Alert "Problem Messages" is spamming me every hour, > delete Processing.db did not help

Shawn Iverson iversons at rushville.k12.in.us
Tue May 21 13:05:13 UTC 2019


You may need at this point to halt mail flow at the MTA level, kill
MailScanner processes (do not gracefully stop it ... ramdisk sync could
save a copy of the processing.db), and clean up the
/var/spool/MailScanner/incoming directory including deleting the
processing.db in there and any child PID directory trees lingering in there.

Also, before starting MailScanner again, disable the ramdisk sync in
/etc/MailScanner/defaults if enabled.

Turn ramdisk sync back on if it was on originally and you are sure it is
resolved.

On Tue, May 21, 2019, 8:25 AM <info at schroeffu.ch> wrote:

> Hi Mark, Hi MailScanner Friends,
>
> hadn't time to react earlier sorry, now I just checked it again (it is
> still spamming me every
> hour ^_°).
>
> > You don't need 'strings'. 'MailScanner --processing' will show it to you
> > too.
>
> Thanks, at the moment "MailScanner --processing" is still displaying the
> bad message:
>
> --
> #MailScanner --processing
> Archive:
>
> Number of messages: 1
> Tries Message Last Tried
> ===== ======= ==========
> 6 11A003C0065.AC53F Fri May 10 08:56:07 2019
> --
>
> > It comes from the Processing.db. The question is why is it reappearing
> > there? I think it must be coming from the MTA or maybe a MailScanner
> > queue. What's in /var/spool/MailScanner/nnnn where nnnn is the PID of
> > the running MailScanner, or if you are using the MailScanner Milter
> > option what's in your milterin and milterout queues?
>
> I am still using the ^HOLD queue mode, no milter in use. The folder
> /var/spool/MailScanner/nnnn does not contain the PID, in my case the PID is
> in /var/run/MailScanner.pid but it only contains the pid number:
>
> /var/run# cat MailScanner.pid
> 211918
>
> > What does 'grep 11A003C0065 /var/log/mail.log' (or wherever your mail
> > logs are) show?
>
> The already rotated log is saying the following lines when searching for
> the Message ID
> 11A003C0065:
>
> root at vmlxmail1:/tmp/search-maillog2# grep -R 11A003C0065 *
> May 10 08:29:33 vmlxmail1 postfix/smtpd[148698]: 11A003C0065:
> client=mail-dm3nam05hn0245.outbound.protection.outlook.com[104.47.49.245]
> May 10 08:29:33 vmlxmail1 postfix/cleanup[146570]: 11A003C0065: hold:
> header Received: from
> NAM05-DM3-obe.outbound.protection.outlook.com (
> mail-dm3nam05hn0245.outbound.protection.outlook.com
> [104.47.49.245])??by mail.ourdomain.de (Postfix) with ESMTPS id
> 11A003C0065??for from
> mail-dm3nam05hn0245.outbound.protection.outlook.com[104.47.49.245];
> from=<sadie.smith at live.longwood.edu> to=<recipient at ourdomain.de>
> proto=ESMTP
> helo=<NAM05-DM3-obe.outbound.protection.outlook.com>
> May 10 08:29:33 vmlxmail1 postfix/cleanup[146570]: 11A003C0065:
> message-id=<36868ABC6C2FD54E67E1B8F6945AFB1A8E4318BD at WORLDST0I6DPJ59>
> May 10 08:29:33 vmlxmail1 opendkim[1514]: 11A003C0065:
> mail-dm3nam05hn0245.outbound.protection.outlook.com [104.47.49.245] not
> internal
> May 10 08:29:33 vmlxmail1 opendkim[1514]: 11A003C0065: not authenticated
> May 10 08:29:37 vmlxmail1 MailScanner[149988]: Infected message
> 11A003C0065.AC53F.message » MIME »
> S2BOB3ITMHJ.html came from
> May 10 08:29:37 vmlxmail1 MailScanner[149988]: Infected message
> 11A003C0065.AC53F came from
> 104.47.49.245
> May 10 08:29:37 vmlxmail1 MailScanner[149988]: Infected message
> 11A003C0065.AC53F.message came from
> May 10 08:31:38 vmlxmail1 MailScanner[150510]: Making attempt 2 at
> processing message
> 11A003C0065.AC53F
> May 10 08:31:41 vmlxmail1 MailScanner[150510]: Infected message
> 11A003C0065.AC53F came from
> 104.47.49.245
> May 10 08:31:41 vmlxmail1 MailScanner[150510]: Infected message
> 11A003C0065.AC53F.message came from
> May 10 08:31:41 vmlxmail1 MailScanner[150510]: Infected message
> 11A003C0065.AC53F.message » MIME »
> S2BOB3ITMHJ.html came from
> May 10 08:35:59 vmlxmail1 MailScanner[150083]: Making attempt 3 at
> processing message
> 11A003C0065.AC53F
> May 10 08:36:02 vmlxmail1 MailScanner[150083]: Infected message
> 11A003C0065.AC53F.message came from
> May 10 08:36:02 vmlxmail1 MailScanner[150083]: Infected message
> 11A003C0065.AC53F came from
> 104.47.49.245
> May 10 08:36:02 vmlxmail1 MailScanner[150083]: Infected message
> 11A003C0065.AC53F.message » MIME »
> S2BOB3ITMHJ.html came from
> May 10 08:41:26 vmlxmail1 MailScanner[151456]: Making attempt 4 at
> processing message
> 11A003C0065.AC53F
> May 10 08:41:29 vmlxmail1 MailScanner[151456]: Infected message
> 11A003C0065.AC53F came from
> 104.47.49.245
> May 10 08:41:29 vmlxmail1 MailScanner[151456]: Infected message
> 11A003C0065.AC53F.message came from
> May 10 08:41:29 vmlxmail1 MailScanner[151456]: Infected message
> 11A003C0065.AC53F.message » MIME »
> S2BOB3ITMHJ.html came from
> May 10 08:47:24 vmlxmail1 MailScanner[150241]: Making attempt 5 at
> processing message
> 11A003C0065.AC53F
> May 10 08:47:27 vmlxmail1 MailScanner[150241]: Infected message
> 11A003C0065.AC53F.message came from
> May 10 08:47:27 vmlxmail1 MailScanner[150241]: Infected message
> 11A003C0065.AC53F came from
> 104.47.49.245
> May 10 08:47:27 vmlxmail1 MailScanner[150241]: Infected message
> 11A003C0065.AC53F.message » MIME »
> S2BOB3ITMHJ.html came from
> May 10 08:51:38 vmlxmail1 MailScanner[153430]: Making attempt 6 at
> processing message
> 11A003C0065.AC53F
> May 10 08:51:41 vmlxmail1 MailScanner[153430]: Infected message
> 11A003C0065.AC53F.message came from
> May 10 08:51:41 vmlxmail1 MailScanner[153430]: Infected message
> 11A003C0065.AC53F came from
> 104.47.49.245
> May 10 08:51:41 vmlxmail1 MailScanner[153430]: Infected message
> 11A003C0065.AC53F.message » MIME »
> S2BOB3ITMHJ.html came from
> May 10 08:51:43 vmlxmail1 MailScanner[152425]: Warning: skipping message
> 11A003C0065.AC53F as it
> has been attempted too many times
> May 10 08:51:43 vmlxmail1 MailScanner[152425]: Quarantined message
> 11A003C0065.AC53F as it caused
> MailScanner to crash several times
> May 10 08:51:43 vmlxmail1 MailScanner[152425]: Saved entire message to
> /var/spool/MailScanner/quarantine/20190510/11A003C0065.AC53F
> May 10 08:51:43 vmlxmail1 MailScanner[152425]: MailWatch: Logging message
> 11A003C0065.AC53F to SQL
> May 10 08:51:43 vmlxmail1 MailScanner[150628]: MailWatch:
> 11A003C0065.AC53F: Logged to MailWatch
> SQL
>
> And attempt 6 with some more information (virus scanning, restart
> MailScanner Proc)
>
> May 10 08:51:38 vmlxmail1 MailScanner[153430]: Making attempt 6 at
> processing message
> 11A003C0065.AC53F
> May 10 08:51:38 vmlxmail1 MailScanner[153430]: New Batch: Scanning 1
> messages, 7155 bytes
> May 10 08:51:38 vmlxmail1 MailScanner[153430]: Virus and Content Scanning:
> Starting
> May 10 08:51:38 vmlxmail1 MailScanner[153430]: Cannot lock
> /var/spool/MailScanner/incoming/Locks/esetsBusy.lock, No such file or
> directory
> May 10 08:51:41 vmlxmail1 MailScanner[153430]:
> Esets::INFECTED::JS/Redirector.NEE trojan
> May 10 08:51:41 vmlxmail1 MailScanner[153430]: message repeated 2 times: [
> Esets::INFECTED::JS/Redirector.NEE trojan]
> May 10 08:51:41 vmlxmail1 MailScanner[153430]: Virus Scanning: esets found
> 3 infections
> May 10 08:51:41 vmlxmail1 MailScanner[153430]: Infected message
> 11A003C0065.AC53F.message came from
> May 10 08:51:41 vmlxmail1 MailScanner[153430]: Infected message
> 11A003C0065.AC53F came from
> 104.47.49.245
> May 10 08:51:41 vmlxmail1 MailScanner[153430]: Infected message
> 11A003C0065.AC53F.message » MIME »
> S2BOB3ITMHJ.html came from
> May 10 08:51:41 vmlxmail1 MailScanner[153430]: Virus Scanning: Found 3
> viruses
> May 10 08:51:41 vmlxmail1 MailScanner[154174]: MailScanner Email Processor
> version 5.1.3
> starting...
> May 10 08:51:41 vmlxmail1 MailScanner[154174]: Reading configuration file
> /etc/MailScanner/MailScanner.conf
> May 10 08:51:41 vmlxmail1 MailScanner[154174]: Reading configuration file
> /etc/MailScanner/conf.d/README
> May 10 08:51:41 vmlxmail1 MailScanner[154174]: Read 1500 hostnames from
> the phishing whitelist
> May 10 08:51:41 vmlxmail1 MailScanner[154174]: Read 16624 hostnames from
> the phishing blacklists
> May 10 08:51:41 vmlxmail1 MailScanner[154174]: Config: calling custom init
> function SQLWhitelist
> May 10 08:51:41 vmlxmail1 MailScanner[154174]: MailWatch: Starting up
> MailWatch SQL Whitelist
> May 10 08:51:41 vmlxmail1 MailScanner[154174]: MailWatch: Read 32
> whitelist entries
> May 10 08:51:41 vmlxmail1 MailScanner[154174]: Config: calling custom init
> function
> MailWatchLogging
> May 10 08:51:41 vmlxmail1 MailScanner[154174]: MailWatch: Started
> MailWatch SQL Logging child
> May 10 08:51:41 vmlxmail1 MailScanner[154174]: Using SpamAssassin results
> cache
> May 10 08:51:41 vmlxmail1 MailScanner[154174]: Connected to SpamAssassin
> cache database
> May 10 08:51:41 vmlxmail1 MailScanner[154174]: Enabling SpamAssassin
> auto-whitelist
> functionality...
> May 10 08:51:43 vmlxmail1 MailScanner[152425]: Warning: skipping message
> 11A003C0065.AC53F as it
> has been attempted too many times
> May 10 08:51:43 vmlxmail1 MailScanner[152425]: Quarantined message
> 11A003C0065.AC53F as it caused
> MailScanner to crash several times
> May 10 08:51:43 vmlxmail1 MailScanner[152425]: Saved entire message to
> /var/spool/MailScanner/quarantine/20190510/11A003C0065.AC53F
> May 10 08:51:43 vmlxmail1 MailScanner[152425]: New Batch: Scanning 1
> messages, 7155 bytes
>
> So I already deleted the whole folder
> /var/spool/MailScanner/quarantine/20190510/ with its content.
> In MailWatch WebUI I can see the logged message headers, but no
> folder/files 11A003C0065.AC53F/message
> files (because deleted) as expected.
>
> I also mysqldump'ed the MailWatch DB and grep'ed inside what's written
> about 11A003C0065, I think
> there is only the logged headers of this queued messages inside.
>
> The Postfix queue is displaying me with "mailq" command only real queued
> messages, the message ID 11A003C0065 isn't in the postfix queue displayed.
>
> I am still searching in /var/spool/ anywhere where it could be possible
> where its telling
> MailScanner at start, that this Message is in --processing queue. No luck
> until now :-(
>
> Many Regards
> Schroeffu
>
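
An added example, not part of the original thread and not MailScanner's own code: a small parser for the syslog lines quoted above that reports, per message ID, how many processing attempts were logged, which worker PIDs made them, and whether MailScanner finally skipped and quarantined the message. The sample input is unwrapped from the quoted excerpt; the second message ID in it is constructed.

```python
import re
from collections import defaultdict

# Unwrapped copies of entries from the log excerpt quoted above, plus one
# constructed line for a message that was retried once (its ID is made up).
SAMPLE_LOG = """\
May 10 08:31:38 vmlxmail1 MailScanner[150510]: Making attempt 2 at processing message 11A003C0065.AC53F
May 10 08:51:38 vmlxmail1 MailScanner[153430]: Making attempt 6 at processing message 11A003C0065.AC53F
May 10 08:51:41 vmlxmail1 MailScanner[153430]: Esets::INFECTED::JS/Redirector.NEE trojan
May 10 08:51:43 vmlxmail1 MailScanner[152425]: Warning: skipping message 11A003C0065.AC53F as it has been attempted too many times
May 10 08:51:43 vmlxmail1 MailScanner[152425]: Quarantined message 11A003C0065.AC53F as it caused MailScanner to crash several times
May 10 08:51:43 vmlxmail1 MailScanner[152425]: Saved entire message to /var/spool/MailScanner/quarantine/20190510/11A003C0065.AC53F
May 10 08:52:10 vmlxmail1 MailScanner[154174]: Making attempt 2 at processing message 22B004D0076.A1B2C
"""

LINE = re.compile(r"^\w{3}\s+\d+ [\d:]{8} \S+ MailScanner\[(?P<pid>\d+)\]: (?P<text>.*)$")
ATTEMPT = re.compile(r"Making attempt (\d+) at processing message (\S+)")
SKIPPED = re.compile(r"skipping message (\S+) as it has been attempted too many times")
CRASHED = re.compile(r"Quarantined message (\S+) as it caused MailScanner to crash")
SAVED = re.compile(r"Saved entire message to (\S+/(\S+))$")

def summarize(log_text):
    """Collect retry and crash evidence per message ID from MailScanner syslog lines."""
    report = defaultdict(lambda: {"attempts": 1, "pids": set(), "skipped": False,
                                  "crash_quarantined": False, "saved_to": None})
    for raw in log_text.splitlines():
        line = LINE.match(raw)
        if not line:
            continue  # not a MailScanner syslog entry
        text = line["text"]
        if m := ATTEMPT.search(text):
            entry = report[m[2]]
            entry["attempts"] = max(entry["attempts"], int(m[1]))
            entry["pids"].add(int(line["pid"]))  # worker PID that logged this attempt
        elif m := SKIPPED.search(text):
            report[m[1]]["skipped"] = True
        elif m := CRASHED.search(text):
            report[m[1]]["crash_quarantined"] = True
        elif (m := SAVED.search(text)) and m[2] in report:
            report[m[2]]["saved_to"] = m[1]  # quarantine copy of a retried message
    return dict(report)

def crash_loopers(report):
    """Message IDs that MailScanner gave up on after repeated attempts."""
    return sorted(mid for mid, e in report.items() if e["skipped"] or e["crash_quarantined"])

if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for mid in crash_loopers(summary):
        print(mid, summary[mid])
```
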