All Emails tagged as {VIRUS}

Sebastiano Dante Alighieri salighie at gmail.com
Mon Apr 8 20:11:52 UTC 2019


It would appear that increasing
*Virus Scanner Timeout = 600* (up from 300)

in MailScanner.conf fixed it for me... at least for now.

Now, mail is being virus-scanned and delivered successfully without any
misleading subject tags, albeit at a seemingly slow rate (here's an excerpt
from the maillog showing the processing times of two email messages):

Apr 8 14:45:12 MyHost MailScanner[185871]: Virus and Content Scanning: Starting
Apr 8 14:47:44 MyHost MailScanner[185871]: Virus Scanning completed at 911 bytes per second
Apr 8 14:51:41 MyHost MailScanner[185871]: Virus Processing completed at 299259 bytes per second

Apr 8 14:46:35 MyHost MailScanner[182275]: Virus and Content Scanning: Starting
Apr 8 14:49:05 MyHost MailScanner[182275]: Virus Scanning completed at 322 bytes per second
Apr 8 14:49:10 MyHost MailScanner[182275]: Virus Processing completed at 131233 bytes per second


Process [185871] took a little over 6 minutes to complete at a rate of
299259 bytes/sec.
Process [182275] took a little over 3 minutes to complete at a rate of 131233
bytes/sec.

If we take process 185871 scanning at 299 kbytes/sec taking a little over 6
minutes to complete - one might think, at that rate, that a message of
100MB+ was scanned - but it's nowhere near that.

Maybe it's I/O related... but I'm using a 256MB RAMDISK as the v-scanner's
temp directory; here is the line from my fstab:
*tmpfs /var/spool/MailScanner/incoming tmpfs rw,size=256M 0 0*

Other thoughts:
I don't get why the timeout has to be so high. Is the clamav wrapper method
really that slow - is it a startup problem that would go away if I install
and integrate with the clamd.socket (I know members have said this is
preferable, just want to understand all aspects and why) - or is there
something else going awry?

Or

Why is a virus scan timeout automatically treated as a virus / denial of
service attack - it seems to me that it should be configurable with
something like this:
Virus Scanner Timeout Action = [detect|deliver|drop|etc]

Thanks all for the support.

Best regards
Sebastiano

On Sat, Apr 6, 2019 at 9:49 AM yuwang <yuwang at cs.fsu.edu> wrote:

> "Could not read file /usr/share/MailScanner/reports/en/stored.fi [2]
> >> at /usr/share/MailScanner/perl/MailScanner/Config.pm line 2856.
> >>
> >> Error in line 1422, file
> >> "/usr/share/MailScanner/reports/en/stored.fi [2] them." for
> >> storedfilenamemessage does not exist (or can not be read) at
> >> /usr/share/MailScanner/perl/MailScanner/Config.pm line 3058."
>
> The file should be
> "/usr/share/MailScanner/reports/en/stored.filename.message.txt"
>
> Your error message says /usr/share/MailScanner/reports/en/stored.fi
>
> What is the output of command:
>
>   grep 'stored.fi' /usr/share/MailScanner/perl/MailScanner/ConfigDefs.pl
> and
>   ls -l /usr/share/MailScanner/reports/en/stored.filename.message.txt
>
> James
>
>
> On 2019-04-06 04:19, Sebastiano Dante Alighieri wrote:
> > After I upgraded to the latest version, I get no mail; MailScanner
> > crashes continuously
> >
> >> APR  6 04:12:23  MYHOST  MAILSCANNER[10890]: MAILSCANNER EMAIL
> >> PROCESSOR VERSION 5.1.3 STARTING...
> >>
> >> Apr  6 04:12:23  MyHost  MailScanner[10890]: Reading configuration
> >> file /etc/MailScanner/MailScanner.conf
> >>
> >> Apr  6 04:12:23  MyHost  MailScanner[10890]: Reading configuration
> >> file /etc/MailScanner/conf.d/README
> >>
> >> APR  6 04:12:23  MYHOST  MAILSCANNER[10890]: COULD NOT READ FILE
> >> THEM.
> >>
> >> APR  6 04:12:23  MYHOST  MAILSCANNER[10890]: ERROR IN LINE 1422,
> >> FILE "/USR/SHARE/MAILSCANNER/REPORTS/EN/STORED.FI [1] THEM." FOR
> >> STOREDFILENAMEMESSAGE DOES NOT EXIST (OR CAN NOT BE READ)
> >>
> >> Apr  6 04:12:24  MyHost  MailScanner[10890]: Read 1500 hostnames
> >> from the phishing whitelist
> >>
> >> Apr  6 04:12:24  MyHost  MailScanner[10890]: Read 16624 hostnames
> >> from the phishing blacklists
> >>
> >> Apr  6 04:12:24  MyHost  MailScanner[10890]: Using SpamAssassin
> >> results cache
> >>
> >> Apr  6 04:12:24  MyHost  MailScanner[10890]: Connected to
> >> SpamAssassin cache database
> >>
> >> Apr  6 04:12:25  MyHost  MailScanner[10890]: Enabling SpamAssassin
> >> auto-whitelist functionality...
> >>
> >> Apr  6 04:12:27  MyHost  MailScanner[10885]: Auto: Found virus
> >> scanners: clamav
> >>
> >> Apr  6 04:12:27  MyHost  MailScanner[10885]: Connected to Processing
> >> Attempts Database
> >>
> >> Apr  6 04:12:27  MyHost  MailScanner[10885]: Found 1 messages in the
> >> Processing Attempts Database
> >>
> >> Apr  6 04:12:27  MyHost  MailScanner[10885]: Using locktype = flock
> >>
> >> APR  6 04:12:28  MYHOST  MAILSCANNER[10920]: MAILSCANNER EMAIL
> >> PROCESSOR VERSION 5.1.3 STARTING...
> >>
> >> Apr  6 04:12:28  MyHost  MailScanner[10920]: Reading configuration
> >> file /etc/MailScanner/MailScanner.conf
> >>
> >> Apr  6 04:12:28  MyHost  MailScanner[10920]: Reading configuration
> >> file /etc/MailScanner/conf.d/README
> >>
> >> Apr  6 04:12:28  MyHost  MailScanner[10920]: Could not read file
> >> them.
> >>
> >> APR  6 04:12:28  MYHOST  MAILSCANNER[10920]: ERROR IN LINE 1422,
> >> FILE "/USR/SHARE/MAILSCANNER/REPORTS/EN/STORED.FI [1] THEM." FOR
> >> STOREDFILENAMEMESSAGE DOES NOT EXIST (OR CAN NOT BE READ)
> >
> > This goes on while there's a message to be processed in the db, until
> > it detects too many crashes and quarantines the message.
> >
> > when a new message comes in, it starts all over again.
> >
> > MAILSCANNER LINT OUTPUT
> >
> >> Could not read file /usr/share/MailScanner/reports/en/stored.fi [2]
> >> at /usr/share/MailScanner/perl/MailScanner/Config.pm line 2856.
> >>
> >> Error in line 1422, file
> >> "/usr/share/MailScanner/reports/en/stored.fi [2] them." for
> >> storedfilenamemessage does not exist (or can not be read) at
> >> /usr/share/MailScanner/perl/MailScanner/Config.pm line 3058.
> >
> > On Fri, Apr 5, 2019 at 8:31 PM yuwang <yuwang at cs.fsu.edu> wrote:
> >
> >> My guess is clamav update issue. What happens when you 'Mailscanner
> >> Lint'? Use strace to attach to clam process, use lsof to see open files,
> >> and turn on debug mode on clam might help too.
> >>
> >> James
> >>
> >> On 2019-04-05 19:03, Sebastiano Dante Alighieri wrote:
> >>> Hi,
> >>>
> >>> In the past couple of days my email is all coming in with the subject
> >>> line tagged as {VIRUS}. This is true for all mail, but of course
> >>> there's no virus involved.
> >>>
> >>> Mailscanner v5.0.7
> >>> ClamAV v0.100.0
> >>>
> >>>> ClamAV update process started at Fri Apr  5 18:41:07 2019
> >>>>
> >>>> WARNING: Your ClamAV installation is OUTDATED!
> >>>>
> >>>> WARNING: Local version: 0.100.0 Recommended version: 0.101.2
> >>>>
> >>>> DON'T PANIC! Read https://www.clamav.net/documents/upgrading-clamav
> >>>>
> >>>> main.cvd is up to date (version: 58, sigs: 4566249, f-level: 60,
> >>>> builder: sigmgr)
> >>>>
> >>>> daily.cld is up to date (version: 25410, sigs: 1552552, f-level: 63,
> >>>> builder: raynman)
> >>>>
> >>>> bytecode.cld is up to date (version: 328, sigs: 94, f-level: 63,
> >>>> builder: neo)
> >>>
> >>> A review of /var/log/maillog suggests that there's a problem with
> >>> ClamAV
> >>>
> >>>> Apr  5 18:31:22 myhost MailScanner[7448]: Virus and Content
> >>>> Scanning: Starting
> >>>>
> >>>> Apr  5 18:34:23 myhost MailScanner[7448]: AV ENGINE CLAMAV TIMED OUT
> >>>>
> >>>> Apr  5 18:34:23 myhost MailScanner[7448]: CLAMAV: FAILED TO
> >>>> COMPLETE, TIMED OUT
> >>>>
> >>>> Apr  5 18:34:23 myhost MailScanner[7448]: VIRUS SCANNING: DENIAL OF
> >>>> SERVICE ATTACK DETECTED!
> >>>
> >>> I've tried to observe what is happening on the system while mail is
> >>> being scanned, and what I can surmise is that clamscan is timing out
> >>> (uses 100% CPU).
> >>>
> >>> Any pointers would be greatly appreciated. I have not been able to
> >>> find anything online.
> >>>
> >>> I'll try upgrading to the latest and greatest MailScanner in the
> >>> meantime.
> >>>
> >>> Thanks
> >>> Salighie
> >
> >
> > Links:
> > ------
> > [1] http://stored.fi
> > [2] http://stored.fi/
>
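
The timing question raised in this thread can be checked directly from the maillog. The following is an added example, not part of the original messages or of MailScanner: it measures, per MailScanner PID, the seconds from "Virus and Content Scanning: Starting" to each later event and compares scan time against the Virus Scanner Timeout. The sample is constructed from the log lines quoted above; `scan_report`, `warn_ratio` and the year are assumptions of the example.

```python
import re
from datetime import datetime

# syslog prefix: "Apr 8 14:45:12 host MailScanner[pid]: message"
LINE = re.compile(r"^(\w{3}\s+\d+\s+[\d:]{8})\s+\S+\s+MailScanner\[(\d+)\]:\s+(.*)$")

# Constructed sample: log lines quoted in the thread, unwrapped and merged in time order.
SAMPLE = """\
Apr  5 18:31:22 myhost MailScanner[7448]: Virus and Content Scanning: Starting
Apr  5 18:34:23 myhost MailScanner[7448]: AV ENGINE CLAMAV TIMED OUT
Apr  5 18:34:23 myhost MailScanner[7448]: CLAMAV: FAILED TO COMPLETE, TIMED OUT
Apr 8 14:45:12 MyHost MailScanner[185871]: Virus and Content Scanning: Starting
Apr 8 14:46:35 MyHost MailScanner[182275]: Virus and Content Scanning: Starting
Apr 8 14:47:44 MyHost MailScanner[185871]: Virus Scanning completed at 911 bytes per second
Apr 8 14:49:05 MyHost MailScanner[182275]: Virus Scanning completed at 322 bytes per second
Apr 8 14:49:10 MyHost MailScanner[182275]: Virus Processing completed at 131233 bytes per second
Apr 8 14:51:41 MyHost MailScanner[185871]: Virus Processing completed at 299259 bytes per second
"""

def scan_report(log_text, timeout=600, warn_ratio=0.5, year=2019):
    """Per-PID seconds from the scan start line to each later event.
    timeout mirrors 'Virus Scanner Timeout'; warn_ratio and year are
    assumptions of this example (syslog lines carry no year)."""
    started, report = {}, {}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        pid, msg = m.group(2), m.group(3).lower()
        if msg.startswith("virus and content scanning: starting"):
            started[pid] = ts
            report[pid] = {"scan_s": None, "total_s": None, "timed_out": False}
            continue
        if pid not in started:
            continue  # event without a visible start line
        elapsed = int((ts - started[pid]).total_seconds())
        if "timed out" in msg:
            report[pid].update(scan_s=elapsed, timed_out=True)
        elif msg.startswith("virus scanning completed"):
            report[pid]["scan_s"] = elapsed
        elif msg.startswith("virus processing completed"):
            report[pid]["total_s"] = elapsed
    for entry in report.values():
        scan = entry["scan_s"]
        entry["near_timeout"] = (not entry["timed_out"] and scan is not None
                                 and scan >= warn_ratio * timeout)
    return report
```

Running `scan_report` over a full maillog with the configured timeout shows which batches are close to being tagged, before the timeout is actually hit.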