All Emails tagged as {VIRUS}

Yu Wang yuwang at cs.fsu.edu
Wed Apr 10 13:47:14 UTC 2019


Mine runs less than 2 seconds but 8 seconds is not too bad. It could be that you have a slower machine. Clamav seems to be the pita. What MTA do you run, Postfix?

 

 

From: Sebastiano Dante Alighieri <salighie at gmail.com> 
Sent: Tuesday, April 9, 2019 1:41 PM
To: Yu Wang <yuwang at cs.fsu.edu>
Cc: MailScanner Discussion <mailscanner at lists.mailscanner.info>
Subject: Re: All Emails tagged as {VIRUS}

 

spamassassin processing time:

 

real    0m7.930s

user    0m7.607s

sys     0m0.309s

 

delete the duplicate db

 

looking into spamassassin error: seems Geo::IP and Net::Patricia are not installed

I'll try to install them now

 

On Tue, Apr 9, 2019 at 11:51 AM Yu Wang <yuwang at cs.fsu.edu> wrote:

Your spamassassin reported one error. You may want to check and fix it.

 

My MailScanner --lint runs in 2.3 seconds, yours ran 160 seconds.

 

How long does it take to run this one:

 

time spamassassin -D --lint

 

You also have duplicated clamav databases. See below in red font color.

 

James

 

From: Sebastiano Dante Alighieri <salighie at gmail.com>
Sent: Monday, April 8, 2019 4:41 PM
To: Yu Wang <yuwang at cs.fsu.edu>
Cc: MailScanner Discussion <mailscanner at lists.mailscanner.info>
Subject: Re: All Emails tagged as {VIRUS}

 

[root at MyHost ~]# time MailScanner --lint

Trying to setlogsock(unix)

 

Reading configuration file /etc/MailScanner/MailScanner.conf

Reading configuration file /etc/MailScanner/conf.d/README

Read 868 hostnames from the phishing whitelist

Read 5807 hostnames from the phishing blacklists

 

Checking version numbers...

Version number in MailScanner.conf (5.1.3) is correct.

 

Your setting "Mail Header" contains illegal characters.

This is most likely caused by your "%org-name%" setting

which must not contain any spaces, "." or "_" characters

as these are known to cause problems with many mail systems.

 

MailScanner setting GID to  (1002)

MailScanner setting UID to  (89)

 

Checking for SpamAssassin errors (if you use it)...

Using SpamAssassin results cache

Connected to SpamAssassin cache database

config: Strange rule token: 1.9

config: Strange rule token: 1.9

config: Strange rule token: 1.9

config: Strange rule token: 1.9

config: Strange rule token: 1.9

config: Strange rule token: 0.9

config: Strange rule token: 0.6

config: Strange rule token: 1.2

config: Strange rule token: -1.0

config: Strange rule token: 0.6

config: Strange rule token: 0.5

config: Strange rule token: 1.5

config: Strange rule token: 0.6

config: Strange rule token: 1.2

config: Strange rule token: 1.9

config: Strange rule token: 1.9

config: Strange rule token: 1.9

config: Strange rule token: 1.9

config: Strange rule token: 1.9

config: Strange rule token: 1.2

config: Strange rule token: 0.6

config: Strange rule token: 0.5

config: Strange rule token: 0.6

config: Strange rule token: 0.8

config: Strange rule token: 1.3

config: Strange rule token: 0.9

config: Strange rule token: 0.5

config: Strange rule token: 0.6

config: Strange rule token: 2.9

config: Strange rule token: 2.9

config: Strange rule token: 0.9

config: Strange rule token: 0.6

config: Strange rule token: 1.9

config: Strange rule token: 1.9

config: Strange rule token: 1.9

config: Strange rule token: 1.9

config: Strange rule token: 1.9

config: Strange rule token: 1.5

config: Strange rule token: 1.5

config: Strange rule token: 1.5

config: Strange rule token: 0.3

config: Strange rule token: 0.3

config: Strange rule token: 0.3

SpamAssassin reported an error.

Auto: Found virus scanners: clamav

Connected to Processing Attempts Database

Created Processing Attempts Database successfully

There are 0 messages in the Processing Attempts Database

Using locktype = posix

MailScanner.conf says "Virus Scanners = auto"

Found these virus scanners installed: clamav

===========================================================================

Filename Checks: Windows/DOS Executable (1 eicar.com)

Filetype Checks: Allowing 1 eicar.com

Other Checks: Found 1 problems

Virus and Content Scanning: Starting

LibClamAV Warning: Detected duplicate databases /var/lib/clamav/bytecode.cvd and /var/lib/clamav/bytecode.cld, please manually remove one of them

1.message: Eicar-Test-Signature FOUND

 

./1/eicar.com: Eicar-Test-Signature FOUND

 

Virus Scanning: ClamAV found 2 infections

Infected message 1 came from 10.1.1.1

Virus Scanning: Found 2 viruses

===========================================================================

Virus Scanner test reports:

ClamAV said "eicar.com contains Eicar-Test-Signature"

 

If any of your virus scanners (clamav)

are not listed there, you should check that they are installed correctly

and that MailScanner is finding them correctly via its virus.scanners.conf.

 

real    2m41.113s

user    2m36.969s

sys     0m3.452s

 

 

On Mon, Apr 8, 2019 at 4:32 PM yuwang <yuwang at cs.fsu.edu> wrote:

What's the runtime for 'time Mailscanner --lint'?

If you can, try Mark's suggestion and use clamd. I first used clamav and 
had performance issues, changed to clamd and everything has been fast 
since.

James

On 2019-04-08 16:11, Sebastiano Dante Alighieri wrote:
> it would appear that increasing
> 
> Virus Scanner Timeout = 600 (up from 300)
> 
> in MailScanner.conf, fixed it for me... at least for now.
> 
> Now, mail is being virus-scanned and delivered successfully without
> any misleading subject tags; Albeit at a seemingly slow rate (here's
> an excerpt from the maillog showing the processing times of two email
> messages)
> 
> Apr 8 14:45:12 MyHost MailScanner[185871]: Virus and Content Scanning:
> Starting
> 
> Apr 8 14:47:44 MyHost MailScanner[185871]: Virus Scanning completed at
> 911 bytes per second
> Apr 8 14:51:41 MyHost MailScanner[185871]: Virus Processing completed
> at 299259 bytes per second
> 
> Apr 8 14:46:35 MyHost MailScanner[182275]: Virus and Content Scanning:
> Starting
> Apr 8 14:49:05 MyHost MailScanner[182275]: Virus Scanning completed at
> 322 bytes per second
> 
> Apr 8 14:49:10 MyHost MailScanner[182275]: Virus Processing completed
> at 131233 bytes per second
> 
> process [185871] took a little over 6 minutes to complete at a rate of
> 299259 bytes/sec
> process [182275] took a little over 3 minutes to complete at a rate of
> 131233 bytes/sec
> 
> If we take process 185871 scanning at 299 kbytes/sec taking a little
> over 6 minutes to complete - one might think at that rate, that a
> message of 100MB+ was scanned - but it's nowhere near that.
> 
> maybe it's I/O related... but I'm using a 256MB RAMDISK as the
> v-scanner's temp directory, here is the line from my fstab
> tmpfs /var/spool/MailScanner/incoming tmpfs rw,size=256M 0 0
> 
> other thoughts
> 
> I don't get why the timeout has to be so high, is clamav wrapper
> method really that slow - is it a startup problem that would go away
> if I install and integrate with the clamd.socket (I know members have
> said this is preferable, just want to understand all aspects and why)
> or is there something else going awry?
> 
> Or
> 
> Why is a virus scan timeout automatically treated as a virus / denial
> of service attack - it seems to me that it should be configurable with
> something like this
> Virus Scanner Timeout Action = [detect|deliver|drop|etc]
> 
> thanks all for the support.
> 
> Best regards
> Sebastiano
> 
> On Sat, Apr 6, 2019 at 9:49 AM yuwang <yuwang at cs.fsu.edu> wrote:
> 
>> "Could not read file /usr/share/MailScanner/reports/en/stored.fi
>>>> at /usr/share/MailScanner/perl/MailScanner/Config.pm line 2856.
>>>> 
>>>> Error in line 1422, file
>>>> "/usr/share/MailScanner/reports/en/stored.fi them." for
>>>> storedfilenamemessage does not exist (or can not be read) at
>>>> /usr/share/MailScanner/perl/MailScanner/Config.pm line 3058."
>> 
>> The file should be
>> "/usr/share/MailScanner/reports/en/stored.filename.message.txt"
>> 
>> Your error message says /usr/share/MailScanner/reports/en/stored.fi
>> 
>> What is the output of command:
>> 
>> grep 'stored.fi' /usr/share/MailScanner/perl/MailScanner/ConfigDefs.pl
>> and
>> ls -l /usr/share/MailScanner/reports/en/stored.filename.message.txt
>> 
>> James
>> 
>> On 2019-04-06 04:19, Sebastiano Dante Alighieri wrote:
>>> After I upgraded to the latest version, I get no mail; MailScanner
>>> Crashes continuously
>>> 
>>>> APR  6 04:12:23  MYHOST  MAILSCANNER[10890]: MAILSCANNER EMAIL
>>>> PROCESSOR VERSION 5.1.3 STARTING...
>>>> 
>>>> Apr  6 04:12:23  MyHost  MailScanner[10890]: Reading
>> configuration
>>>> file /etc/MailScanner/MailScanner.conf
>>>> 
>>>> Apr  6 04:12:23  MyHost  MailScanner[10890]: Reading
>> configuration
>>>> file /etc/MailScanner/conf.d/README
>>>> 
>>>> APR  6 04:12:23  MYHOST  MAILSCANNER[10890]: COULD NOT READ FILE
>>>> THEM.
>>>> 
>>>> APR  6 04:12:23  MYHOST  MAILSCANNER[10890]: ERROR IN LINE 1422,
>>>> FILE "/USR/SHARE/MAILSCANNER/REPORTS/EN/STORED.FI THEM."
>> FOR
>>>> STOREDFILENAMEMESSAGE DOES NOT EXIST (OR CAN NOT BE READ)
>>>> 
>>>> Apr  6 04:12:24  MyHost  MailScanner[10890]: Read 1500 hostnames
>>>> from the phishing whitelist
>>>> 
>>>> Apr  6 04:12:24  MyHost  MailScanner[10890]: Read 16624 hostnames
>>>> from the phishing blacklists
>>>> 
>>>> Apr  6 04:12:24  MyHost  MailScanner[10890]: Using SpamAssassin
>>>> results cache
>>>> 
>>>> Apr  6 04:12:24  MyHost  MailScanner[10890]: Connected to
>>>> SpamAssassin cache database
>>>> 
>>>> Apr  6 04:12:25  MyHost  MailScanner[10890]: Enabling
>> SpamAssassin
>>>> auto-whitelist functionality...
>>>> 
>>>> Apr  6 04:12:27  MyHost  MailScanner[10885]: Auto: Found virus
>>>> scanners: clamav
>>>> 
>>>> Apr  6 04:12:27  MyHost  MailScanner[10885]: Connected to
>> Processing
>>>> Attempts Database
>>>> 
>>>> Apr  6 04:12:27  MyHost  MailScanner[10885]: Found 1 messages in
>> the
>>>> Processing Attempts Database
>>>> 
>>>> Apr  6 04:12:27  MyHost  MailScanner[10885]: Using locktype =
>> flock
>>>> 
>>>> APR  6 04:12:28  MYHOST  MAILSCANNER[10920]: MAILSCANNER EMAIL
>>>> PROCESSOR VERSION 5.1.3 STARTING...
>>>> 
>>>> Apr  6 04:12:28  MyHost  MailScanner[10920]: Reading
>> configuration
>>>> file /etc/MailScanner/MailScanner.conf
>>>> 
>>>> Apr  6 04:12:28  MyHost  MailScanner[10920]: Reading
>> configuration
>>>> file /etc/MailScanner/conf.d/README
>>>> 
>>>> Apr  6 04:12:28  MyHost  MailScanner[10920]: Could not read file
>>>> them.
>>>> 
>>>> APR  6 04:12:28  MYHOST  MAILSCANNER[10920]: ERROR IN LINE 1422,
>>>> FILE "/USR/SHARE/MAILSCANNER/REPORTS/EN/STORED.FI THEM."
>> FOR
>>>> STOREDFILENAMEMESSAGE DOES NOT EXIST (OR CAN NOT BE READ)
>>> 
>>> This goes on while there's a message to be processed in the db,
>> until
>>> it detects too many crashes and quarantines the message.
>>> 
>>> when a new message comes in, it starts all over again.
>>> 
>>> MAILSCANNER LINT OUTPUT
>>> 
>>>> Could not read file /usr/share/MailScanner/reports/en/stored.fi
>>>> at /usr/share/MailScanner/perl/MailScanner/Config.pm line 2856.
>>>> 
>>>> Error in line 1422, file
>>>> "/usr/share/MailScanner/reports/en/stored.fi them." for
>>>> storedfilenamemessage does not exist (or can not be read) at
>>>> /usr/share/MailScanner/perl/MailScanner/Config.pm line 3058.
>>> 
>>> On Fri, Apr 5, 2019 at 8:31 PM yuwang <yuwang at cs.fsu.edu> wrote:
>>> 
>>>> My guess is clamav update issue. What happens when you
>> 'Mailscanner
>>>> Lint'? use strace to attach to clam process, use lsof to see open
>>>> files,
>>>> and turn on debug mode on clam might help too.
>>>> 
>>>> James
>>>> 
>>>> On 2019-04-05 19:03, Sebastiano Dante Alighieri wrote:
>>>>> Hi,
>>>>> 
>>>>> In the past couple of days my email is all coming in with the
>>>> subject
>>>>> line tagged as {VIRUS}. This is true for all mail, but of course
>>>>> there's no virus involved.
>>>>> 
>>>>> Mailscanner v5.0.7
>>>>> ClamAV v0.100.0
>>>>> 
>>>>>> ClamAV update process started at Fri Apr  5 18:41:07 2019
>>>>>> 
>>>>>> WARNING: Your ClamAV installation is OUTDATED!
>>>>>> 
>>>>>> WARNING: Local version: 0.100.0 Recommended version: 0.101.2
>>>>>> 
>>>>>> DON'T PANIC! Read
>>>> https://www.clamav.net/documents/upgrading-clamav
>>>>>> 
>>>>>> main.cvd is up to date (version: 58, sigs: 4566249, f-level:
>> 60,
>>>>>> builder: sigmgr)
>>>>>> 
>>>>>> daily.cld is up to date (version: 25410, sigs: 1552552,
>> f-level:
>>>> 63,
>>>>>> builder: raynman)
>>>>>> 
>>>>>> bytecode.cld is up to date (version: 328, sigs: 94, f-level:
>> 63,
>>>>>> builder: neo)
>>>>> 
>>>>> A review of /var/log/maillog suggests that there's a problem
>> with
>>>>> ClamAV
>>>>> 
>>>>>> Apr  5 18:31:22 myhost MailScanner[7448]: Virus and Content
>>>>>> Scanning: Starting
>>>>>> 
>>>>>> Apr  5 18:34:23 myhost MailScanner[7448]: AV ENGINE CLAMAV
>> TIMED
>>>> OUT
>>>>>> 
>>>>>> Apr  5 18:34:23 myhost MailScanner[7448]: CLAMAV: FAILED TO
>>>>>> COMPLETE, TIMED OUT
>>>>>> 
>>>>>> Apr  5 18:34:23 myhost MailScanner[7448]: VIRUS SCANNING:
>> DENIAL
>>>> OF
>>>>>> SERVICE ATTACK DETECTED!
>>>>> 
>>>>> I've tried to observe what is happening on the system, while
>> mail
>>>> is
>>>>> being scanned and what I can surmise is that clamscan is
>>>> timing-out
>>>>> (uses 100% CPU)
>>>>> 
>>>>> any pointers would be greatly appreciated. I have not been able
>> to
>>>>> find anything online.
>>>>> 
>>>>> I'll try upgrading to the latest and greatest MailScanner in the
>>>> mean
>>>>> time.
>>>>> 
>>>>> thanks
>>>>> Salighie
>>> 
>>> 
> 
> 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.mailscanner.info/pipermail/mailscanner/attachments/20190410/68815b4c/attachment.html>
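
Added example (not part of the original thread and not MailScanner's own code): a small Python script that pairs each "Virus and Content Scanning: Starting" line with the matching "Virus Scanning completed" or "timed out" line for the same MailScanner PID, so the real wall-clock time of each ClamAV scan can be compared with the Virus Scanner Timeout setting. The sample lines are re-joined from the wrapped excerpts quoted in the thread; the year and the 60-second `slow_after` threshold are assumptions, and scans that span a year boundary are not handled.

```python
import re
from datetime import datetime

# Sample maillog lines, re-joined from the wrapped excerpts quoted in this thread.
SAMPLE_LOG = """\
Apr  5 18:31:22 myhost MailScanner[7448]: Virus and Content Scanning: Starting
Apr  5 18:34:23 myhost MailScanner[7448]: AV ENGINE CLAMAV TIMED OUT
Apr  8 14:45:12 MyHost MailScanner[185871]: Virus and Content Scanning: Starting
Apr  8 14:46:35 MyHost MailScanner[182275]: Virus and Content Scanning: Starting
Apr  8 14:47:44 MyHost MailScanner[185871]: Virus Scanning completed at 911 bytes per second
Apr  8 14:49:05 MyHost MailScanner[182275]: Virus Scanning completed at 322 bytes per second
"""

LINE = re.compile(r"^(\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+MailScanner\[(\d+)\]:\s+(.*)$")
START = re.compile(r"Virus and Content Scanning: Starting", re.I)
DONE = re.compile(r"Virus Scanning completed at (\d+) bytes per second", re.I)
TIMEOUT = re.compile(r"AV engine \S+ timed out", re.I)  # the thread shows it upper-cased

def scan_durations(log_text, year=2019, slow_after=60):
    """Return one record per finished scan: (pid, seconds, outcome, bytes_per_sec)."""
    started = {}   # pid -> datetime of its most recent "Starting" line
    records = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # not a MailScanner syslog line
        stamp, pid, msg = m.group(1), int(m.group(2)), m.group(3)
        when = datetime.strptime(f"{year} {' '.join(stamp.split())}", "%Y %b %d %H:%M:%S")
        if START.search(msg):
            started[pid] = when
            continue
        done, timed_out = DONE.search(msg), TIMEOUT.search(msg)
        if pid in started and (done or timed_out):
            secs = int((when - started.pop(pid)).total_seconds())
            if timed_out:
                outcome, rate = "timeout", None
            else:
                outcome = "slow" if secs >= slow_after else "ok"
                rate = int(done.group(1))
            records.append((pid, secs, outcome, rate))
    return records

if __name__ == "__main__":
    for pid, secs, outcome, rate in scan_durations(SAMPLE_LOG):
        print(f"pid={pid} scan_seconds={secs} outcome={outcome} bytes_per_sec={rate}")
```

Run against a real maillog, a cluster of `slow` or `timeout` records across unrelated messages points at the scanner setup rather than at message content.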

