Alert "Problem Messages" is spamming me every hour, > delete Processing.db did not help

info at schroeffu.ch
Tue May 21 12:25:20 UTC 2019


Hi Mark, Hi MailScanner Friends,

I didn't have time to react earlier, sorry. I just checked it again now (it is still spamming me every
hour ^_°).

> You don't need 'strings'. 'MailScanner --processing' will show it to you
> too.

Thanks, at the moment "MailScanner --processing" is still displaying the bad message:

--
#MailScanner --processing
Archive:

Number of messages: 1
Tries  Message            Last Tried
=====  =======            ==========
6      11A003C0065.AC53F  Fri May 10 08:56:07 2019
--

> It comes from the Processing.db. The question is why is it reappearing
> there? I think it must be coming from the MTA or maybe a MailScanner
> queue. What's in /var/spool/MailScanner/nnnn where nnnn is the PID of
> the running MailScanner, or if you are using the MailScanner Milter
> option what's in your milterin and milterout queues?

I am still using the ^HOLD queue mode, no milter in use. The folder /var/spool/MailScanner/nnnn does not contain the PID; in my case the PID is in /var/run/MailScanner.pid, but it only contains the PID number:

/var/run# cat MailScanner.pid
211918

> What does 'grep 11A003C0065 /var/log/mail.log' (or wherever your mail
> logs are) show?

The already rotated log shows the following lines when searching for the message ID
11A003C0065:

root at vmlxmail1:/tmp/search-maillog2# grep -R 11A003C0065 *
May 10 08:29:33 vmlxmail1 postfix/smtpd[148698]: 11A003C0065:
client=mail-dm3nam05hn0245.outbound.protection.outlook.com[104.47.49.245]
May 10 08:29:33 vmlxmail1 postfix/cleanup[146570]: 11A003C0065: hold: header Received: from
NAM05-DM3-obe.outbound.protection.outlook.com (mail-dm3nam05hn0245.outbound.protection.outlook.com
[104.47.49.245])??by mail.ourdomain.de (Postfix) with ESMTPS id 11A003C0065??for from
mail-dm3nam05hn0245.outbound.protection.outlook.com[104.47.49.245];
from=<sadie.smith at live.longwood.edu> to=<recipient at ourdomain.de> proto=ESMTP
helo=<NAM05-DM3-obe.outbound.protection.outlook.com>
May 10 08:29:33 vmlxmail1 postfix/cleanup[146570]: 11A003C0065:
message-id=<36868ABC6C2FD54E67E1B8F6945AFB1A8E4318BD at WORLDST0I6DPJ59>
May 10 08:29:33 vmlxmail1 opendkim[1514]: 11A003C0065:
mail-dm3nam05hn0245.outbound.protection.outlook.com [104.47.49.245] not internal
May 10 08:29:33 vmlxmail1 opendkim[1514]: 11A003C0065: not authenticated
May 10 08:29:37 vmlxmail1 MailScanner[149988]: Infected message 11A003C0065.AC53F.message » MIME »
S2BOB3ITMHJ.html came from
May 10 08:29:37 vmlxmail1 MailScanner[149988]: Infected message 11A003C0065.AC53F came from
104.47.49.245
May 10 08:29:37 vmlxmail1 MailScanner[149988]: Infected message 11A003C0065.AC53F.message came from
May 10 08:31:38 vmlxmail1 MailScanner[150510]: Making attempt 2 at processing message
11A003C0065.AC53F
May 10 08:31:41 vmlxmail1 MailScanner[150510]: Infected message 11A003C0065.AC53F came from
104.47.49.245
May 10 08:31:41 vmlxmail1 MailScanner[150510]: Infected message 11A003C0065.AC53F.message came from
May 10 08:31:41 vmlxmail1 MailScanner[150510]: Infected message 11A003C0065.AC53F.message » MIME »
S2BOB3ITMHJ.html came from
May 10 08:35:59 vmlxmail1 MailScanner[150083]: Making attempt 3 at processing message
11A003C0065.AC53F
May 10 08:36:02 vmlxmail1 MailScanner[150083]: Infected message 11A003C0065.AC53F.message came from
May 10 08:36:02 vmlxmail1 MailScanner[150083]: Infected message 11A003C0065.AC53F came from
104.47.49.245
May 10 08:36:02 vmlxmail1 MailScanner[150083]: Infected message 11A003C0065.AC53F.message » MIME »
S2BOB3ITMHJ.html came from
May 10 08:41:26 vmlxmail1 MailScanner[151456]: Making attempt 4 at processing message
11A003C0065.AC53F
May 10 08:41:29 vmlxmail1 MailScanner[151456]: Infected message 11A003C0065.AC53F came from
104.47.49.245
May 10 08:41:29 vmlxmail1 MailScanner[151456]: Infected message 11A003C0065.AC53F.message came from
May 10 08:41:29 vmlxmail1 MailScanner[151456]: Infected message 11A003C0065.AC53F.message » MIME »
S2BOB3ITMHJ.html came from
May 10 08:47:24 vmlxmail1 MailScanner[150241]: Making attempt 5 at processing message
11A003C0065.AC53F
May 10 08:47:27 vmlxmail1 MailScanner[150241]: Infected message 11A003C0065.AC53F.message came from
May 10 08:47:27 vmlxmail1 MailScanner[150241]: Infected message 11A003C0065.AC53F came from
104.47.49.245
May 10 08:47:27 vmlxmail1 MailScanner[150241]: Infected message 11A003C0065.AC53F.message » MIME »
S2BOB3ITMHJ.html came from
May 10 08:51:38 vmlxmail1 MailScanner[153430]: Making attempt 6 at processing message
11A003C0065.AC53F
May 10 08:51:41 vmlxmail1 MailScanner[153430]: Infected message 11A003C0065.AC53F.message came from
May 10 08:51:41 vmlxmail1 MailScanner[153430]: Infected message 11A003C0065.AC53F came from
104.47.49.245
May 10 08:51:41 vmlxmail1 MailScanner[153430]: Infected message 11A003C0065.AC53F.message » MIME »
S2BOB3ITMHJ.html came from
May 10 08:51:43 vmlxmail1 MailScanner[152425]: Warning: skipping message 11A003C0065.AC53F as it
has been attempted too many times
May 10 08:51:43 vmlxmail1 MailScanner[152425]: Quarantined message 11A003C0065.AC53F as it caused
MailScanner to crash several times
May 10 08:51:43 vmlxmail1 MailScanner[152425]: Saved entire message to
/var/spool/MailScanner/quarantine/20190510/11A003C0065.AC53F
May 10 08:51:43 vmlxmail1 MailScanner[152425]: MailWatch: Logging message 11A003C0065.AC53F to SQL
May 10 08:51:43 vmlxmail1 MailScanner[150628]: MailWatch: 11A003C0065.AC53F: Logged to MailWatch
SQL

And attempt 6 with some more information (virus scanning, restart of the MailScanner process):

May 10 08:51:38 vmlxmail1 MailScanner[153430]: Making attempt 6 at processing message
11A003C0065.AC53F
May 10 08:51:38 vmlxmail1 MailScanner[153430]: New Batch: Scanning 1 messages, 7155 bytes
May 10 08:51:38 vmlxmail1 MailScanner[153430]: Virus and Content Scanning: Starting
May 10 08:51:38 vmlxmail1 MailScanner[153430]: Cannot lock
/var/spool/MailScanner/incoming/Locks/esetsBusy.lock, No such file or directory
May 10 08:51:41 vmlxmail1 MailScanner[153430]: Esets::INFECTED::JS/Redirector.NEE trojan
May 10 08:51:41 vmlxmail1 MailScanner[153430]: message repeated 2 times: [
Esets::INFECTED::JS/Redirector.NEE trojan]
May 10 08:51:41 vmlxmail1 MailScanner[153430]: Virus Scanning: esets found 3 infections
May 10 08:51:41 vmlxmail1 MailScanner[153430]: Infected message 11A003C0065.AC53F.message came from
May 10 08:51:41 vmlxmail1 MailScanner[153430]: Infected message 11A003C0065.AC53F came from
104.47.49.245
May 10 08:51:41 vmlxmail1 MailScanner[153430]: Infected message 11A003C0065.AC53F.message » MIME »
S2BOB3ITMHJ.html came from
May 10 08:51:41 vmlxmail1 MailScanner[153430]: Virus Scanning: Found 3 viruses
May 10 08:51:41 vmlxmail1 MailScanner[154174]: MailScanner Email Processor version 5.1.3
starting...
May 10 08:51:41 vmlxmail1 MailScanner[154174]: Reading configuration file
/etc/MailScanner/MailScanner.conf
May 10 08:51:41 vmlxmail1 MailScanner[154174]: Reading configuration file
/etc/MailScanner/conf.d/README
May 10 08:51:41 vmlxmail1 MailScanner[154174]: Read 1500 hostnames from the phishing whitelist
May 10 08:51:41 vmlxmail1 MailScanner[154174]: Read 16624 hostnames from the phishing blacklists
May 10 08:51:41 vmlxmail1 MailScanner[154174]: Config: calling custom init function SQLWhitelist
May 10 08:51:41 vmlxmail1 MailScanner[154174]: MailWatch: Starting up MailWatch SQL Whitelist
May 10 08:51:41 vmlxmail1 MailScanner[154174]: MailWatch: Read 32 whitelist entries
May 10 08:51:41 vmlxmail1 MailScanner[154174]: Config: calling custom init function
MailWatchLogging
May 10 08:51:41 vmlxmail1 MailScanner[154174]: MailWatch: Started MailWatch SQL Logging child
May 10 08:51:41 vmlxmail1 MailScanner[154174]: Using SpamAssassin results cache
May 10 08:51:41 vmlxmail1 MailScanner[154174]: Connected to SpamAssassin cache database
May 10 08:51:41 vmlxmail1 MailScanner[154174]: Enabling SpamAssassin auto-whitelist
functionality...
May 10 08:51:43 vmlxmail1 MailScanner[152425]: Warning: skipping message 11A003C0065.AC53F as it
has been attempted too many times
May 10 08:51:43 vmlxmail1 MailScanner[152425]: Quarantined message 11A003C0065.AC53F as it caused
MailScanner to crash several times
May 10 08:51:43 vmlxmail1 MailScanner[152425]: Saved entire message to
/var/spool/MailScanner/quarantine/20190510/11A003C0065.AC53F
May 10 08:51:43 vmlxmail1 MailScanner[152425]: New Batch: Scanning 1 messages, 7155 bytes

So I already deleted the whole folder /var/spool/MailScanner/quarantine/20190510/ with its contents.
In the MailWatch WebUI I can see the logged message headers, but, as expected, no
11A003C0065.AC53F/message folder or files (because they were deleted).

I also mysqldump'ed the MailWatch DB and grep'ed it for what is written about 11A003C0065; I think
only the logged headers of this queued message are in there.

With the "mailq" command, the Postfix queue shows me only real queued messages; the message ID 11A003C0065 isn't displayed in the Postfix queue.

I am still searching /var/spool/ for anything that could be telling MailScanner at start
that this message is in the --processing queue. No luck so far :-(

Many Regards
Schroeffu
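
Added example, not part of the original post and not MailScanner code: a small Python triage script that reduces a grep dump like the one above to a per-message retry timeline plus the last line each retrying child logged. The sample lines are condensed from the post with wrapped lines rejoined; the function and field names are hypothetical, and it assumes one message per retrying child (as in "New Batch: Scanning 1 messages").

```python
import re
from collections import defaultdict

# Sample input: log lines condensed from the post (wrapped lines rejoined).
SAMPLE = """\
May 10 08:47:24 vmlxmail1 MailScanner[150241]: Making attempt 5 at processing message 11A003C0065.AC53F
May 10 08:51:38 vmlxmail1 MailScanner[153430]: Making attempt 6 at processing message 11A003C0065.AC53F
May 10 08:51:38 vmlxmail1 MailScanner[153430]: Cannot lock /var/spool/MailScanner/incoming/Locks/esetsBusy.lock, No such file or directory
May 10 08:51:41 vmlxmail1 MailScanner[153430]: Virus Scanning: Found 3 viruses
May 10 08:51:41 vmlxmail1 MailScanner[154174]: MailScanner Email Processor version 5.1.3 starting...
May 10 08:51:43 vmlxmail1 MailScanner[152425]: Warning: skipping message 11A003C0065.AC53F as it has been attempted too many times
May 10 08:51:43 vmlxmail1 MailScanner[152425]: Quarantined message 11A003C0065.AC53F as it caused MailScanner to crash several times
""".splitlines()

LINE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ MailScanner\[(\d+)\]: (.*)$")
ATTEMPT = re.compile(r"Making attempt (\d+) at processing message (\S+)")
SKIPPED = re.compile(r"skipping message (\S+) as it has been attempted too many times")
QUARANTINED = re.compile(r"Quarantined message (\S+) as it caused MailScanner to crash")

def summarize(lines):
    """Return {message_id: {"attempts", "last_line", "skipped", "quarantined"}}."""
    report = defaultdict(lambda: {"attempts": [], "last_line": {}, "skipped": False, "quarantined": False})
    pid_msg = {}  # child PID -> message it is retrying (assumes one message per child)
    for raw in lines:
        m = LINE.match(raw)
        if not m:
            continue
        stamp, pid, text = m.groups()
        if a := ATTEMPT.search(text):
            n, msg = int(a.group(1)), a.group(2)
            pid_msg[pid] = msg
            report[msg]["attempts"].append((n, stamp, pid))
        elif s := SKIPPED.search(text):
            report[s.group(1)]["skipped"] = True
        elif q := QUARANTINED.search(text):
            report[q.group(1)]["quarantined"] = True
        if pid in pid_msg:
            # Remember the last thing each retrying child logged: if the child
            # died, this is the closest the log gets to the point of failure.
            report[pid_msg[pid]]["last_line"][pid] = text
    return dict(report)

if __name__ == "__main__":
    for msg, info in summarize(SAMPLE).items():
        print(msg, "attempts:", [n for n, _, _ in info["attempts"]],
              "skipped:", info["skipped"], "quarantined:", info["quarantined"])
        for pid, text in info["last_line"].items():
            print(f"  last line from child {pid}: {text}")
```

Feed it the unwrapped mail log (for example the lines of the rotated file) instead of SAMPLE to get the same summary for every message that was retried.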

