All Emails tagged as {VIRUS}

Sebastiano Dante Alighieri salighie at gmail.com
Wed Apr 10 13:58:17 UTC 2019


yes, postfix.


On Wed, Apr 10, 2019 at 9:47 AM Yu Wang <yuwang at cs.fsu.edu> wrote:

> Mine runs less than 2 seconds but 8 seconds is not too bad. It could be
> that you have a slower machine. Clamav seems to be the pita. What MTA do
> you run, Postfix?
>
>
>
>
>
> *From:* Sebastiano Dante Alighieri <salighie at gmail.com>
> *Sent:* Tuesday, April 9, 2019 1:41 PM
> *To:* Yu Wang <yuwang at cs.fsu.edu>
> *Cc:* MailScanner Discussion <mailscanner at lists.mailscanner.info>
> *Subject:* Re: All Emails tagged as {VIRUS}
>
>
>
> spamassassin processing time:
>
>
>
> real    0m7.930s
>
> user    0m7.607s
>
> sys     0m0.309s
>
>
>
> delete the duplicate db
>
>
>
> looking into spamassassin error: seems Geo::IP and Net::Patricia are not
> installed
>
> I'll try to install them now
>
>
>
> On Tue, Apr 9, 2019 at 11:51 AM Yu Wang <yuwang at cs.fsu.edu> wrote:
>
> Your spamassassin reported one error. You may want to check and fix it.
>
>
>
> My MailScanner --lint runs in 2.3 seconds, yours ran 160 seconds.
>
>
>
> How long does it take to run this one:
>
>
>
> time spamassassin -D --lint
>
>
>
> You also have duplicated clamav databases. See below in red font color.
>
>
>
> James
>
>
>
> *From:* Sebastiano Dante Alighieri <salighie at gmail.com>
> *Sent:* Monday, April 8, 2019 4:41 PM
> *To:* Yu Wang <yuwang at cs.fsu.edu>
> *Cc:* MailScanner Discussion <mailscanner at lists.mailscanner.info>
> *Subject:* Re: All Emails tagged as {VIRUS}
>
>
>
> [root at MyHost ~]# time MailScanner --lint
>
> Trying to setlogsock(unix)
>
>
>
> Reading configuration file /etc/MailScanner/MailScanner.conf
>
> Reading configuration file /etc/MailScanner/conf.d/README
>
> Read 868 hostnames from the phishing whitelist
>
> Read 5807 hostnames from the phishing blacklists
>
>
>
> Checking version numbers...
>
> Version number in MailScanner.conf (5.1.3) is correct.
>
>
>
> Your setting "Mail Header" contains illegal characters.
>
> This is most likely caused by your "%org-name%" setting
>
> which must not contain any spaces, "." or "_" characters
>
> as these are known to cause problems with many mail systems.
>
>
>
> MailScanner setting GID to  (1002)
>
> MailScanner setting UID to  (89)
>
>
>
> Checking for SpamAssassin errors (if you use it)...
>
> Using SpamAssassin results cache
>
> Connected to SpamAssassin cache database
>
> config: Strange rule token: 1.9
>
> config: Strange rule token: 1.9
>
> config: Strange rule token: 1.9
>
> config: Strange rule token: 1.9
>
> config: Strange rule token: 1.9
>
> config: Strange rule token: 0.9
>
> config: Strange rule token: 0.6
>
> config: Strange rule token: 1.2
>
> config: Strange rule token: -1.0
>
> config: Strange rule token: 0.6
>
> config: Strange rule token: 0.5
>
> config: Strange rule token: 1.5
>
> config: Strange rule token: 0.6
>
> config: Strange rule token: 1.2
>
> config: Strange rule token: 1.9
>
> config: Strange rule token: 1.9
>
> config: Strange rule token: 1.9
>
> config: Strange rule token: 1.9
>
> config: Strange rule token: 1.9
>
> config: Strange rule token: 1.2
>
> config: Strange rule token: 0.6
>
> config: Strange rule token: 0.5
>
> config: Strange rule token: 0.6
>
> config: Strange rule token: 0.8
>
> config: Strange rule token: 1.3
>
> config: Strange rule token: 0.9
>
> config: Strange rule token: 0.5
>
> config: Strange rule token: 0.6
>
> config: Strange rule token: 2.9
>
> config: Strange rule token: 2.9
>
> config: Strange rule token: 0.9
>
> config: Strange rule token: 0.6
>
> config: Strange rule token: 1.9
>
> config: Strange rule token: 1.9
>
> config: Strange rule token: 1.9
>
> config: Strange rule token: 1.9
>
> config: Strange rule token: 1.9
>
> config: Strange rule token: 1.5
>
> config: Strange rule token: 1.5
>
> config: Strange rule token: 1.5
>
> config: Strange rule token: 0.3
>
> config: Strange rule token: 0.3
>
> config: Strange rule token: 0.3
>
> SpamAssassin reported an error.
>
> Auto: Found virus scanners: clamav
>
> Connected to Processing Attempts Database
>
> Created Processing Attempts Database successfully
>
> There are 0 messages in the Processing Attempts Database
>
> Using locktype = posix
>
> MailScanner.conf says "Virus Scanners = auto"
>
> Found these virus scanners installed: clamav
>
> ===========================================================================
>
> Filename Checks: Windows/DOS Executable (1 eicar.com)
>
> Filetype Checks: Allowing 1 eicar.com
>
> Other Checks: Found 1 problems
>
> Virus and Content Scanning: Starting
>
> LibClamAV Warning: Detected duplicate databases
> /var/lib/clamav/bytecode.cvd and /var/lib/clamav/bytecode.cld, please
> manually remove one of them
>
> 1.message: Eicar-Test-Signature FOUND
>
>
>
> ./1/eicar.com: Eicar-Test-Signature FOUND
>
>
>
> Virus Scanning: ClamAV found 2 infections
>
> Infected message 1 came from 10.1.1.1
>
> Virus Scanning: Found 2 viruses
>
> ===========================================================================
>
> Virus Scanner test reports:
>
> ClamAV said "eicar.com contains Eicar-Test-Signature"
>
>
>
> If any of your virus scanners (clamav)
>
> are not listed there, you should check that they are installed correctly
>
> and that MailScanner is finding them correctly via its virus.scanners.conf.
>
>
>
> real    2m41.113s
>
> user    2m36.969s
>
> sys     0m3.452s
>
>
>
>
>
> On Mon, Apr 8, 2019 at 4:32 PM yuwang <yuwang at cs.fsu.edu> wrote:
>
> What's the runtime for 'time Mailscanner --lint'?
>
> If you can, try Mark's suggestion and use clamd. I first used clamav and
> had performance issues, changed to clamd and everything has been fast
> since.
>
> James
>
> On 2019-04-08 16:11, Sebastiano Dante Alighieri wrote:
> > it would appear that increasing
> >
> > Virus Scanner Timeout = 600 (up from 300)
> >
> > in MailScanner.conf, fixed it for me... at least for now.
> >
> > Now, mail is being virus-scanned and delivered successfully without
> > any misleading subject tags, albeit at a seemingly slow rate (here's
> > an excerpt from the maillog showing the processing times of two email
> > messages)
> >
> > Apr 8 14:45:12 MyHost MailScanner[185871]: Virus and Content Scanning: Starting
> > Apr 8 14:47:44 MyHost MailScanner[185871]: Virus Scanning completed at 911 bytes per second
> > Apr 8 14:51:41 MyHost MailScanner[185871]: Virus Processing completed at 299259 bytes per second
> >
> > Apr 8 14:46:35 MyHost MailScanner[182275]: Virus and Content Scanning: Starting
> > Apr 8 14:49:05 MyHost MailScanner[182275]: Virus Scanning completed at 322 bytes per second
> > Apr 8 14:49:10 MyHost MailScanner[182275]: Virus Processing completed at 131233 bytes per second
> >
> > process [185871] took a little over 6 minutes to complete at a rate of
> > 299259 bytes/sec
> > process [182275] took a little over 3 minutes to complete at a rate of
> > 131233 bytes/sec
> >
> > If we take process 185871 scanning at 299 kbytes/sec taking a little
> > over 6 minutes to complete - one might think at that rate, that a
> > message of 100MB+ was scanned - but it's nowhere near that.
> >
> > maybe it's I/O related... but I'm using a 256MB RAMDISK as the
> > v-scanner's temp directory, here is the line from my fstab
> > tmpfs /var/spool/MailScanner/incoming tmpfs rw,size=256M 0 0
> >
> > other thoughts
> >
> > I don't get why the timeout has to be so high, is clamav wrapper
> > method really that slow - is it a startup problem that would go away
> > if I install and integrate with the clamd.socket (I know members have
> > said this is preferable, just want to understand all aspects and why)
> > or is there something else going awry?
> >
> > Or
> >
> > Why is a virus scan timeout automatically treated as a virus / denial
> > of service attack - it seems to me that it should be configurable with
> > something like this
> > Virus Scanner Timeout Action = [detect|deliver|drop|etc]
> >
> > thanks all for the support.
> >
> > Best regards
> > Sebastiano
> >
> > On Sat, Apr 6, 2019 at 9:49 AM yuwang <yuwang at cs.fsu.edu> wrote:
> >
> >> "Could not read file /usr/share/MailScanner/reports/en/stored.fi [1]
> >> [2]
> >>>> at /usr/share/MailScanner/perl/MailScanner/Config.pm line 2856.
> >>>>
> >>>> Error in line 1422, file
> >>>> "/usr/share/MailScanner/reports/en/stored.fi [1] [2] them." for
> >>>> storedfilenamemessage does not exist (or can not be read) at
> >>>> /usr/share/MailScanner/perl/MailScanner/Config.pm line 3058."
> >>
> >> The file should be
> >> "/usr/share/MailScanner/reports/en/stored.filename.message.txt"
> >>
> >> Your error message says /usr/share/MailScanner/reports/en/stored.fi
> >> [1]
> >>
> >> What is the output of command:
> >>
> >> grep 'stored.fi [1]'
> >> /usr/share/MailScanner/perl/MailScanner/ConfigDefs.pl
> >> and
> >> ls -l
> >> /usr/share/MailScanner/reports/en/stored.filename.message.txt
> >>
> >> James
> >>
> >> On 2019-04-06 04:19, Sebastiano Dante Alighieri wrote:
> >>> After I upgraded to the latest version, I get no mail; MailScanner
> >>> crashes continuously
> >>>
> >>>> APR  6 04:12:23  MYHOST  MAILSCANNER[10890]: MAILSCANNER EMAIL PROCESSOR VERSION 5.1.3 STARTING...
> >>>> Apr  6 04:12:23  MyHost  MailScanner[10890]: Reading configuration file /etc/MailScanner/MailScanner.conf
> >>>> Apr  6 04:12:23  MyHost  MailScanner[10890]: Reading configuration file /etc/MailScanner/conf.d/README
> >>>> APR  6 04:12:23  MYHOST  MAILSCANNER[10890]: COULD NOT READ FILE THEM.
> >>>> APR  6 04:12:23  MYHOST  MAILSCANNER[10890]: ERROR IN LINE 1422, FILE "/USR/SHARE/MAILSCANNER/REPORTS/EN/STORED.FI [2] [1] THEM." FOR STOREDFILENAMEMESSAGE DOES NOT EXIST (OR CAN NOT BE READ)
> >>>> Apr  6 04:12:24  MyHost  MailScanner[10890]: Read 1500 hostnames from the phishing whitelist
> >>>> Apr  6 04:12:24  MyHost  MailScanner[10890]: Read 16624 hostnames from the phishing blacklists
> >>>> Apr  6 04:12:24  MyHost  MailScanner[10890]: Using SpamAssassin results cache
> >>>> Apr  6 04:12:24  MyHost  MailScanner[10890]: Connected to SpamAssassin cache database
> >>>> Apr  6 04:12:25  MyHost  MailScanner[10890]: Enabling SpamAssassin auto-whitelist functionality...
> >>>> Apr  6 04:12:27  MyHost  MailScanner[10885]: Auto: Found virus scanners: clamav
> >>>> Apr  6 04:12:27  MyHost  MailScanner[10885]: Connected to Processing Attempts Database
> >>>> Apr  6 04:12:27  MyHost  MailScanner[10885]: Found 1 messages in the Processing Attempts Database
> >>>> Apr  6 04:12:27  MyHost  MailScanner[10885]: Using locktype = flock
> >>>> APR  6 04:12:28  MYHOST  MAILSCANNER[10920]: MAILSCANNER EMAIL PROCESSOR VERSION 5.1.3 STARTING...
> >>>> Apr  6 04:12:28  MyHost  MailScanner[10920]: Reading configuration file /etc/MailScanner/MailScanner.conf
> >>>> Apr  6 04:12:28  MyHost  MailScanner[10920]: Reading configuration file /etc/MailScanner/conf.d/README
> >>>> Apr  6 04:12:28  MyHost  MailScanner[10920]: Could not read file them.
> >>>> APR  6 04:12:28  MYHOST  MAILSCANNER[10920]: ERROR IN LINE 1422, FILE "/USR/SHARE/MAILSCANNER/REPORTS/EN/STORED.FI [2] [1] THEM." FOR STOREDFILENAMEMESSAGE DOES NOT EXIST (OR CAN NOT BE READ)
> >>>
> >>> This goes on while there's a message to be processed in the db, until
> >>> it detects too many crashes and quarantines the message.
> >>>
> >>> when a new message comes in, it starts all over again.
> >>>
> >>> MAILSCANNER LINT OUTPUT
> >>>
> >>>> Could not read file /usr/share/MailScanner/reports/en/stored.fi [1] [2]
> >>>> at /usr/share/MailScanner/perl/MailScanner/Config.pm line 2856.
> >>>>
> >>>> Error in line 1422, file
> >>>> "/usr/share/MailScanner/reports/en/stored.fi [1] [2] them." for
> >>>> storedfilenamemessage does not exist (or can not be read) at
> >>>> /usr/share/MailScanner/perl/MailScanner/Config.pm line 3058.
> >>>
> >>> On Fri, Apr 5, 2019 at 8:31 PM yuwang <yuwang at cs.fsu.edu> wrote:
> >>>
> >>>> My guess is clamav update issue. What happens when you 'Mailscanner
> >>>> Lint'? use strace to attach to clam process, use lsof to see open
> >>>> files, and turn on debug mode on clam might help too.
> >>>>
> >>>> James
> >>>>
> >>>> On 2019-04-05 19:03, Sebastiano Dante Alighieri wrote:
> >>>>> Hi,
> >>>>>
> >>>>> In the past couple of days my email is all coming in with the subject
> >>>>> line tagged as {VIRUS}. This is true for all mail, but of course
> >>>>> there's no virus involved.
> >>>>>
> >>>>> Mailscanner v5.0.7
> >>>>> ClamAV v0.100.0
> >>>>>
> >>>>>> ClamAV update process started at Fri Apr  5 18:41:07 2019
> >>>>>> WARNING: Your ClamAV installation is OUTDATED!
> >>>>>> WARNING: Local version: 0.100.0 Recommended version: 0.101.2
> >>>>>> DON'T PANIC! Read https://www.clamav.net/documents/upgrading-clamav
> >>>>>> main.cvd is up to date (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)
> >>>>>> daily.cld is up to date (version: 25410, sigs: 1552552, f-level: 63, builder: raynman)
> >>>>>> bytecode.cld is up to date (version: 328, sigs: 94, f-level: 63, builder: neo)
> >>>>>
> >>>>> A review of /var/log/maillog suggests that there's a problem with
> >>>>> ClamAV
> >>>>>
> >>>>>> Apr  5 18:31:22 myhost MailScanner[7448]: Virus and Content Scanning: Starting
> >>>>>> Apr  5 18:34:23 myhost MailScanner[7448]: AV ENGINE CLAMAV TIMED OUT
> >>>>>> Apr  5 18:34:23 myhost MailScanner[7448]: CLAMAV: FAILED TO COMPLETE, TIMED OUT
> >>>>>> Apr  5 18:34:23 myhost MailScanner[7448]: VIRUS SCANNING: DENIAL OF SERVICE ATTACK DETECTED!
> >>>>>
> >>>>> I've tried to observe what is happening on the system, while mail is
> >>>>> being scanned and what I can surmise is that clamscan is timing out
> >>>>> (uses 100% CPU)
> >>>>>
> >>>>> any pointers would be greatly appreciated. I have not been able to
> >>>>> find anything online.
> >>>>>
> >>>>> I'll try upgrading to the latest and greatest MailScanner in the
> >>>>> meantime.
> >>>>>
> >>>>> thanks
> >>>>> Salighie
> >>>
> >>>
> >>> Links:
> >>> ------
> >>> [1] http://stored.fi
> >>> [2] http://stored.fi/
> >
> >
> > Links:
> > ------
> > [1] http://stored.fi
> > [2] http://STORED.FI
>
>
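
An added example, not part of the original thread: a Python sketch that pairs each "Virus and Content Scanning: Starting" entry with the matching completion or timeout entry per MailScanner PID, so scan times creeping toward the Virus Scanner Timeout value show up before mail starts being tagged. The log lines are copied from the excerpts quoted above; the function name, the warn_ratio threshold and the assumed year are illustrative choices, not MailScanner settings.

```python
import re
from datetime import datetime

# Log lines copied from the excerpts quoted in the thread (upper-case as archived).
SAMPLE_LOG = """\
Apr  5 18:31:22 myhost MailScanner[7448]: Virus and Content Scanning: Starting
Apr  5 18:34:23 myhost MailScanner[7448]: AV ENGINE CLAMAV TIMED OUT
Apr  5 18:34:23 myhost MailScanner[7448]: CLAMAV: FAILED TO COMPLETE, TIMED OUT
Apr  5 18:34:23 myhost MailScanner[7448]: VIRUS SCANNING: DENIAL OF SERVICE ATTACK DETECTED!
Apr 8 14:45:12 MyHost MailScanner[185871]: Virus and Content Scanning: Starting
Apr 8 14:46:35 MyHost MailScanner[182275]: Virus and Content Scanning: Starting
Apr 8 14:47:44 MyHost MailScanner[185871]: Virus Scanning completed at 911 bytes per second
Apr 8 14:49:05 MyHost MailScanner[182275]: Virus Scanning completed at 322 bytes per second
"""

LINE_RE = re.compile(
    r"^(\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+MailScanner\[(\d+)\]:\s+(.*)$", re.I)

def scan_batches(log_text, timeout=300, warn_ratio=0.5, year=2019):
    """Pair each scan start with its completion or timeout, per MailScanner PID.

    timeout    -- the configured Virus Scanner Timeout, in seconds
    warn_ratio -- assumed threshold: flag scans that use this share of the timeout
    year       -- syslog timestamps carry no year, so one is assumed
    """
    started, results = {}, []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        pid, msg = m.group(2), m.group(3).lower()
        if msg.startswith("virus and content scanning: starting"):
            started[pid] = ts
        elif pid in started and ("timed out" in msg
                                 or msg.startswith("virus scanning completed")):
            secs = int((ts - started.pop(pid)).total_seconds())
            if "timed out" in msg:
                status = "TIMEOUT"   # the event that precedes the {VIRUS} tagging
            elif secs >= timeout * warn_ratio:
                status = "SLOW"      # completed, but used a large share of the limit
            else:
                status = "OK"
            results.append({"pid": pid, "seconds": secs, "status": status})
    return results

if __name__ == "__main__":
    for rec in scan_batches(SAMPLE_LOG, timeout=300):
        print(rec)
```

Run against the real /var/log/maillog with the timeout value from MailScanner.conf; only the first timeout line per batch is counted, so the repeated "TIMED OUT" entries do not produce duplicate records.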