Sorry, it took a while, I wasn't in.<br>Same output both ways<br>[root@localhost ~]# env - /usr/sbin/check_mailscanner<br>MailScanner running with pid 4720 19671 19673<br><br>How can it be terminal related? <br><br>regards<br>
Eliott<br><br><div class="gmail_quote"><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Date: Fri, 22 Jan 2010 14:33:11 +0000<br>
From: Julian Field <br>
That looks like a terminal type problem. What happens if you do<br>
env - /usr/sbin/check_mailscanner<br>
instead of just<br>
/usr/sbin/check_mailscanner<br>
?<br>
<br>
<br>
On 22/01/2010 12:50, Eliott wrote:<br>
> Hi!<br>
><br>
> we are about to migrate an old implementation while upgrading all the<br>
> components and came across a strange problem.<br>
> With MailScanner 4.78.17 and avg 8.5.288 we see the following log<br>
> entries:<br>
> --------------<br>
> Jan 18 15:47:23 localhost MailScanner[4725]: New Batch: Scanning 1<br>
> messages, 1338 bytes<br>
> Jan 18 15:47:23 localhost MailScanner[4725]: Virus and Content<br>
> Scanning: Starting<br>
> Jan 18 15:47:23 localhost MailScanner[4725]: Avg: Virus identified<br>
> EICAR_Test in eicar.txt<br>
> Jan 18 15:47:23 localhost MailScanner[4725]: Virus Scanning: Avg found<br>
> 1 infections<br>
> Jan 18 15:47:23 localhost MailScanner[4725]: Infected message<br>
> ESC[2Ko0IElNL7004734 came from<br>
> Jan 18 15:47:23 localhost MailScanner[4725]: Virus Scanning: Found 1<br>
> viruses<br>
> Jan 18 15:47:24 localhost MailScanner[4725]: Uninfected: Delivered 1<br>
> messages<br>
> Jan 18 15:47:24 localhost MailScanner[4725]: Deleted 1 messages from<br>
> processing-database<br>
> smtp2225, pri=120812, relay=[10.0.20.10] [10.0.20.10], dsn=2.0.0,<br>
> stat=Sent (Message accepted for delivery)<br>
> ---------------<br>
> I have checked SweepViruses.pm, but there the output seems to be<br>
> parsed well. Is this a configuration issue or a bug?<br>
><br>
> Thanks and regards<br>
> Eliott<br>
><br>
><br>
><br>
<br>
Jules<br>
<br>
--<br>
Julian Field MEng CITP CEng<br>
<a href="http://www.MailScanner.info" target="_blank">www.MailScanner.info</a><br>
Buy the MailScanner book at <a href="http://www.MailScanner.info/store" target="_blank">www.MailScanner.info/store</a><br>
<br>
Need help customising MailScanner?<br>
Contact me!<br>
Need help fixing or optimising your systems?<br>
Contact me!<br>
Need help getting you started solving new requirements from your boss?<br>
Contact me!<br>
<br>
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654<br>
Follow me at <a href="http://twitter.com/JulesFM" target="_blank">twitter.com/JulesFM</a> and <a href="http://twitter.com/MailScanner" target="_blank">twitter.com/MailScanner</a><br>
<br>
<br>
--<br>
This message has been scanned for viruses and<br>
dangerous content by MailScanner, and is<br>
believed to be clean.<br>
<br>
<br>
<br>
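The log excerpt quoted above shows an erase-line control sequence (ESC[2K) sitting in front of the message ID on the "Infected message" line. As an added example, not part of the original thread and not MailScanner's own code, this is one way to flag such sequences in scanner or log output and strip them before an ID is parsed; the function names are hypothetical and the third sample line is constructed.<br>

```python
import re

# CSI sequence per ECMA-48: ESC '[' parameter bytes, intermediate bytes, final byte.
# Log viewers often show the ESC byte (0x1b) as the literal text "ESC", as in the
# excerpt from the thread, so both spellings are matched.
CSI = re.compile(r"(?:\x1b|ESC)\[[0-?]*[ -/]*[@-~]")
# Remaining C0 control characters (tab and newline excluded) and DEL.
OTHER_CTRL = re.compile(r"[\x00-\x08\x0b-\x1f\x7f]")
# Shape of the log line that carries the message ID.
INFECTED = re.compile(r"Infected message (\S+) came from")

# Lines 1-2 are taken from the log in the thread (re-joined); line 3 is constructed
# and carries the raw ESC byte instead of its printable rendering.
SAMPLE_LOG = [
    "Jan 18 15:47:23 localhost MailScanner[4725]: Virus Scanning: Avg found 1 infections",
    "Jan 18 15:47:23 localhost MailScanner[4725]: Infected message ESC[2Ko0IElNL7004734 came from",
    "Jan 18 15:47:23 localhost MailScanner[4725]: Infected message \x1b[2Ko0IElNL7004735 came from",
]


def strip_terminal_controls(text):
    """Return text with CSI sequences and stray control bytes removed."""
    return OTHER_CTRL.sub("", CSI.sub("", text))


def audit_lines(lines):
    """Return (line_number, sequences_found, cleaned_line) for each tainted line."""
    findings = []
    for number, line in enumerate(lines, start=1):
        sequences = CSI.findall(line)
        # Look for leftover control bytes only after the CSI sequences are gone,
        # so the ESC byte of a CSI sequence is not reported twice.
        sequences += OTHER_CTRL.findall(CSI.sub("", line))
        if sequences:
            findings.append((number, sequences, strip_terminal_controls(line)))
    return findings


def infected_message_id(line):
    """Extract the message ID from an 'Infected message' line after sanitising it."""
    match = INFECTED.search(strip_terminal_controls(line))
    return match.group(1) if match else None


if __name__ == "__main__":
    for number, sequences, cleaned in audit_lines(SAMPLE_LOG):
        print(f"line {number}: control sequences {sequences!r}")
        print(f"  cleaned: {cleaned}")
        print(f"  message id: {infected_message_id(cleaned)}")
```
<br>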
------------------------------<br>
<br>
Message: 4<br>
Date: Fri, 22 Jan 2010 18:17:14 +0200<br>
From: Lyndon Labuschagne <<a href="mailto:lyndonl@mexcom.co.za">lyndonl@mexcom.co.za</a>><br>
Subject: MailScanner: Message attempted to kill MailScanner<br>
To: MailScanner discussion <<a href="mailto:mailscanner@lists.mailscanner.info">mailscanner@lists.mailscanner.info</a>><br>
Message-ID: <<a href="mailto:FFDBCBA6-2A7D-422D-AD3A-4693840BFB4F@mexcom.co.za">FFDBCBA6-2A7D-422D-AD3A-4693840BFB4F@mexcom.co.za</a>><br>
Content-Type: text/plain; charset="us-ascii"<br>
<br>
Hello All<br>
<br>
I hope you can shed some light on the below issue<br>
<br>
This is a new install of MailScanner 4.79.5<br>
FreeBSD 8.0 amd64<br>
postfix-2.6.5,1<br>
p5-Mail-SpamAssassin-3.2.5_4<br>
clamav-0.95.3<br>
<br>
All the affected mails seem to have attachments, mail sizes vary most are over 200kb but some are only 80kb<br>
most seem to be word docs both .doc and .docx<br>
I have turned off OLE scans to see if that was a part of the problem<br>
<br>
ClamAVmodule Maximum File Size = 5000000 # (5 Mbytes)<br>
<br>
Max Spam Check Size = 40k<br>
Max SpamAssassin Size = 40k<br>
Max Custom Spam Scanner Size = 40k<br>
<br>
<br>
<br>
the Server is a Xeon 2Ghz quad core 4 GB RAM<br>
it averages about 95% idle with about 2.5GB free RAM although when clamscan is running it might drop down to about 80% idle<br>
<br>
I can turn on the debug option but it's not every mail that has this issue; it's probably 1 out of every 100 to 150 messages, so it might take some time to trigger the problem<br>
<br>
the below message was 333.6kb<br>
<br>
From MailWatch interface:<br>
<br>
Subject: removed to protect the innocent<br>
MIME-Version: 1.0<br>
Content-Type: multipart/mixed;<br>
boundary="----_=_NextPart_001_01CA9B73.4F7F8242"<br>
Date: Fri, 22 Jan 2010 16:58:08 +0200<br>
Message-ID: <B8ADB5A39790EF41901A5F105DB2CB8DB43CCD@server.Hi-tech.local><br>
Content-class: urn:content-classes:message<br>
X-MimeOLE: Produced By Microsoft Exchange V6.5<br>
X-MS-Has-Attach:<br>
X-MS-TNEF-Correlator:<br>
Thread-Topic: removed to protect the innocent<br>
Thread-Index: AcgMB3G2oM864RICTwyR1vhZ6+t5JwAAI2GAPhemM7A=<br>
X-Priority: 1<br>
Priority: Urgent<br>
Importance: high<br>
<br>
From maillog<br>
<br>
Jan 22 16:54:42 mailav02 postfix/cleanup[12659]: EC4A71761FFF: message-id=<B8ADB5A39790EF41901A5F105DB2CB8DB43CCD@server.Hi-tech.local><br>
Jan 22 17:00:26 mailav02 MailScanner[14816]: Making attempt 2 at processing message EC4A71761FFF.00000<br>
Jan 22 17:05:25 mailav02 MailScanner[14819]: Making attempt 3 at processing message EC4A71761FFF.00000<br>
Jan 22 17:10:25 mailav02 MailScanner[14900]: Making attempt 4 at processing message EC4A71761FFF.00000<br>
Jan 22 17:12:47 mailav02 MailScanner[15034]: Making attempt 5 at processing message EC4A71761FFF.00000<br>
Jan 22 17:18:32 mailav02 MailScanner[14985]: Making attempt 6 at processing message EC4A71761FFF.00000<br>
Jan 22 17:18:33 mailav02 MailScanner[15120]: Warning: skipping message EC4A71761FFF.00000 as it has been attempted too many times<br>
Jan 22 17:18:33 mailav02 MailScanner[15120]: Quarantined message EC4A71761FFF.00000 as it caused MailScanner to crash several times<br>
Jan 22 17:18:33 mailav02 MailScanner[15120]: Saved entire message to /var/spool/MailScanner/quarantine/20100122/EC4A71761FFF.00000<br>
Jan 22 17:18:33 mailav02 MailScanner[15120]: Logging message EC4A71761FFF.00000 to SQL<br>
<br>
Regards,<br>
<br>
Lyndon<br>
<br>
<br>
<br>
--<br>
This message has been scanned for viruses and dangerous content by the<br>
Mexcom MailScanner, and appears to be clean.<br>
Should you wish to secure your mail, call sales @ 011-801-4000, alternatively visit<br>
<a href="http://www.mexcom.co.za" target="_blank">http://www.mexcom.co.za</a> or mail <a href="mailto:sales@mexcom.co.za">sales@mexcom.co.za</a><br>
<br>
<br>
<br>
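The maillog excerpt in the post above shows one message being retried by several MailScanner workers before it is quarantined. As an added example, not part of the original thread and not MailScanner's own code, this log check groups the "Making attempt N" lines by message and reports the ones that were retried repeatedly; the function name, the threshold and the one constructed log line are assumptions.<br>

```python
import re
from collections import defaultdict
from datetime import datetime

# Syslog prefix as it appears in the post: timestamp, host, MailScanner[pid].
LINE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ MailScanner\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
ATTEMPT = re.compile(r"Making attempt (\d+) at processing message (\S+)")
QUARANTINED = re.compile(r"Quarantined message (\S+) as it caused MailScanner to crash")

# Lines copied from the maillog excerpt in the post, plus one constructed line
# (message AB12CD34EF56.A1B2C) for a message that was retried only once.
SAMPLE_MAILLOG = [
    "Jan 22 17:00:26 mailav02 MailScanner[14816]: Making attempt 2 at processing message EC4A71761FFF.00000",
    "Jan 22 17:01:02 mailav02 MailScanner[14816]: Making attempt 2 at processing message AB12CD34EF56.A1B2C",
    "Jan 22 17:05:25 mailav02 MailScanner[14819]: Making attempt 3 at processing message EC4A71761FFF.00000",
    "Jan 22 17:10:25 mailav02 MailScanner[14900]: Making attempt 4 at processing message EC4A71761FFF.00000",
    "Jan 22 17:12:47 mailav02 MailScanner[15034]: Making attempt 5 at processing message EC4A71761FFF.00000",
    "Jan 22 17:18:32 mailav02 MailScanner[14985]: Making attempt 6 at processing message EC4A71761FFF.00000",
    "Jan 22 17:18:33 mailav02 MailScanner[15120]: Warning: skipping message EC4A71761FFF.00000 as it has been attempted too many times",
    "Jan 22 17:18:33 mailav02 MailScanner[15120]: Quarantined message EC4A71761FFF.00000 as it caused MailScanner to crash several times",
]


def crash_loops(lines, year, min_attempts=3):
    """Summarise messages that were retried at least min_attempts times or quarantined.

    Syslog timestamps carry no year, so the caller supplies it.
    """
    stats = defaultdict(
        lambda: {"attempts": 0, "pids": set(), "first": None, "last": None, "quarantined": False}
    )
    for line in lines:
        parsed = LINE.match(line)
        if not parsed:
            continue
        when = datetime.strptime(f"{year} {parsed['ts']}", "%Y %b %d %H:%M:%S")
        attempt = ATTEMPT.search(parsed["msg"])
        if attempt:
            entry = stats[attempt.group(2)]
            entry["attempts"] = max(entry["attempts"], int(attempt.group(1)))
            entry["pids"].add(parsed["pid"])
            entry["first"] = min(entry["first"] or when, when)
            entry["last"] = max(entry["last"] or when, when)
            continue
        quarantined = QUARANTINED.search(parsed["msg"])
        if quarantined:
            stats[quarantined.group(1)]["quarantined"] = True

    report = []
    for message, entry in sorted(stats.items()):
        if entry["attempts"] < min_attempts and not entry["quarantined"]:
            continue
        seconds = 0
        if entry["first"] and entry["last"]:
            seconds = int((entry["last"] - entry["first"]).total_seconds())
        report.append({
            "message": message,
            "attempts": entry["attempts"],
            "workers": len(entry["pids"]),   # distinct PIDs that tried the message
            "seconds": seconds,              # time between first and last logged attempt
            "quarantined": entry["quarantined"],
        })
    return report


if __name__ == "__main__":
    for row in crash_loops(SAMPLE_MAILLOG, year=2010):
        print(row)
```
<br>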
------------------------------<br>
<br>
Message: 5<br>
Date: Fri, 22 Jan 2010 11:17:56 -0500<br>
From: "Garrod M. Alwood" <<a href="mailto:Garrod.Alwood@lorodoes.com">Garrod.Alwood@lorodoes.com</a>><br>
Subject: Re: MailScanner: Message attempted to kill MailScanner<br>
To: MailScanner discussion <<a href="mailto:mailscanner@lists.mailscanner.info">mailscanner@lists.mailscanner.info</a>><br>
Message-ID: <<a href="mailto:7053E9FE-18A9-47D9-B2E5-F3402AE74F99@lorodoes.com">7053E9FE-18A9-47D9-B2E5-F3402AE74F99@lorodoes.com</a>><br>
Content-Type: text/plain; charset="utf-8"<br>
<br>
You need to get an update, I had the same problem<br>
<br>
Garrod Alwood<br>
Open Source Consultant<br>
9047384988<br>
<a href="mailto:Garrod.alwood@lorodoes.com">Garrod.alwood@lorodoes.com</a><br>
Sent from my iPod<br>
<br>
<br>
------------------------------<br>
<br>
Message: 6<br>
Date: Fri, 22 Jan 2010 16:50:13 -0000<br>
From: "PD Support" <<a href="mailto:support-lists@petdoctors.co.uk">support-lists@petdoctors.co.uk</a>><br>
Subject: RE: MailScanner: Message attempted to kill MailScanner<br>
To: "'MailScanner discussion'" <<a href="mailto:mailscanner@lists.mailscanner.info">mailscanner@lists.mailscanner.info</a>><br>
Message-ID: <016201ca9b82$f834bce0$e89e36a0$@<a href="http://co.uk" target="_blank">co.uk</a>><br>
Content-Type: text/plain; charset="us-ascii"<br>
<br>
Also check folder permissions and that required folders exist - one recent<br>
install didn't make them all for me (I suspect this was a glitch in the<br>
SpamAssassin install rather than MailScanner).<br>
<br>
<br>
<br>
I also had this a while back on a server where the disk was full, although I<br>
expect this isn't your problem.<br>
<br>
<br>
<br>
NK<br>
<br>
<br>
------------------------------<br>
<br>
Message: 7<br>
Date: Fri, 22 Jan 2010 16:51:03 +0000<br>
From: Julian Field <<a href="mailto:MailScanner@ecs.soton.ac.uk">MailScanner@ecs.soton.ac.uk</a>><br>
Subject: Re: MailScanner: Message attempted to kill MailScanner<br>
To: MailScanner discussion <<a href="mailto:mailscanner@lists.mailscanner.info">mailscanner@lists.mailscanner.info</a>><br>
Message-ID:<br>
<EMEW3|a8a247e6c07fa539be9a157e5b9cc27bm0LGp70bMailScanner|<a href="http://ecs.soton.ac.uk" target="_blank">ecs.soton.ac.uk</a>|<a href="mailto:4B59D777.5040600@ecs.soton.ac.uk">4B59D777.5040600@ecs.soton.ac.uk</a>><br>
<br>
Content-Type: text/plain; charset=UTF-8; format=flowed<br>
<br>
Yes, just install the latest version available on the website.<br>
<br>
On 22/01/2010 16:17, Garrod M. Alwood wrote:<br>
> You need to get an update, I had the same problem<br>
<br>
Jules<br>
<br>
<br>
<br>
<br>
------------------------------<br>
<br>
Message: 8<br>
Date: Fri, 22 Jan 2010 19:41:38 +0200<br>
From: Lyndon Labuschagne <<a href="mailto:lyndonl@mexcom.co.za">lyndonl@mexcom.co.za</a>><br>
Subject: Re: MailScanner: Message attempted to kill MailScanner<br>
To: MailScanner discussion <<a href="mailto:mailscanner@lists.mailscanner.info">mailscanner@lists.mailscanner.info</a>><br>
Message-ID: <<a href="mailto:614069FF-2788-4FDA-9E4D-870A5282B297@mexcom.co.za">614069FF-2788-4FDA-9E4D-870A5282B297@mexcom.co.za</a>><br>
Content-Type: text/plain; charset=us-ascii<br>
<br>
Ok cool thanks all<br>
<br>
I will try that on Monday, if the gods smile on me there might be an updated BSD port :) not that I'm holding my breath<br>
<br>
<br>
On 22 Jan 2010, at 6:51 PM, Julian Field wrote:<br>
<br>
> Yes, just install the latest version available on the website.<br>
><br>
> On 22/01/2010 16:17, Garrod M. Alwood wrote:<br>
>> You need to get an update, I had the same problem<br>
<br>
<br>
<br>
------------------------------<br>
<br>
Message: 9<br>
Date: Fri, 22 Jan 2010 12:58:27 -0500<br>
From: Mike Wallace <<a href="mailto:mike@mlrw.com">mike@mlrw.com</a>><br>
Subject: Infected Messages Not Being Spam Checked<br>
To: <a href="mailto:mailscanner@lists.mailscanner.info">mailscanner@lists.mailscanner.info</a><br>
Message-ID: <<a href="mailto:2C4D53D7-096E-4BC1-A863-DD80E5A8E91A@mlrw.com">2C4D53D7-096E-4BC1-A863-DD80E5A8E91A@mlrw.com</a>><br>
Content-Type: text/plain; charset="us-ascii"<br>
<br>
I am having a problem with Virus infected messages not being spam checked and getting delivered to users.<br>
<br>
My configuration is MS 4.78.17-1 running on CentOS 5.4 with spamassassin 3.2.5-1 from the CentOS distribution, clamav 0.95.3-1 and razor-agents 2.84-1 from rpmforge, pyzor 0.5.0 and dcc 1.3.115. I am using the following additional spamassassin rules: Sought, OpenProtect and a couple of custom ones. All messages with a spam score of > 5.0 and <10.0 are redirected to a special mailbox. Anything >10.0 is deleted. This works great as I have a false positive rate of 0.16% and a false negative rate of 0.87% (if I exclude the viruses that passed). None of the false positives are high scoring spam >10.0.<br>
<br>
Here is an example of a message that was not spam checked:<br>
<br>
Return-Path: <a href="mailto:improvesx66@wires.tv">improvesx66@wires.tv</a><br>
Received: from <a href="http://mailserver.mlrw.com" target="_blank">mailserver.mlrw.com</a> (LHLO <a href="http://mailserver.mlrw.com" target="_blank">mailserver.mlrw.com</a>) by<br>
<a href="http://mailserver.mlrw.com" target="_blank">mailserver.mlrw.com</a> with LMTP; Thu, 21 Jan 2010 16:51:09 -0500 (EST)<br>
Received: from localhost (localhost.localdomain [127.0.0.1])<br>
by <a href="http://mailserver.mlrw.com" target="_blank">mailserver.mlrw.com</a> (Postfix) with ESMTP id 455AC1448859<br>
for <<a href="mailto:user@mlrw.com">user@mlrw.com</a>>; Thu, 21 Jan 2010 16:51:09 -0500 (EST)<br>
X-Virus-Scanned: amavisd-new at <a href="http://mlrw.com" target="_blank">mlrw.com</a><br>
Received: from <a href="http://gateway.mlrw.com" target="_blank">gateway.mlrw.com</a><br>
by <a href="http://mailserver.mlrw.com" target="_blank">mailserver.mlrw.com</a> (Postfix) with ESMTP id ECE031448858<br>
for <<a href="mailto:user@mlrw.com">user@mlrw.com</a>>; Thu, 21 Jan 2010 16:51:08 -0500 (EST)<br>
Received: from <a href="http://mx1.mailhop.org" target="_blank">mx1.mailhop.org</a> (<a href="http://mxout-144-iad.mailhop.org" target="_blank">mxout-144-iad.mailhop.org</a> [216.146.32.144])<br>
by <a href="http://mlrw.com" target="_blank">mlrw.com</a> (Postfix) with ESMTP id 3E1FA2A00C4<br>
for <<a href="mailto:user@mlrw.com">user@mlrw.com</a>>; Thu, 21 Jan 2010 16:51:08 -0500 (EST)<br>
Received: from <a href="http://noblet1.lnk.telstra.net" target="_blank">noblet1.lnk.telstra.net</a> (<a href="http://noblet1.lnk.telstra.net" target="_blank">noblet1.lnk.telstra.net</a> [165.228.74.75])<br>
by <a href="http://mx1.mailhop.org" target="_blank">mx1.mailhop.org</a> (Postfix) with ESMTP id CA691833D0B<br>
for <<a href="mailto:user@mlrw.com">user@mlrw.com</a>>; Thu, 21 Jan 2010 21:51:02 +0000 (UTC)<br>
Received: from 165.228.74.75 by <a href="http://mailstore1.secureserver.net" target="_blank">mailstore1.secureserver.net</a>; Fri, 22 Jan 2010 08:50:57 +1000<br>
Date: Fri, 22 Jan 2010 08:50:57 +1000<br>
From: "DHL Manager Keven Allen" <<a href="mailto:shipping@dhl.com">shipping@dhl.com</a>><br>
X-Mailer: The Bat! (v3.51.10) Professional<br>
Reply-To: <a href="mailto:improvesx66@wires.tv">improvesx66@wires.tv</a><br>
X-Priority: 3 (Normal)<br>
Message-ID: <<a href="mailto:256744380.35200801834064@wires.tv">256744380.35200801834064@wires.tv</a>><br>
To: <a href="mailto:user@mlrw.com">user@mlrw.com</a><br>
Subject: {VIRUS?} DHL Delivery Problem Number 81419.<br>
MIME-Version: 1.0<br>
Content-Type: multipart/mixed;<br>
boundary="----------4B369E401538E9"<br>
X-MLRW-MailScanner-ID: 3E1FA2A00C4.AAF25<br>
X-MLRW-MailScanner-VirusCheck: Message was found to be infected<br>
X-MLRW-MailScanner-SpamCheck:<br>
X-MLRW-MailScanner-From: <a href="mailto:improvesx66@wires.tv">improvesx66@wires.tv</a><br>
<br>
<br>
------------4B369E401538E9<br>
Content-Type: text/plain; charset=Windows-1252<br>
Content-Transfer-Encoding: 7bit<br>
<br>
Dear customer!<br>
<br>
The courier company was not able to deliver your parcel by your address.<br>
Cause: Error in shipping address.<br>
<br>
You may pickup the parcel at our post office personaly!<br>
<br>
Attention!<br>
The shipping label is attached to this e-mail.<br>
Please print this label to get this package at our post office.<br>
<br>
<br>
Please do not reply to this e-mail, it is an unmonitored mailbox!<br>
<br>
<br>
<br>
Thank you.<br>
DHL Delivery Services.<br>
<br>
<br>
<br>
<br>
------------4B369E401538E9<br>
Content-Type: application/zip; name="DHL_Label_NR06283.zip"<br>
Content-Transfer-Encoding: base64<br>
Content-Disposition: attachment; filename="DHL_Label_NR06283.zip"<br>
<br>
In the logs for clamd I see the following for that attachment: DHL_Label_NR06283.zip: Suspect.Bredozip-zippwd-2 FOUND<br>
<br>
If I run spamassassin against a quarantined copy of the message, here is its score:<br>
<br>
Content analysis details: (23.1 points, 5.0 required)<br>
<br>
pts rule name description<br>
---- ---------------------- --------------------------------------------------<br>
0.7 SARE_RECV_IP_FROMIP3 Received line is IP address from IP address<br>
3.0 RCVD_IN_XBL RBL: Received via a relay in Spamhaus XBL<br>
[165.228.74.75 listed in <a href="http://zen.spamhaus.org" target="_blank">zen.spamhaus.org</a>]<br>
2.0 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in <a href="http://bl.spamcop.net" target="_blank">bl.spamcop.net</a><br>
[Blocked - see <<a href="http://www.spamcop.net/bl.shtml?165.228.74.75" target="_blank">http://www.spamcop.net/bl.shtml?165.228.74.75</a>>]<br>
1.0 BAYES_60 BODY: Bayesian spam probability is 60 to 80%<br>
[score: 0.6792]<br>
0.5 RAZOR2_CHECK Listed in Razor2 (<a href="http://razor.sf.net/" target="_blank">http://razor.sf.net/</a>)<br>
1.5 RAZOR2_CF_RANGE_E4_51_100 Razor2 gives engine 4 confidence level<br>
above 50%<br>
[cf: 100]<br>
0.5 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%<br>
[cf: 100]<br>
3.7 PYZOR_CHECK Listed in Pyzor (<a href="http://pyzor.sf.net/" target="_blank">http://pyzor.sf.net/</a>)<br>
2.2 DCC_CHECK Listed in DCC (<a href="http://rhyolite.com/anti-spam/dcc/" target="_blank">http://rhyolite.com/anti-spam/dcc/</a>)<br>
0.0 DIGEST_MULTIPLE Message hits more than one network digest check<br>
4.0 JM_SOUGHT_1 Body contains frequently-spammed text patterns<br>
4.0 JM_SOUGHT_2 Body contains frequently-spammed text patterns<br>
<br>
As you can see it's greater than 10.0 which means it would have been deleted.<br>
<br>
Can anyone help me? I need to get these types of messages spam checked.<br>
<br>
Thanks.<br>
<br>
Mike<br>
<br>
------------------------------<br>
<br>
Message: 10<br>
Date: Fri, 22 Jan 2010 21:12:21 +0100<br>
From: Kai Schaetzl <<a href="mailto:maillists@conactive.com">maillists@conactive.com</a>><br>
Subject: Re: Infected Messages Not Being Spam Checked<br>
To: <a href="mailto:mailscanner@lists.mailscanner.info">mailscanner@lists.mailscanner.info</a><br>
Message-ID: <<a href="mailto:VA.00003996.017f50d8@news.conactive.com">VA.00003996.017f50d8@news.conactive.com</a>><br>
Content-Type: text/plain; charset=iso-8859-1<br>
<br>
Mike Wallace wrote on Fri, 22 Jan 2010 12:58:27 -0500:<br>
<br>
> I am having a problem<br>
<br>
with pressing the correct button in your email program. Please hit "new<br>
message" when you send a new question and not "reply"! Thanks.<br>
<br>
> with Virus infected messages not being spam<br>
> checked and getting delivered to users.<br>
<br>
Virusscan is done before spamcheck. If you get viruses delivered that<br>
means you have either disabled virusscanning or have changed the default<br>
value so that messages with viruses get delivered. Neither makes<br>
sense.<br>
<br>
> I need to get these type of messages spam checked.<br>
<br>
No, you have to stop delivering viruses. That, I told you already 10 days<br>
ago. In case that is not what you do, maybe you should have answered<br>
Julian's questions.<br>
<br>
Kai<br>
<br>
--<br>
Get your web at Conactive Internet Services: <a href="http://www.conactive.com" target="_blank">http://www.conactive.com</a><br>
<br>
<br>
<br>
<br>
<br>
------------------------------<br>
<br>
Message: 11<br>
Date: Fri, 22 Jan 2010 21:37:54 +0000<br>
From: mog <<a href="mailto:lists@elasticmind.net">lists@elasticmind.net</a>><br>
Subject: Re: MailScanner: Message attempted to kill MailScanner<br>
To: <a href="mailto:mailscanner@lists.mailscanner.info">mailscanner@lists.mailscanner.info</a><br>
Message-ID: <<a href="mailto:4B5A1AB2.2090204@elasticmind.net">4B5A1AB2.2090204@elasticmind.net</a>><br>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed<br>
<br>
Mike (the guy who's been looking after the port) has been working on the<br>
problem. I'm sure he will update the port as soon as he has time.<br>
<br>
<br>
On 22/01/2010 17:41, Lyndon Labuschagne wrote:<br>
> Ok cool thanks all<br>
><br>
> I will try that on Monday, if the gods smile on me there might be an updated BSD port :) not that I'm holding my breath<br>
><br>
><br>
> On 22 Jan 2010, at 6:51 PM, Julian Field wrote:<br>
><br>
><br>
>> Yes, just install the latest version available on the website.<br>
>><br>
>> On 22/01/2010 16:17, Garrod M. Alwood wrote:<br>
>><br>
>>> You need to get an update, I had the same problem<br>
>>><br>
>>> Garrod Alwood<br>
>>> Open Source Consultant<br>
>>> 9047384988<br>
>>> <a href="mailto:Garrod.alwood@lorodoes.com">Garrod.alwood@lorodoes.com</a><br>
>>> Sent from my iPod<br>
>>><br>
>>> On Jan 22, 2010, at 11:14 AM, "Lyndon Labuschagne" <<a href="mailto:lyndonl@mexcom.co.za">lyndonl@mexcom.co.za</a>> wrote:<br>
>>><br>
>>><br>
>>>> Hello All<br>
>>>><br>
>>>> I hope you can shed some light on the below issue<br>
>>>><br>
>>>> This is a new install of MailScanner 4.79.5<br>
>>>> FreeBSD 8.0 amd64<br>
>>>> postfix-2.6.5,1<br>
>>>> p5-Mail-SpamAssassin-3.2.5_4<br>
>>>> clamav-0.95.3<br>
>>>><br>
>>>> All the affected mails seem to have attachments, mail sizes vary, most are over 200kb but some are only 80kb<br>
>>>> most seem to be word docs both .doc and .docx<br>
>>>> I have turned off OLE scans to see if that was a part of the problem<br>
>>>><br>
>>>> ClamAVmodule Maximum File Size = 5000000 # (5 Mbytes)<br>
>>>><br>
>>>> Max Spam Check Size = 40k<br>
>>>> Max SpamAssassin Size = 40k<br>
>>>> Max Custom Spam Scanner Size = 40k<br>
>>>><br>
>>>><br>
>>>><br>
>>>> the Server is a Xeon 2Ghz quad core 4 GB RAM<br>
>>>> it averages about 95% idle with about 2.5GB free RAM although when clamscan is running it might drop down to about 80% idle<br>
>>>><br>
>>>> I can turn on the debug option but it's not every mail that has this issue, it's probably 1 out of every 100 to 150 messages, so it might take some time to trigger the problem<br>
>>>><br>
>>>> the below message was 333.6kb<br>
>>>><br>
>>>> From MailWatch interface:<br>
>>>><br>
>>>> Subject: /removed to protect the innocent/<br>
>>>> MIME-Version: 1.0<br>
>>>> Content-Type: multipart/mixed;<br>
>>>> boundary="----_=_NextPart_001_01CA9B73.4F7F8242"<br>
>>>> Date: Fri, 22 Jan 2010 16:58:08 +0200<br>
>>>> Message-ID: <<a href="mailto:B8ADB5A39790EF41901A5F105DB2CB8DB43CCD@server.Hi-tech.local">B8ADB5A39790EF41901A5F105DB2CB8DB43CCD@server.Hi-tech.local</a>><br>
>>>> Content-class: urn:content-classes:message<br>
>>>> X-MimeOLE: Produced By Microsoft Exchange V6.5<br>
>>>> X-MS-Has-Attach:<br>
>>>> X-MS-TNEF-Correlator:<br>
>>>> Thread-Topic: removed to protect the innocent<br>
>>>> Thread-Index: AcgMB3G2oM864RICTwyR1vhZ6+t5JwAAI2GAPhemM7A=<br>
>>>> X-Priority: 1<br>
>>>> Priority: Urgent<br>
>>>> Importance: high<br>
>>>><br>
>>>> From maillog<br>
>>>><br>
>>>> Jan 22 16:54:42 mailav02 postfix/cleanup[12659]: EC4A71761FFF: message-id=<<a href="mailto:B8ADB5A39790EF41901A5F105DB2CB8DB43CCD@server.Hi-tech.local">B8ADB5A39790EF41901A5F105DB2CB8DB43CCD@server.Hi-tech.local</a>><br>
>>>> Jan 22 17:00:26 mailav02 MailScanner[14816]: Making attempt 2 at processing message EC4A71761FFF.00000<br>
>>>> Jan 22 17:05:25 mailav02 MailScanner[14819]: Making attempt 3 at processing message EC4A71761FFF.00000<br>
>>>> Jan 22 17:10:25 mailav02 MailScanner[14900]: Making attempt 4 at processing message EC4A71761FFF.00000<br>
>>>> Jan 22 17:12:47 mailav02 MailScanner[15034]: Making attempt 5 at processing message EC4A71761FFF.00000<br>
>>>> Jan 22 17:18:32 mailav02 MailScanner[14985]: Making attempt 6 at processing message EC4A71761FFF.00000<br>
>>>> Jan 22 17:18:33 mailav02 MailScanner[15120]: Warning: skipping message EC4A71761FFF.00000 as it has been attempted too many times<br>
>>>> Jan 22 17:18:33 mailav02 MailScanner[15120]: Quarantined message EC4A71761FFF.00000 as it caused MailScanner to crash several times<br>
>>>> Jan 22 17:18:33 mailav02 MailScanner[15120]: Saved entire message to /var/spool/MailScanner/quarantine/20100122/EC4A71761FFF.00000<br>
>>>> Jan 22 17:18:33 mailav02 MailScanner[15120]: Logging message EC4A71761FFF.00000 to SQL<br>
>>>><br>
>>>> Regards,<br>
>>>><br>
>>>> Lyndon<br>
>>>><br>
>>>><br>
>>>><br>
>>>><br>
>> Jules<br>
>><br>
><br>
<br>
<br>
------------------------------<br>
<br>
Message: 12<br>
Date: Fri, 22 Jan 2010 16:40:25 -0500<br>
From: Mike Wallace <<a href="mailto:mike@mlrw.com">mike@mlrw.com</a>><br>
Subject: Infected Messages Not Being Spam Checked<br>
To: <a href="mailto:mailscanner@lists.mailscanner.info">mailscanner@lists.mailscanner.info</a><br>
Message-ID: <<a href="mailto:64AB5CB5-8BFD-4987-8CF3-A3AC9C89E9C9@mlrw.com">64AB5CB5-8BFD-4987-8CF3-A3AC9C89E9C9@mlrw.com</a>><br>
Content-Type: text/plain; charset="us-ascii"<br>
<br>
I am having a problem with Virus infected messages not being spam checked and getting delivered to users.<br>
<br>
My configuration is MS 4.78.17-1 running on CentOS 5.4 with spamassassin 3.2.5-1 from the CentOS distribution, clamav 0.95.3-1 and razor-agents 2.84-1 from rpmforge, pyzor 0.5.0 and dcc 1.3.115. I am using the following additional spamassassin rules: Sought, OpenProtect and a couple of custom ones. All messages with a spam score of > 5.0 and <10.0 are redirected to a special mailbox. Anything >10.0 is deleted. This works great as I have a false positive rate of 0.16% and a false negative rate of 0.87% (if I exclude the viruses that passed). None of the false positives are high scoring spam >10.0.<br>
<br>
Here is an example of a message that was not spam checked:<br>
<br>
Return-Path: <a href="mailto:improvesx66@wires.tv">improvesx66@wires.tv</a><br>
Received: from <a href="http://mailserver.mlrw.com" target="_blank">mailserver.mlrw.com</a> (LHLO <a href="http://mailserver.mlrw.com" target="_blank">mailserver.mlrw.com</a>) by<br>
<a href="http://mailserver.mlrw.com" target="_blank">mailserver.mlrw.com</a> with LMTP; Thu, 21 Jan 2010 16:51:09 -0500 (EST)<br>
Received: from localhost (localhost.localdomain [127.0.0.1])<br>
by <a href="http://mailserver.mlrw.com" target="_blank">mailserver.mlrw.com</a> (Postfix) with ESMTP id 455AC1448859<br>
for <<a href="mailto:user@mlrw.com">user@mlrw.com</a>>; Thu, 21 Jan 2010 16:51:09 -0500 (EST)<br>
X-Virus-Scanned: amavisd-new at <a href="http://mlrw.com" target="_blank">mlrw.com</a><br>
Received: from <a href="http://gateway.mlrw.com" target="_blank">gateway.mlrw.com</a><br>
by <a href="http://mailserver.mlrw.com" target="_blank">mailserver.mlrw.com</a> (Postfix) with ESMTP id ECE031448858<br>
for <<a href="mailto:user@mlrw.com">user@mlrw.com</a>>; Thu, 21 Jan 2010 16:51:08 -0500 (EST)<br>
Received: from <a href="http://mx1.mailhop.org" target="_blank">mx1.mailhop.org</a> (<a href="http://mxout-144-iad.mailhop.org" target="_blank">mxout-144-iad.mailhop.org</a> [216.146.32.144])<br>
by <a href="http://mlrw.com" target="_blank">mlrw.com</a> (Postfix) with ESMTP id 3E1FA2A00C4<br>
for <<a href="mailto:user@mlrw.com">user@mlrw.com</a>>; Thu, 21 Jan 2010 16:51:08 -0500 (EST)<br>
Received: from <a href="http://noblet1.lnk.telstra.net" target="_blank">noblet1.lnk.telstra.net</a> (<a href="http://noblet1.lnk.telstra.net" target="_blank">noblet1.lnk.telstra.net</a> [165.228.74.75])<br>
by <a href="http://mx1.mailhop.org" target="_blank">mx1.mailhop.org</a> (Postfix) with ESMTP id CA691833D0B<br>
for <<a href="mailto:user@mlrw.com">user@mlrw.com</a>>; Thu, 21 Jan 2010 21:51:02 +0000 (UTC)<br>
Received: from 165.228.74.75 by <a href="http://mailstore1.secureserver.net" target="_blank">mailstore1.secureserver.net</a>; Fri, 22 Jan 2010 08:50:57 +1000<br>
Date: Fri, 22 Jan 2010 08:50:57 +1000<br>
From: "DHL Manager Keven Allen" <<a href="mailto:shipping@dhl.com">shipping@dhl.com</a>><br>
X-Mailer: The Bat! (v3.51.10) Professional<br>
Reply-To: <a href="mailto:improvesx66@wires.tv">improvesx66@wires.tv</a><br>
X-Priority: 3 (Normal)<br>
Message-ID: <<a href="mailto:256744380.35200801834064@wires.tv">256744380.35200801834064@wires.tv</a>><br>
To: <a href="mailto:user@mlrw.com">user@mlrw.com</a><br>
Subject: {VIRUS?} DHL Delivery Problem Number 81419.<br>
MIME-Version: 1.0<br>
Content-Type: multipart/mixed;<br>
boundary="----------4B369E401538E9"<br>
X-MLRW-MailScanner-ID: 3E1FA2A00C4.AAF25<br>
X-MLRW-MailScanner-VirusCheck: Message was found to be infected<br>
X-MLRW-MailScanner-SpamCheck:<br>
X-MLRW-MailScanner-From: <a href="mailto:improvesx66@wires.tv">improvesx66@wires.tv</a><br>
<br>
<br>
------------4B369E401538E9<br>
Content-Type: text/plain; charset=Windows-1252<br>
Content-Transfer-Encoding: 7bit<br>
<br>
Dear customer!<br>
<br>
The courier company was not able to deliver your parcel by your address.<br>
Cause: Error in shipping address.<br>
<br>
You may pickup the parcel at our post office personaly!<br>
<br>
Attention!<br>
The shipping label is attached to this e-mail.<br>
Please print this label to get this package at our post office.<br>
<br>
<br>
Please do not reply to this e-mail, it is an unmonitored mailbox!<br>
<br>
<br>
<br>
Thank you.<br>
DHL Delivery Services.<br>
<br>
<br>
<br>
<br>
------------4B369E401538E9<br>
Content-Type: application/zip; name="DHL_Label_NR06283.zip"<br>
Content-Transfer-Encoding: base64<br>
Content-Disposition: attachment; filename="DHL_Label_NR06283.zip"<br>
<br>
In the logs for clamd I see the following for that attachment: DHL_Label_NR06283.zip: Suspect.Bredozip-zippwd-2 FOUND<br>
<br>
If I run spamassassin against a quarantined copy of the message, here is its score:<br>
<br>
Content analysis details: (23.1 points, 5.0 required)<br>
<br>
pts rule name description<br>
---- ---------------------- --------------------------------------------------<br>
0.7 SARE_RECV_IP_FROMIP3 Received line is IP address from IP address<br>
3.0 RCVD_IN_XBL RBL: Received via a relay in Spamhaus XBL<br>
[165.228.74.75 listed in <a href="http://zen.spamhaus.org" target="_blank">zen.spamhaus.org</a>]<br>
2.0 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in <a href="http://bl.spamcop.net" target="_blank">bl.spamcop.net</a><br>
[Blocked - see <<a href="http://www.spamcop.net/bl.shtml?165.228.74.75" target="_blank">http://www.spamcop.net/bl.shtml?165.228.74.75</a>>]<br>
1.0 BAYES_60 BODY: Bayesian spam probability is 60 to 80%<br>
[score: 0.6792]<br>
0.5 RAZOR2_CHECK Listed in Razor2 (<a href="http://razor.sf.net/" target="_blank">http://razor.sf.net/</a>)<br>
1.5 RAZOR2_CF_RANGE_E4_51_100 Razor2 gives engine 4 confidence level<br>
above 50%<br>
[cf: 100]<br>
0.5 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%<br>
[cf: 100]<br>
3.7 PYZOR_CHECK Listed in Pyzor (<a href="http://pyzor.sf.net/" target="_blank">http://pyzor.sf.net/</a>)<br>
2.2 DCC_CHECK Listed in DCC (<a href="http://rhyolite.com/anti-spam/dcc/" target="_blank">http://rhyolite.com/anti-spam/dcc/</a>)<br>
0.0 DIGEST_MULTIPLE Message hits more than one network digest check<br>
4.0 JM_SOUGHT_1 Body contains frequently-spammed text patterns<br>
4.0 JM_SOUGHT_2 Body contains frequently-spammed text patterns<br>
<br>
As you can see it's greater than 10.0 which means it would have been deleted.<br>
<br>
Can anyone help me? I need to get these types of messages spam checked.<br>
<br>
Thanks.<br>
<br>
Mike<br>
<br>
<br>
------------------------------<br>
<br>
--<br>
MailScanner mailing list<br>
<a href="mailto:mailscanner@lists.mailscanner.info">mailscanner@lists.mailscanner.info</a><br>
<a href="http://lists.mailscanner.info/mailman/listinfo/mailscanner" target="_blank">http://lists.mailscanner.info/mailman/listinfo/mailscanner</a><br>
<br>
Before posting, read the Wiki (<a href="http://wiki.mailscanner.info/" target="_blank">http://wiki.mailscanner.info/</a>).<br>
<br>
Support MailScanner development - buy the book off the website!<br>
<br>
<br>
End of MailScanner Digest, Vol 49, Issue 31<br>
*******************************************<br>
</blockquote></div><br>
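The maillog excerpt quoted in Message 11 shows one message retried as attempts 2 through 6 before it is quarantined for crashing MailScanner. The following is an added example, not part of the digest or of MailScanner, that groups such lines per message so a looping message can be spotted before it exhausts its attempts. The function names `summarize` and `still_retrying` and the second message ID in the sample are invented for illustration.

```python
import re
from datetime import datetime

# Constructed sample. The EC4A71761FFF.00000 lines follow the maillog excerpt
# quoted in Message 11; the 0A1B2C3D4E5F.00001 lines are invented.
SAMPLE_LOG = """\
Jan 22 17:00:26 mailav02 MailScanner[14816]: Making attempt 2 at processing message EC4A71761FFF.00000
Jan 22 17:05:25 mailav02 MailScanner[14819]: Making attempt 3 at processing message EC4A71761FFF.00000
Jan 22 17:06:01 mailav02 MailScanner[14820]: Making attempt 2 at processing message 0A1B2C3D4E5F.00001
Jan 22 17:10:25 mailav02 MailScanner[14900]: Making attempt 4 at processing message EC4A71761FFF.00000
Jan 22 17:11:02 mailav02 MailScanner[14901]: Making attempt 3 at processing message 0A1B2C3D4E5F.00001
Jan 22 17:12:47 mailav02 MailScanner[15034]: Making attempt 5 at processing message EC4A71761FFF.00000
Jan 22 17:18:32 mailav02 MailScanner[14985]: Making attempt 6 at processing message EC4A71761FFF.00000
Jan 22 17:18:33 mailav02 MailScanner[15120]: Quarantined message EC4A71761FFF.00000 as it caused MailScanner to crash several times
"""

LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s+\S+\s+MailScanner\[(?P<pid>\d+)\]:\s+(?P<text>.*)$"
)
ATTEMPT = re.compile(r"Making attempt (\d+) at processing message (\S+)")
QUARANTINED = re.compile(r"Quarantined message (\S+) as it caused MailScanner to crash")


def summarize(log_text, year=2010):
    """Return {message_id: stats} for every retried or crash-quarantined message."""
    stats = {}

    def entry(msg_id, when):
        return stats.setdefault(msg_id, {
            "attempts": 0, "pids": set(), "first": when, "last": when,
            "quarantined": False,
        })

    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # not a MailScanner syslog line
        # Syslog timestamps carry no year, so the caller supplies one.
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        attempt = ATTEMPT.search(m["text"])
        crashed = QUARANTINED.search(m["text"])
        if attempt:
            e = entry(attempt[2], when)
            e["attempts"] = max(e["attempts"], int(attempt[1]))
            e["pids"].add(int(m["pid"]))  # distinct PIDs: a different worker each time
            e["last"] = max(e["last"], when)
        elif crashed:
            entry(crashed[1], when)["quarantined"] = True
    return stats


def still_retrying(stats, min_attempts=3):
    """Message IDs that keep being retried and have not been quarantined yet."""
    return sorted(
        msg_id for msg_id, e in stats.items()
        if e["attempts"] >= min_attempts and not e["quarantined"]
    )


if __name__ == "__main__":
    for msg_id, e in summarize(SAMPLE_LOG).items():
        span = int((e["last"] - e["first"]).total_seconds())
        print(msg_id, e["attempts"], len(e["pids"]), span, e["quarantined"])
    print("still retrying:", still_retrying(summarize(SAMPLE_LOG)))
```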
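The delivered message quoted in Message 12 carries `X-MLRW-MailScanner-VirusCheck: Message was found to be infected` together with an empty SpamCheck header. The following is an added sketch, not MailScanner code, that audits a mailbox copy for that combination. It assumes local delivery appears as a `Received ... with LMTP` hop, as in the quoted message; `audit` and the `CLEAN` sample are constructed for illustration.

```python
import re
from email import message_from_string

# Constructed sample: headers trimmed from the delivered message quoted in Message 12.
FLAGGED = """\
Received: from mailserver.mlrw.com (LHLO mailserver.mlrw.com) by
 mailserver.mlrw.com with LMTP; Thu, 21 Jan 2010 16:51:09 -0500 (EST)
Received: from mx1.mailhop.org (mxout-144-iad.mailhop.org [216.146.32.144])
 by mlrw.com (Postfix) with ESMTP id 3E1FA2A00C4
 for <user@mlrw.com>; Thu, 21 Jan 2010 16:51:08 -0500 (EST)
Subject: {VIRUS?} DHL Delivery Problem Number 81419.
X-MLRW-MailScanner-ID: 3E1FA2A00C4.AAF25
X-MLRW-MailScanner-VirusCheck: Message was found to be infected
X-MLRW-MailScanner-SpamCheck:
X-MLRW-MailScanner-From: improvesx66@wires.tv

(body omitted)
"""

# Constructed counter-example; host names and header values are invented.
CLEAN = """\
Received: from gateway.example.org by mailserver.example.org with LMTP;
 Thu, 21 Jan 2010 17:02:00 -0500 (EST)
Subject: Meeting notes
X-EXAMPLE-MailScanner-VirusCheck: Found to be clean
X-EXAMPLE-MailScanner-SpamCheck: not spam (constructed value)

(body omitted)
"""

# The organisation part of the header name is site-specific (MLRW on this page).
HEADER = re.compile(r"^X-(?P<org>.+)-MailScanner-(?P<kind>VirusCheck|SpamCheck)$", re.I)
LMTP_HOP = re.compile(r"\bwith\s+LMTP\b")


def audit(raw):
    """Report whether a stored message was flagged infected yet still delivered."""
    msg = message_from_string(raw)
    result = {"org": None, "infected": False, "spam_verdict": None,
              "subject_tagged": "{VIRUS?}" in (msg.get("Subject") or ""),
              "delivered": False, "findings": []}
    for name, value in msg.items():
        m = HEADER.match(name)
        if not m:
            continue
        result["org"] = m["org"]
        if m["kind"].lower() == "viruscheck":
            result["infected"] = "infected" in value.lower()
        else:
            # An empty SpamCheck header means no spam verdict was recorded.
            result["spam_verdict"] = value.strip() or None
    result["delivered"] = any(LMTP_HOP.search(r) for r in msg.get_all("Received", []))
    if result["infected"] and result["delivered"]:
        result["findings"].append("infected-delivered")
    if result["spam_verdict"] is None:
        result["findings"].append("no-spam-verdict")
    return result


if __name__ == "__main__":
    for label, raw in (("flagged", FLAGGED), ("clean", CLEAN)):
        print(label, audit(raw)["findings"])
```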