All Emails tagged as {VIRUS}

Sebastiano Dante Alighieri salighie at gmail.com
Mon Apr 8 20:40:36 UTC 2019


[root@MyHost ~]# time MailScanner --lint
Trying to setlogsock(unix)

Reading configuration file /etc/MailScanner/MailScanner.conf
Reading configuration file /etc/MailScanner/conf.d/README
Read 868 hostnames from the phishing whitelist
Read 5807 hostnames from the phishing blacklists

Checking version numbers...
Version number in MailScanner.conf (5.1.3) is correct.

Your setting "Mail Header" contains illegal characters.
This is most likely caused by your "%org-name%" setting
which must not contain any spaces, "." or "_" characters
as these are known to cause problems with many mail systems.

MailScanner setting GID to  (1002)
MailScanner setting UID to  (89)

Checking for SpamAssassin errors (if you use it)...
Using SpamAssassin results cache
Connected to SpamAssassin cache database
config: Strange rule token: 1.9
config: Strange rule token: 1.9
config: Strange rule token: 1.9
config: Strange rule token: 1.9
config: Strange rule token: 1.9
config: Strange rule token: 0.9
config: Strange rule token: 0.6
config: Strange rule token: 1.2
config: Strange rule token: -1.0
config: Strange rule token: 0.6
config: Strange rule token: 0.5
config: Strange rule token: 1.5
config: Strange rule token: 0.6
config: Strange rule token: 1.2
config: Strange rule token: 1.9
config: Strange rule token: 1.9
config: Strange rule token: 1.9
config: Strange rule token: 1.9
config: Strange rule token: 1.9
config: Strange rule token: 1.2
config: Strange rule token: 0.6
config: Strange rule token: 0.5
config: Strange rule token: 0.6
config: Strange rule token: 0.8
config: Strange rule token: 1.3
config: Strange rule token: 0.9
config: Strange rule token: 0.5
config: Strange rule token: 0.6
config: Strange rule token: 2.9
config: Strange rule token: 2.9
config: Strange rule token: 0.9
config: Strange rule token: 0.6
config: Strange rule token: 1.9
config: Strange rule token: 1.9
config: Strange rule token: 1.9
config: Strange rule token: 1.9
config: Strange rule token: 1.9
config: Strange rule token: 1.5
config: Strange rule token: 1.5
config: Strange rule token: 1.5
config: Strange rule token: 0.3
config: Strange rule token: 0.3
config: Strange rule token: 0.3
SpamAssassin reported an error.
Auto: Found virus scanners: clamav
Connected to Processing Attempts Database
Created Processing Attempts Database successfully
There are 0 messages in the Processing Attempts Database
Using locktype = posix
MailScanner.conf says "Virus Scanners = auto"
Found these virus scanners installed: clamav
===========================================================================
Filename Checks: Windows/DOS Executable (1 eicar.com)
Filetype Checks: Allowing 1 eicar.com
Other Checks: Found 1 problems
Virus and Content Scanning: Starting
LibClamAV Warning: Detected duplicate databases
/var/lib/clamav/bytecode.cvd and /var/lib/clamav/bytecode.cld, please
manually remove one of them
1.message: Eicar-Test-Signature FOUND

./1/eicar.com: Eicar-Test-Signature FOUND

Virus Scanning: ClamAV found 2 infections
Infected message 1 came from 10.1.1.1
Virus Scanning: Found 2 viruses
===========================================================================
Virus Scanner test reports:
ClamAV said "eicar.com contains Eicar-Test-Signature"

If any of your virus scanners (clamav)
are not listed there, you should check that they are installed correctly
and that MailScanner is finding them correctly via its virus.scanners.conf.

real    2m41.113s
user    2m36.969s
sys     0m3.452s


On Mon, Apr 8, 2019 at 4:32 PM yuwang <yuwang at cs.fsu.edu> wrote:

> What's the runtime for 'time MailScanner --lint'?
>
> If you can, try Mark's suggestion and use clamd. I first used clamav and
> had performance issues, changed to clamd and everything has been fast
> since.
>
> James
>
> On 2019-04-08 16:11, Sebastiano Dante Alighieri wrote:
> > It would appear that increasing
> >
> > Virus Scanner Timeout = 600 (up from 300)
> >
> > in MailScanner.conf fixed it for me... at least for now.
> >
> > Now, mail is being virus-scanned and delivered successfully without
> > any misleading subject tags, albeit at a seemingly slow rate (here's
> > an excerpt from the maillog showing the processing times of two email
> > messages)
> >
> > Apr 8 14:45:12 MyHost MailScanner[185871]: Virus and Content Scanning: Starting
> >
> > Apr 8 14:47:44 MyHost MailScanner[185871]: Virus Scanning completed at 911 bytes per second
> > Apr 8 14:51:41 MyHost MailScanner[185871]: Virus Processing completed at 299259 bytes per second
> >
> > Apr 8 14:46:35 MyHost MailScanner[182275]: Virus and Content Scanning: Starting
> > Apr 8 14:49:05 MyHost MailScanner[182275]: Virus Scanning completed at 322 bytes per second
> >
> > Apr 8 14:49:10 MyHost MailScanner[182275]: Virus Processing completed at 131233 bytes per second
> >
> > process [185871] took a little over 6 minutes to complete at a rate of
> > 299259 bytes/sec
> > process [182275] took a little over 3 minutes to complete at a rate of
> > 131233 bytes/sec
> >
> > If we take process 185871 scanning at 299 kbytes/sec taking a little
> > over 6 minutes to complete - one might think at that rate, that a
> > message of 100MB+ was scanned - but it's nowhere near that.
> >
> > Maybe it's I/O related... but I'm using a 256MB RAMDISK as the
> > v-scanner's temp directory, here is the line from my fstab
> > tmpfs /var/spool/MailScanner/incoming tmpfs rw,size=256M 0 0
> >
> > other thoughts
> >
> > I don't get why the timeout has to be so high, is the clamav wrapper
> > method really that slow - is it a startup problem that would go away
> > if I install and integrate with the clamd.socket (I know members have
> > said this is preferable, just want to understand all aspects and why)
> > or is there something else going awry?
> >
> > Or
> >
> > Why is a virus scan timeout automatically treated as a virus / denial
> > of service attack - it seems to me that it should be configurable with
> > something like this
> > Virus Scanner Timeout Action = [detect|deliver|drop|etc]
> >
> > thanks all for the support.
> >
> > Best regards
> > Sebastiano
> >
> > On Sat, Apr 6, 2019 at 9:49 AM yuwang <yuwang at cs.fsu.edu> wrote:
> >
> >> "Could not read file /usr/share/MailScanner/reports/en/stored.fi [1] [2]
> >>>> at /usr/share/MailScanner/perl/MailScanner/Config.pm line 2856.
> >>>>
> >>>> Error in line 1422, file
> >>>> "/usr/share/MailScanner/reports/en/stored.fi [1] [2] them." for
> >>>> storedfilenamemessage does not exist (or can not be read) at
> >>>> /usr/share/MailScanner/perl/MailScanner/Config.pm line 3058."
> >>
> >> The file should be
> >> "/usr/share/MailScanner/reports/en/stored.filename.message.txt"
> >>
> >> Your error message says /usr/share/MailScanner/reports/en/stored.fi [1]
> >>
> >> What is the output of command:
> >>
> >> grep 'stored.fi [1]' /usr/share/MailScanner/perl/MailScanner/ConfigDefs.pl
> >> and
> >> ls -l /usr/share/MailScanner/reports/en/stored.filename.message.txt
> >>
> >> James
> >>
> >> On 2019-04-06 04:19, Sebastiano Dante Alighieri wrote:
> >>> After I upgraded to the latest version, I get no mail; MailScanner
> >>> crashes continuously
> >>>
> >>>> APR  6 04:12:23  MYHOST  MAILSCANNER[10890]: MAILSCANNER EMAIL PROCESSOR VERSION 5.1.3 STARTING...
> >>>>
> >>>> Apr  6 04:12:23  MyHost  MailScanner[10890]: Reading configuration file /etc/MailScanner/MailScanner.conf
> >>>>
> >>>> Apr  6 04:12:23  MyHost  MailScanner[10890]: Reading configuration file /etc/MailScanner/conf.d/README
> >>>>
> >>>> APR  6 04:12:23  MYHOST  MAILSCANNER[10890]: COULD NOT READ FILE THEM.
> >>>>
> >>>> APR  6 04:12:23  MYHOST  MAILSCANNER[10890]: ERROR IN LINE 1422, FILE "/USR/SHARE/MAILSCANNER/REPORTS/EN/STORED.FI [2] [1] THEM." FOR STOREDFILENAMEMESSAGE DOES NOT EXIST (OR CAN NOT BE READ)
> >>>>
> >>>> Apr  6 04:12:24  MyHost  MailScanner[10890]: Read 1500 hostnames from the phishing whitelist
> >>>>
> >>>> Apr  6 04:12:24  MyHost  MailScanner[10890]: Read 16624 hostnames from the phishing blacklists
> >>>>
> >>>> Apr  6 04:12:24  MyHost  MailScanner[10890]: Using SpamAssassin results cache
> >>>>
> >>>> Apr  6 04:12:24  MyHost  MailScanner[10890]: Connected to SpamAssassin cache database
> >>>>
> >>>> Apr  6 04:12:25  MyHost  MailScanner[10890]: Enabling SpamAssassin auto-whitelist functionality...
> >>>>
> >>>> Apr  6 04:12:27  MyHost  MailScanner[10885]: Auto: Found virus scanners: clamav
> >>>>
> >>>> Apr  6 04:12:27  MyHost  MailScanner[10885]: Connected to Processing Attempts Database
> >>>>
> >>>> Apr  6 04:12:27  MyHost  MailScanner[10885]: Found 1 messages in the Processing Attempts Database
> >>>>
> >>>> Apr  6 04:12:27  MyHost  MailScanner[10885]: Using locktype = flock
> >>>>
> >>>> APR  6 04:12:28  MYHOST  MAILSCANNER[10920]: MAILSCANNER EMAIL PROCESSOR VERSION 5.1.3 STARTING...
> >>>>
> >>>> Apr  6 04:12:28  MyHost  MailScanner[10920]: Reading configuration file /etc/MailScanner/MailScanner.conf
> >>>>
> >>>> Apr  6 04:12:28  MyHost  MailScanner[10920]: Reading configuration file /etc/MailScanner/conf.d/README
> >>>>
> >>>> Apr  6 04:12:28  MyHost  MailScanner[10920]: Could not read file them.
> >>>>
> >>>> APR  6 04:12:28  MYHOST  MAILSCANNER[10920]: ERROR IN LINE 1422, FILE "/USR/SHARE/MAILSCANNER/REPORTS/EN/STORED.FI [2] [1] THEM." FOR STOREDFILENAMEMESSAGE DOES NOT EXIST (OR CAN NOT BE READ)
> >>>
> >>> This goes on while there's a message to be processed in the db, until
> >>> it detects too many crashes and quarantines the message.
> >>>
> >>> When a new message comes in, it starts all over again.
> >>>
> >>> MAILSCANNER LINT OUTPUT
> >>>
> >>>> Could not read file /usr/share/MailScanner/reports/en/stored.fi [1] [2]
> >>>> at /usr/share/MailScanner/perl/MailScanner/Config.pm line 2856.
> >>>>
> >>>> Error in line 1422, file
> >>>> "/usr/share/MailScanner/reports/en/stored.fi [1] [2] them." for
> >>>> storedfilenamemessage does not exist (or can not be read) at
> >>>> /usr/share/MailScanner/perl/MailScanner/Config.pm line 3058.
> >>>
> >>> On Fri, Apr 5, 2019 at 8:31 PM yuwang <yuwang at cs.fsu.edu> wrote:
> >>>
> >>>> My guess is clamav update issue. What happens when you 'MailScanner
> >>>> Lint'? Use strace to attach to clam process, use lsof to see open
> >>>> files, and turn on debug mode on clam might help too.
> >>>>
> >>>> James
> >>>>
> >>>> On 2019-04-05 19:03, Sebastiano Dante Alighieri wrote:
> >>>>> Hi,
> >>>>>
> >>>>> In the past couple of days my email is all coming in with the subject
> >>>>> line tagged as {VIRUS}. This is true for all mail, but of course
> >>>>> there's no virus involved.
> >>>>>
> >>>>> Mailscanner v5.0.7
> >>>>> ClamAV v0.100.0
> >>>>>
> >>>>>> ClamAV update process started at Fri Apr  5 18:41:07 2019
> >>>>>>
> >>>>>> WARNING: Your ClamAV installation is OUTDATED!
> >>>>>>
> >>>>>> WARNING: Local version: 0.100.0 Recommended version: 0.101.2
> >>>>>>
> >>>>>> DON'T PANIC! Read https://www.clamav.net/documents/upgrading-clamav
> >>>>>>
> >>>>>> main.cvd is up to date (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)
> >>>>>>
> >>>>>> daily.cld is up to date (version: 25410, sigs: 1552552, f-level: 63, builder: raynman)
> >>>>>>
> >>>>>> bytecode.cld is up to date (version: 328, sigs: 94, f-level: 63, builder: neo)
> >>>>>
> >>>>> A review of /var/log/maillog suggests that there's a problem with
> >>>>> ClamAV
> >>>>>
> >>>>>> Apr  5 18:31:22 myhost MailScanner[7448]: Virus and Content Scanning: Starting
> >>>>>>
> >>>>>> Apr  5 18:34:23 myhost MailScanner[7448]: AV ENGINE CLAMAV TIMED OUT
> >>>>>>
> >>>>>> Apr  5 18:34:23 myhost MailScanner[7448]: CLAMAV: FAILED TO COMPLETE, TIMED OUT
> >>>>>>
> >>>>>> Apr  5 18:34:23 myhost MailScanner[7448]: VIRUS SCANNING: DENIAL OF SERVICE ATTACK DETECTED!
> >>>>>
> >>>>> I've tried to observe what is happening on the system while mail is
> >>>>> being scanned, and what I can surmise is that clamscan is timing out
> >>>>> (uses 100% CPU).
> >>>>>
> >>>>> Any pointers would be greatly appreciated. I have not been able to
> >>>>> find anything online.
> >>>>>
> >>>>> I'll try upgrading to the latest and greatest MailScanner in the
> >>>>> meantime.
> >>>>>
> >>>>> thanks
> >>>>> Salighie
> >>>
> >>>
> >>> Links:
> >>> ------
> >>> [1] http://stored.fi
> >>> [2] http://stored.fi/
> >
> >
> > Links:
> > ------
> > [1] http://stored.fi
> > [2] http://STORED.FI
>
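
Added example (not part of the thread and not MailScanner code): a small maillog parser that pairs each "Virus and Content Scanning: Starting" line with the matching "Virus Scanning completed" or "timed out" line for the same PID, to show how close scans run to the Virus Scanner Timeout discussed above. The sample lines are constructed from the log excerpts quoted in the thread; the function names and the 0.5 warning fraction are assumptions of this example.

```python
import re
from datetime import datetime

# Constructed sample: maillog lines as quoted in the thread, wrapped lines rejoined.
SAMPLE = """\
Apr  5 18:31:22 myhost MailScanner[7448]: Virus and Content Scanning: Starting
Apr  5 18:34:23 myhost MailScanner[7448]: AV ENGINE CLAMAV TIMED OUT
Apr  5 18:34:23 myhost MailScanner[7448]: CLAMAV: FAILED TO COMPLETE, TIMED OUT
Apr  8 14:45:12 MyHost MailScanner[185871]: Virus and Content Scanning: Starting
Apr  8 14:46:35 MyHost MailScanner[182275]: Virus and Content Scanning: Starting
Apr  8 14:47:44 MyHost MailScanner[185871]: Virus Scanning completed at 911 bytes per second
Apr  8 14:49:05 MyHost MailScanner[182275]: Virus Scanning completed at 322 bytes per second
"""

LINE = re.compile(r"^(\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+MailScanner\[(\d+)\]:\s+(.*)$")

def scan_durations(log_text, year=2019):
    """Return [(pid, seconds, outcome)] for each virus-scan batch in the log."""
    started, records = {}, []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        stamp, pid, msg = m.groups()
        # syslog timestamps carry no year, so the caller supplies one
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        msg = msg.lower()  # the archive shows some lines in upper case
        if msg.startswith("virus and content scanning: starting"):
            started[pid] = ts
        elif pid in started and msg.startswith("virus scanning completed"):
            secs = int((ts - started.pop(pid)).total_seconds())
            records.append((pid, secs, "completed"))
        elif pid in started and "timed out" in msg:
            # pop() so the second "timed out" line of the same batch is ignored
            secs = int((ts - started.pop(pid)).total_seconds())
            records.append((pid, secs, "timed_out"))
    return records

def needs_attention(records, timeout, fraction=0.5):
    """Batches that timed out, or that used at least `fraction` of the timeout."""
    return [r for r in records if r[2] == "timed_out" or r[1] >= timeout * fraction]

if __name__ == "__main__":
    recs = scan_durations(SAMPLE)
    for pid, secs, outcome in recs:
        print(f"pid {pid}: {secs}s {outcome}")
    print("at risk with timeout=300:", [r[0] for r in needs_attention(recs, 300)])
```

On the sample, the two completed scans each took about 150 seconds, which is half of a 300-second timeout, so raising the timeout hides the slowness rather than removing it.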