MailScanner / Sendmail / FreeBSD - writing to /var/spool/MailScanner/quarantine/20161123/uANNOfAO00xxx/message: No such file or directory

Jerry Benton jerry.benton at mailborder.com
Mon Nov 28 11:19:29 UTC 2016 

Have you considered /var is out of space? 

-
Jerry Benton
www.mailborder.com
+1 - 844-436-6245



> On Nov 28, 2016, at 6:18 AM, Richard Mealing <richard at fastnet.co.uk> wrote:
> 
> Hi everyone,
>  
> It’s been a while since I posted to this list. 
>  
> I’ve had a few problems recently with a very large amount of incoming mail with viruses. We would usually see around 10M – 50M of quarantined items reaching us on a daily basis, but over the last week we have seen a dramatic increase, for example – 
>  
> /var/spool/MailScanner/quarantine # du -h -d0 *
> 10M    20161120
> 286M    20161121
> 508M    20161122
> 450M    20161123
> 517M    20161124
> 26M    20161125
> 61M    20161126
> 7.8M    20161127
> 90M    20161128
>  
> I am alerted by our monitoring software of my mailq.in directory reaching over 500 emails. When I look at mailscanner I see the following entries in my maillog – 
>  
> Nov 23 23:59:06 btn-mailfilter-v3 MailScanner[32258]: Clamd::INFECTED:: Sanesecurity.Foxhole.JS_Zip_1.UNOFFICIAL :: ./uANNO06T008551/receipt_staton.zip
> Nov 23 23:59:06 btn-mailfilter-v3 MailScanner[32258]: Infected message uANNO06T008551 came from 186.54.46.177
> Nov 23 23:59:11 btn-mailfilter-v3 MailScanner[32316]: Clamd::INFECTED:: Sanesecurity.Foxhole.JS_Zip_1.UNOFFICIAL :: ./uANNO06T008551/receipt_staton.zip
> Nov 23 23:59:11 btn-mailfilter-v3 MailScanner[32316]: Infected message uANNO06T008551 came from 186.54.46.177
> Nov 23 23:59:16 btn-mailfilter-v3 MailScanner[32368]: Clamd::INFECTED:: Sanesecurity.Foxhole.JS_Zip_1.UNOFFICIAL :: ./uANNO06T008551/receipt_staton.zip
> Nov 23 23:59:16 btn-mailfilter-v3 MailScanner[32368]: Infected message uANNO06T008551 came from 186.54.46.177
> Nov 23 23:59:21 btn-mailfilter-v3 MailScanner[32419]: Clamd::INFECTED:: Sanesecurity.Foxhole.JS_Zip_1.UNOFFICIAL :: ./uANNO06T008551/receipt_staton.zip
> Nov 23 23:59:21 btn-mailfilter-v3 MailScanner[32419]: Infected message uANNO06T008551 came from 186.54.46.177
> Nov 23 23:59:26 btn-mailfilter-v3 MailScanner[32475]: Clamd::INFECTED::Sanesecurity.Foxhole.JS_Zip_1.UNOFFICIAL :: ./uANNO06T008551/
> Nov 23 23:59:26 btn-mailfilter-v3 MailScanner[32475]: Clamd::INFECTED:: Sanesecurity.Foxhole.JS_Zip_1.UNOFFICIAL :: ./uANNO06T008551/receipt_staton.zip
> Nov 23 23:59:26 btn-mailfilter-v3 MailScanner[32475]: Infected message uANNO06T008551 came from 186.54.46.177
> Nov 23 23:59:36 btn-mailfilter-v3 MailScanner[32577]: Clamd::INFECTED::Sanesecurity.Foxhole.JS_Zip_1.UNOFFICIAL :: ./uANNO06T008551/
> Nov 23 23:59:36 btn-mailfilter-v3 MailScanner[32577]: Clamd::INFECTED:: Sanesecurity.Foxhole.JS_Zip_1.UNOFFICIAL :: ./uANNO06T008551/receipt_staton.zip
> Nov 23 23:59:36 btn-mailfilter-v3 MailScanner[32577]: Infected message uANNO06T008551 came from 186.54.46.177
> Nov 23 23:59:36 btn-mailfilter-v3 MailScanner[32577]: Saved entire message to /var/spool/MailScanner/quarantine/20161123/uANNO06T008551
> Nov 23 23:59:36 btn-mailfilter-v3 MailScanner[32577]: writing to /var/spool/MailScanner/quarantine/20161123/uANNO06T008551/message: No such file or directory
> Nov 23 23:59:41 btn-mailfilter-v3 MailScanner[32635]: Clamd::INFECTED:: Sanesecurity.Foxhole.JS_Zip_1.UNOFFICIAL :: ./uANNO06T008551/receipt_staton.zip
> Nov 23 23:59:41 btn-mailfilter-v3 MailScanner[32635]: Infected message uANNO06T008551 came from 186.54.46.177
> Nov 23 23:59:46 btn-mailfilter-v3 MailScanner[32678]: Clamd::INFECTED::Sanesecurity.Foxhole.JS_Zip_1.UNOFFICIAL :: ./uANNO06T008551/
> Nov 23 23:59:46 btn-mailfilter-v3 MailScanner[32678]: Clamd::INFECTED:: Sanesecurity.Foxhole.JS_Zip_1.UNOFFICIAL :: ./uANNO06T008551/receipt_staton.zip
> Nov 23 23:59:46 btn-mailfilter-v3 MailScanner[32678]: Infected message uANNO06T008551 came from 186.54.46.177
> Nov 23 23:59:46 btn-mailfilter-v3 MailScanner[32678]: Saved entire message to /var/spool/MailScanner/quarantine/20161123/uANNO06T008551
> Nov 23 23:59:46 btn-mailfilter-v3 MailScanner[32678]: writing to /var/spool/MailScanner/quarantine/20161123/uANNO06T008551/message: No such file or directory
> Nov 23 23:59:51 btn-mailfilter-v3 MailScanner[32736]: Clamd::INFECTED:: Sanesecurity.Foxhole.JS_Zip_1.UNOFFICIAL :: ./uANNO06T008551/receipt_staton.zip
> Nov 23 23:59:51 btn-mailfilter-v3 MailScanner[32736]: Infected message uANNO06T008551 came from 186.54.46.177
>  
> This just goes on and on and from what I can tell MailScanner cannot process the email to my quarantine directory. Permissions are fine – since all emails prior to this where quarantined. The fix seems to be me removing the /var/spool/MailScanner/quarantine/20161123 folder altogether and letting mailscanner create it again. 
>  
> When I remove the directory and restart mailscanner, everything works fine again and the emails get sent to their respective folders that were in my queue. I assume mailscanner tries to read this directory and runs out of memory or something, since it has grown so large? I only ever get this problem when the directory is at a certain size, otherwise I never see any problems with mailscanner. 
>  
> Does anyone think this is a mailscanner problem, or something else? I’m wondering how to test this, maybe put some very large files in that directory and see how mailscanner copes? Or I could just put all the files in one of the large folders into today’s folder and see what happens, possibly run a –lint with the –D switch? 
>  
> Thanks,
> Rich
> 
> 
> -- 
> MailScanner mailing list
> mailscanner at lists.mailscanner.info <mailto:mailscanner at lists.mailscanner.info>
> http://lists.mailscanner.info/mailman/listinfo/mailscanner <http://lists.mailscanner.info/mailman/listinfo/mailscanner>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.mailscanner.info/pipermail/mailscanner/attachments/20161128/89dfbc48/attachment.html>

More information about the MailScanner mailing list