47:15 mailscanner MailScanner[29724]: HTML disarming died, status = 13
Dec 20 19:48:13 mailscanner MailScanner[29724]: HTML disarming died, status = 13
Dec 20 20:01:14 mailscanner MailScanner[29724]: HTML disarming died, status = 13
Dec 20 20:01:14 mailscanner MailScanner[29724]: HTML disarming died, status = 13
Dec 20 20:02:16 mailscanner MailScanner[29724]: HTML disarming died, status = 13
Dec 20 21:32:22 mailscanner MailScanner[29724]: HTML disarming died, status = 13
Dec 21 06:28:23 mailscanner MailScanner[416]: HTML disarming died, status = 13
Dec 21 06:31:59 mailscanner MailScanner[416]: HTML disarming died, status = 13
Dec 21 06:35:14 mailscanner MailScanner[416]: HTML disarming died, status = 13
Dec 21 06:54:42 mailscanner MailScanner[416]: HTML disarming died, status = 13
Dec 21 07:01:20 mailscanner MailScanner[416]: HTML disarming died, status = 13
Dec 21 07:02:34 mailscanner MailScanner[416]: HTML disarming died, status = 13
Dec 21 07:07:01 mailscanner MailScanner[416]: HTML disarming died, status = 13


On Tue, Dec 20, 2016 at 8:10 AM, Jason Waters <jason at geeknocity.com> wrote:

> Well I thought it was fixed because I didn't get any for a while but they
> seem to be back.  That is what I don't get.  Why it works and then just
> stops!  I also have some issues where it stops logging to SQL.  Still does
> all the checks and it says it logs to SQL, but it doesn't.  I reboot and
> then it starts again.  So here is some more information:
>
> cat /var/log/mail.log |grep "died, status = 13" -B5 -A5
>
> Dec 20 07:03:22 mailscanner MailScanner[12173]: Virus and Content Scanning: Starting
> Dec 20 07:03:25 mailscanner postfix/smtpd[14291]: disconnect from ccm183.constantcontact.com[208.75.123.183] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
> Dec 20 07:03:28 mailscanner MailScanner[12173]: <A> tag found in message D45B4E0B1B.A2260 from aysehmj0arkojatvg1/xivw==_1103817698109_jrzjsl+leeokdtsuuo6t6q==@in.constantcontact.com
> Dec 20 07:03:28 mailscanner MailScanner[12173]: HTML Img tag found in message D45B4E0B1B.A2260 from aysehmj0arkojatvg1/xivw==_1103817698109_jrzjsl+leeokdtsuuo6t6q==@in.constantcontact.com
> Dec 20 07:03:44 mailscanner postfix/smtpd[14291]: connect from unknown[78.142.18.89]
> Dec 20 07:03:52 mailscanner MailScanner[12173]: HTML disarming died, status = 13
> Dec 20 07:03:52 mailscanner MailScanner[12173]: Content Checks: Detected and have disarmed KILLED tags in HTML message in D45B4E0B1B.A2260 from aysehmj0arkojatvg1/xivw==_1103817698109_jrzjsl+leeokdtsuuo6t6q==@in.constantcontact.com
> Dec 20 07:03:53 mailscanner MailScanner[12173]: Requeue: D45B4E0B1B.A2260 to 14619E0B20
> Dec 20 07:03:53 mailscanner postfix/qmgr[1736]: 14619E0B20: from=<aysehmj0arkojatvg1/xivw==_1103817698109_jrzjsl+leeokdtsuuo6t6q==@in.constantcontact.com>, size=19291, nrcpt=1 (queue active)
> Dec 20 07:03:53 mailscanner MailScanner[12173]: Uninfected: Delivered 1 messages
> Dec 20 07:03:53 mailscanner MailScanner[12173]: Deleted 1 messages from processing-database
> --
> Dec 20 07:16:22 mailscanner MailScanner[13973]: Deleted 1 messages from processing-database
> Dec 20 07:16:22 mailscanner MailScanner[13973]: Logging message 2EDE1E0B20.ACEF5 to SQL
> Dec 20 07:16:22 mailscanner MailScanner[13973]: New Batch: Found 2 messages waiting
> Dec 20 07:16:22 mailscanner MailScanner[13973]: New Batch: Scanning 1 messages, 707697 bytes
> Dec 20 07:16:23 mailscanner MailScanner[13973]: Virus and Content Scanning: Starting
> Dec 20 07:16:26 mailscanner MailScanner[12173]: HTML disarming died, status = 13
> Dec 20 07:16:26 mailscanner MailScanner[12173]: Content Checks: Detected and have disarmed KILLED tags in HTML message in D0DA1E0B21.A9AD3 from bo-b3aygrcbg7011zaut10bdcrjmm73vh at b.e.delta.com
> Dec 20 07:16:27 mailscanner MailScanner[12173]: Requeue: D0DA1E0B21.A9AD3 to B6E49E0B20
> Dec 20 07:16:27 mailscanner postfix/qmgr[1736]: B6E49E0B20: from=<bo-b3aygrcbg7011zaut10bdcrjmm73vh at b.e.delta.com>, size=52671, nrcpt=1 (queue active)
> Dec 20 07:16:27 mailscanner MailScanner[12173]: Uninfected: Delivered 1 messages
> Dec 20 07:16:27 mailscanner MailScanner[12173]: Deleted 1 messages from processing-database
>
> I thought I had everything set up to run as postfix..
>
> root at mailscanner:/etc/MailScanner# grep "= postfix" MailScanner.conf
> #Run As User = postfix
> Run As User = postfix
> #Run As Group = postfix
> Run As Group = postfix
> MTA = postfix
> Incoming Work User = postfix
> Incoming Work Group = postfix
> Quarantine User = postfix
> Quarantine Group = postfix
>
> Here is the entry for postfix in /etc/group
> postfix:x:117:clamav,www-data,mail
>
>
> Spool Permissions
> root at mailscanner:/var/spool/MailScanner# ls -l *
> -rw-------  1 postfix postfix   23 Nov 15 13:14 servers
>
> archive:
> total 0
>
> incoming:
> total 576
> drwxrwx--- 2 postfix postfix   4096 Dec 13 14:49 11490
> drwxrwx--- 2 postfix postfix   4096 Dec 20 07:43 12173
> drwxrwx--- 2 postfix postfix   4096 Dec 18 01:10 15039
> drwxrwx--- 2 postfix postfix   4096 Dec 20 08:08 1934
> drwxrwx--- 2 postfix postfix   4096 Dec 20 08:08 1972
> drwxrwx--- 2 postfix postfix   4096 Dec 20 08:05 2006
> drwxrwx--- 2 postfix postfix   4096 Dec 20 08:02 2042
> drwxrwx--- 2 postfix postfix   4096 Dec 20 08:03 2096
> drwxrwx--- 2 postfix postfix   4096 Dec 14 11:24 21119
> drwxrwx--- 2 postfix postfix   4096 Dec  9 07:18 25816
> drwxrwx--- 2 postfix postfix   4096 Dec 12 01:31 26221
> drwxrwx--- 2 postfix postfix   4096 Dec 19 11:03 2718
> drwxrwx--- 3 postfix postfix   4096 Dec  8 11:14 27928
> drwxrwx--- 2 postfix postfix   4096 Dec 19 16:01 5050
> drwxrwx--- 2 postfix postfix   4096 Dec  7 09:08 5209
> drwxr-xr-x 2 postfix postfix   4096 Dec 20 07:45 Locks
> -rw-rw---- 1 postfix postfix  11264 Dec 20 08:08 Processing.db
> -rw-rw---- 1 postfix postfix 502784 Dec 20 08:08 SpamAssassin.cache.db
> drwxr-xr-x 2 postfix postfix   4096 Dec 20 08:08 SpamAssassin-Temp
>
> quarantine:
> total 128
> drwxrwx---  4 postfix postfix 4096 Nov 19 00:05 20161119
> drwxrwx---  4 postfix postfix 4096 Nov 20 00:35 20161120
> drwxrwx---  6 postfix postfix 4096 Nov 21 17:20 20161121
> drwxrwx---  9 postfix postfix 4096 Nov 22 17:48 20161122
> drwxrwx---  5 postfix postfix 4096 Nov 23 08:21 20161123
> drwxrwx---  5 postfix postfix 4096 Nov 24 08:12 20161124
> drwxrwx---  6 postfix postfix 4096 Nov 25 00:55 20161125
> drwxrwx---  4 postfix postfix 4096 Nov 26 01:00 20161126
> drwxrwx---  4 postfix postfix 4096 Nov 27 01:38 20161127
> drwxrwx---  4 postfix postfix 4096 Nov 28 00:01 20161128
> drwxrwx---  7 postfix postfix 4096 Nov 29 09:41 20161129
> drwxrwx---  7 postfix postfix 4096 Nov 30 22:28 20161130
> drwxrwx---  6 postfix postfix 4096 Dec  1 20:15 20161201
> drwxrwx---  9 postfix postfix 4096 Dec  2 10:15 20161202
> drwxrwx---  4 postfix postfix 4096 Dec  3 01:33 20161203
> drwxrwx---  4 postfix postfix 4096 Dec  4 01:05 20161204
> drwxrwx---  6 postfix postfix 4096 Dec  5 21:56 20161205
> drwxrwx---  8 postfix postfix 4096 Dec  6 22:40 20161206
> drwxrwx---  5 postfix postfix 4096 Dec  7 19:16 20161207
> drwxrwx--- 59 postfix postfix 4096 Dec  8 13:51 20161208
> drwxrwx--- 14 postfix postfix 4096 Dec  9 19:05 20161209
> drwxrwx---  5 postfix postfix 4096 Dec 10 07:18 20161210
> drwxrwx---  6 postfix postfix 4096 Dec 11 13:35 20161211
> drwxrwx---  9 postfix postfix 4096 Dec 12 20:51 20161212
> drwxrwx---  7 postfix postfix 4096 Dec 13 15:11 20161213
> drwxrwx--- 11 postfix postfix 4096 Dec 14 22:08 20161214
> drwxrwx---  7 postfix postfix 4096 Dec 15 15:40 20161215
> drwxrwx--- 10 postfix postfix 4096 Dec 16 16:11 20161216
> drwxrwx---  6 postfix postfix 4096 Dec 17 15:11 20161217
> drwxrwx---  7 postfix postfix 4096 Dec 18 15:10 20161218
> drwxrwx--- 12 postfix postfix 4096 Dec 19 20:10 20161219
> drwxrwx---  6 postfix postfix 4096 Dec 20 07:18 20161220
>
> spamassassin:
> total 28
> -rwxrwx--- 1 postfix postfix     6 Nov  9 14:48 bayes.mutex
> -rwxrwx--- 1 postfix postfix 12288 Nov  9 14:48 bayes_seen
> -rwxrwx--- 1 postfix postfix 12288 Nov  9 14:48 bayes_toks
>
>
>
> Any other thoughts or places to check?  Can I get more detail on the
> status 13?
>
>
>
>
>
> On Thu, Dec 8, 2016 at 12:52 PM, Jason Waters <jason at geeknocity.com>
> wrote:
>
>> Thanks for the help!  I'll grep the log file and see what I see!
>>
>> On Thu, Dec 8, 2016 at 12:08 PM, Mark Sapiro <mark at msapiro.net> wrote:
>>
>>> On 12/08/2016 08:41 AM, Jason Waters wrote:
>>> > Great that seemed to fix it.  So does that mean any email that had those
>>> > tags failed?  Because it didn't seem to be the case.  I would think the
>>> > majority of the emails have html in them.  Thanks for your help!
>>>
>>>
>>> I'm not sure what it was that triggered the issue. I think you'll just
>>> have to wait and see if it recurs or not. If the test message was
>>> flagged as {disarmed} by MailScanner or you see "Content Checks:
>>> Detected and have disarmed xxx tags in HTML message" where xxx isn't
>>> KILLED, you're probably OK.
>>>
>>> One thing you can check is if all such log messages said KILLED prior to
>>> your changing the ownership and now they say other things and not
>>> KILLED, I'm sure it's fixed.
>>>
>>> --
>>> Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
>>> San Francisco Bay Area, California    better use your sense - B. Dylan
>>>
>>>
>>
>
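
Added example, not part of the original thread and not MailScanner's own code: one way to run the check Mark Sapiro describes above, counting per day how often "HTML disarming died" was logged and whether the "Content Checks" lines reported KILLED or some other tag list. The sample log is constructed (message ids, addresses and the "web bug" tag value stand in for the thread's "xxx"); on a real host, pipe /var/log/mail.log into disarm_summary instead.

```shell
#!/bin/sh
# Summarise MailScanner HTML-disarm outcomes per day from a syslog-format
# mail log on stdin. Output, one line per day in order of first appearance:
#   <Mon> <day> died=<n> killed=<n> other=<n>
disarm_summary() {
    awk '
    # Remember each day once, in the order it first appears.
    function note(d) { if (!(d in seen)) { seen[d] = 1; order[++n] = d } }

    # Field 5 of a syslog line is "program[pid]:"; skip non-MailScanner lines.
    $5 !~ /^MailScanner\[[0-9]+\]:$/ { next }

    /HTML disarming died, status = / {
        day = $1 " " $2; note(day); died[day]++; next
    }
    /Content Checks: Detected and have disarmed / {
        day = $1 " " $2; note(day)
        # The tag list sits between "disarmed " and " tags in HTML message".
        tags = $0
        sub(/.*have disarmed /, "", tags)
        sub(/ tags in HTML message.*/, "", tags)
        if (tags == "KILLED") killed[day]++; else other[day]++
    }
    END {
        for (i = 1; i <= n; i++) {
            d = order[i]
            printf "%s died=%d killed=%d other=%d\n", d, died[d], killed[d], other[d]
        }
    }'
}

# Constructed sample input: same line shapes as the log excerpts in the
# thread, with made-up queue ids and example.com senders.
sample_log() {
    cat <<'EOF'
Dec 20 07:03:25 mailscanner postfix/smtpd[14291]: connect from unknown[192.0.2.10]
Dec 20 07:03:52 mailscanner MailScanner[12173]: HTML disarming died, status = 13
Dec 20 07:03:52 mailscanner MailScanner[12173]: Content Checks: Detected and have disarmed KILLED tags in HTML message in AAAAAAAAAA.A0001 from sender@example.com
Dec 20 07:03:53 mailscanner MailScanner[12173]: Uninfected: Delivered 1 messages
Dec 21 09:15:02 mailscanner MailScanner[416]: Content Checks: Detected and have disarmed web bug tags in HTML message in BBBBBBBBBB.B0002 from news@example.com
EOF
}

sample_log | disarm_summary
```

A day where killed stays at zero and only other is non-zero matches the "probably OK" case in the reply; died and killed rising together matches the failing case shown in the log excerpts.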