MailScanner / Sendmail / FreeBSD - writing to /var/spool/MailScanner/quarantine/20161123/uANNOfAO00xxx/message: No such file or directory

Richard Mealing richard at fastnet.co.uk
Mon Nov 28 11:34:18 UTC 2016


Hi Jerry,

That was my initial thought and all have adequate space. Some of them have 100+G for /var.
I was seeing this on 3 – 4 servers in my cluster. Some of them are physical, some are virtual. One of my physical servers I can see has a similar high amount of quarantined items, but that didn’t have any problems. It was very strange!

Thanks,
Rich


From: MailScanner [mailto:mailscanner-bounces+richard=fastnet.co.uk at lists.mailscanner.info] On Behalf Of Jerry Benton
Sent: Monday, November 28, 2016 11:19
To: MailScanner Discussion <mailscanner at lists.mailscanner.info>
Subject: Re: MailScanner / Sendmail / FreeBSD - writing to /var/spool/MailScanner/quarantine/20161123/uANNOfAO00xxx/message: No such file or directory

Have you considered /var is out of space?

-
Jerry Benton
www.mailborder.com
+1 - 844-436-6245


On Nov 28, 2016, at 6:18 AM, Richard Mealing <richard at fastnet.co.uk> wrote:

Hi everyone,

It’s been a while since I posted to this list.

I’ve had a few problems recently with a very large amount of incoming mail with viruses. We would usually see around 10M – 50M of quarantined items reaching us on a daily basis, but over the last week we have seen a dramatic increase, for example –

/var/spool/MailScanner/quarantine # du -h -d0 *
10M    20161120
286M    20161121
508M    20161122
450M    20161123
517M    20161124
26M    20161125
61M    20161126
7.8M    20161127
90M    20161128

I am alerted by our monitoring software of my mailq.in directory reaching over 500 emails. When I look at mailscanner I see the following entries in my maillog –

Nov 23 23:59:06 btn-mailfilter-v3 MailScanner[32258]: Clamd::INFECTED:: Sanesecurity.Foxhole.JS_Zip_1.UNOFFICIAL :: ./uANNO06T008551/receipt_staton.zip
Nov 23 23:59:06 btn-mailfilter-v3 MailScanner[32258]: Infected message uANNO06T008551 came from 186.54.46.177
Nov 23 23:59:11 btn-mailfilter-v3 MailScanner[32316]: Clamd::INFECTED:: Sanesecurity.Foxhole.JS_Zip_1.UNOFFICIAL :: ./uANNO06T008551/receipt_staton.zip
Nov 23 23:59:11 btn-mailfilter-v3 MailScanner[32316]: Infected message uANNO06T008551 came from 186.54.46.177
Nov 23 23:59:16 btn-mailfilter-v3 MailScanner[32368]: Clamd::INFECTED:: Sanesecurity.Foxhole.JS_Zip_1.UNOFFICIAL :: ./uANNO06T008551/receipt_staton.zip
Nov 23 23:59:16 btn-mailfilter-v3 MailScanner[32368]: Infected message uANNO06T008551 came from 186.54.46.177
Nov 23 23:59:21 btn-mailfilter-v3 MailScanner[32419]: Clamd::INFECTED:: Sanesecurity.Foxhole.JS_Zip_1.UNOFFICIAL :: ./uANNO06T008551/receipt_staton.zip
Nov 23 23:59:21 btn-mailfilter-v3 MailScanner[32419]: Infected message uANNO06T008551 came from 186.54.46.177
Nov 23 23:59:26 btn-mailfilter-v3 MailScanner[32475]: Clamd::INFECTED::Sanesecurity.Foxhole.JS_Zip_1.UNOFFICIAL :: ./uANNO06T008551/
Nov 23 23:59:26 btn-mailfilter-v3 MailScanner[32475]: Clamd::INFECTED:: Sanesecurity.Foxhole.JS_Zip_1.UNOFFICIAL :: ./uANNO06T008551/receipt_staton.zip
Nov 23 23:59:26 btn-mailfilter-v3 MailScanner[32475]: Infected message uANNO06T008551 came from 186.54.46.177
Nov 23 23:59:36 btn-mailfilter-v3 MailScanner[32577]: Clamd::INFECTED::Sanesecurity.Foxhole.JS_Zip_1.UNOFFICIAL :: ./uANNO06T008551/
Nov 23 23:59:36 btn-mailfilter-v3 MailScanner[32577]: Clamd::INFECTED:: Sanesecurity.Foxhole.JS_Zip_1.UNOFFICIAL :: ./uANNO06T008551/receipt_staton.zip
Nov 23 23:59:36 btn-mailfilter-v3 MailScanner[32577]: Infected message uANNO06T008551 came from 186.54.46.177
Nov 23 23:59:36 btn-mailfilter-v3 MailScanner[32577]: Saved entire message to /var/spool/MailScanner/quarantine/20161123/uANNO06T008551
Nov 23 23:59:36 btn-mailfilter-v3 MailScanner[32577]: writing to /var/spool/MailScanner/quarantine/20161123/uANNO06T008551/message: No such file or directory
Nov 23 23:59:41 btn-mailfilter-v3 MailScanner[32635]: Clamd::INFECTED:: Sanesecurity.Foxhole.JS_Zip_1.UNOFFICIAL :: ./uANNO06T008551/receipt_staton.zip
Nov 23 23:59:41 btn-mailfilter-v3 MailScanner[32635]: Infected message uANNO06T008551 came from 186.54.46.177
Nov 23 23:59:46 btn-mailfilter-v3 MailScanner[32678]: Clamd::INFECTED::Sanesecurity.Foxhole.JS_Zip_1.UNOFFICIAL :: ./uANNO06T008551/
Nov 23 23:59:46 btn-mailfilter-v3 MailScanner[32678]: Clamd::INFECTED:: Sanesecurity.Foxhole.JS_Zip_1.UNOFFICIAL :: ./uANNO06T008551/receipt_staton.zip
Nov 23 23:59:46 btn-mailfilter-v3 MailScanner[32678]: Infected message uANNO06T008551 came from 186.54.46.177
Nov 23 23:59:46 btn-mailfilter-v3 MailScanner[32678]: Saved entire message to /var/spool/MailScanner/quarantine/20161123/uANNO06T008551
Nov 23 23:59:46 btn-mailfilter-v3 MailScanner[32678]: writing to /var/spool/MailScanner/quarantine/20161123/uANNO06T008551/message: No such file or directory
Nov 23 23:59:51 btn-mailfilter-v3 MailScanner[32736]: Clamd::INFECTED:: Sanesecurity.Foxhole.JS_Zip_1.UNOFFICIAL :: ./uANNO06T008551/receipt_staton.zip
Nov 23 23:59:51 btn-mailfilter-v3 MailScanner[32736]: Infected message uANNO06T008551 came from 186.54.46.177

This just goes on and on and from what I can tell MailScanner cannot process the email to my quarantine directory. Permissions are fine – since all emails prior to this were quarantined. The fix seems to be me removing the /var/spool/MailScanner/quarantine/20161123 folder altogether and letting mailscanner create it again.

When I remove the directory and restart mailscanner, everything works fine again and the emails get sent to their respective folders that were in my queue. I assume mailscanner tries to read this directory and runs out of memory or something, since it has grown so large? I only ever get this problem when the directory is at a certain size, otherwise I never see any problems with mailscanner.

Does anyone think this is a mailscanner problem, or something else? I’m wondering how to test this, maybe put some very large files in that directory and see how mailscanner copes? Or I could just put all the files in one of the large folders into today’s folder and see what happens, possibly run a –lint with the –D switch?

Thanks,
Rich
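
Added example (not part of the original thread and not MailScanner code): a sketch that detects the symptom visible in the maillog quoted above, where the same message ID is re-scanned by successive MailScanner children while the quarantine write fails. The function name, the `min_rescans` threshold and the control message in the sample are assumptions.

```python
import re
from collections import defaultdict

# Excerpt of the maillog lines quoted in the post; the last two lines
# (message uANNO1AB000001 from 192.0.2.10) are constructed as a healthy control.
SAMPLE_LOG = """\
Nov 23 23:59:26 btn-mailfilter-v3 MailScanner[32475]: Infected message uANNO06T008551 came from 186.54.46.177
Nov 23 23:59:36 btn-mailfilter-v3 MailScanner[32577]: Infected message uANNO06T008551 came from 186.54.46.177
Nov 23 23:59:36 btn-mailfilter-v3 MailScanner[32577]: Saved entire message to /var/spool/MailScanner/quarantine/20161123/uANNO06T008551
Nov 23 23:59:36 btn-mailfilter-v3 MailScanner[32577]: writing to /var/spool/MailScanner/quarantine/20161123/uANNO06T008551/message: No such file or directory
Nov 23 23:59:46 btn-mailfilter-v3 MailScanner[32678]: Infected message uANNO06T008551 came from 186.54.46.177
Nov 23 23:59:46 btn-mailfilter-v3 MailScanner[32678]: writing to /var/spool/MailScanner/quarantine/20161123/uANNO06T008551/message: No such file or directory
Nov 23 23:59:50 btn-mailfilter-v3 MailScanner[32700]: Infected message uANNO1AB000001 came from 192.0.2.10
Nov 23 23:59:50 btn-mailfilter-v3 MailScanner[32700]: Saved entire message to /var/spool/MailScanner/quarantine/20161123/uANNO1AB000001
"""

PREFIX = r"MailScanner\[(?P<pid>\d+)\]: "
INFECTED = re.compile(PREFIX + r"Infected message (?P<id>\S+) came from (?P<ip>\S+)")
WRITE_FAIL = re.compile(PREFIX + r"writing to (?P<dir>\S+)/(?P<id>[^/\s]+)/message: "
                        r"No such file or directory")

def find_quarantine_loops(log_text, min_rescans=3):
    """Return messages re-scanned by >= min_rescans distinct MailScanner
    children that also logged a failed quarantine write."""
    pids = defaultdict(set)       # message id -> child PIDs that scanned it
    sources = {}                  # message id -> sending IP
    failures = defaultdict(list)  # message id -> quarantine dirs that failed
    for line in log_text.splitlines():
        if m := INFECTED.search(line):
            pids[m["id"]].add(m["pid"])
            sources[m["id"]] = m["ip"]
        elif m := WRITE_FAIL.search(line):
            failures[m["id"]].append(m["dir"])
    return [
        {"id": mid, "source": sources.get(mid), "rescans": len(pids[mid]),
         "failed_writes": len(dirs), "quarantine_dir": dirs[0]}
        for mid, dirs in failures.items() if len(pids[mid]) >= min_rescans
    ]

if __name__ == "__main__":
    for hit in find_quarantine_loops(SAMPLE_LOG):
        print(hit)
```

Run against the live maillog, each hit names the stuck message and the dated quarantine directory whose writes are failing, which is the directory to inspect before the incoming queue backs up.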

