<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Lato;
panose-1:2 15 5 2 2 2 4 3 2 3;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;
mso-fareast-language:EN-US;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Lato",sans-serif;
color:#404040;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;
mso-fareast-language:EN-US;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-GB link="#0563C1" vlink="#954F72"><div class=WordSection1><p class=MsoNormal>Hi everyone,<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>It’s been a while since I posted to this list. <o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>I’ve had a few problems recently with a very large amount of incoming mail with viruses. We would usually see around 10M – 50M of quarantined items reaching us on a daily basis, but over the last week we have seen a dramatic increase, for example – <o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>/var/spool/MailScanner/quarantine # du -h -d0 *<o:p></o:p></p><p class=MsoNormal> 10M 20161120<o:p></o:p></p><p class=MsoNormal>286M 20161121<o:p></o:p></p><p class=MsoNormal>508M 20161122<o:p></o:p></p><p class=MsoNormal>450M 20161123<o:p></o:p></p><p class=MsoNormal>517M 20161124<o:p></o:p></p><p class=MsoNormal> 26M 20161125<o:p></o:p></p><p class=MsoNormal> 61M 20161126<o:p></o:p></p><p class=MsoNormal>7.8M 20161127<o:p></o:p></p><p class=MsoNormal>90M 20161128<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>I am alerted by our monitoring software of my mailq.in directory reaching over 500 emails. When I look at mailscanner I see the following entries in my maillog – <o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Nov 23 23:59:06 btn-mailfilter-v3 MailScanner[32258]: Clamd::INFECTED:: Sanesecurity.Foxhole.JS_Zip_1.UNOFFICIAL :: ./uANNO06T008551/receipt_staton.zip<o:p></o:p></p><p class=MsoNormal>Nov 23 23:59:06 btn-mailfilter-v3 MailScanner[32258]: Infected message uANNO06T008551 came from 186.54.46.177<o:p></o:p></p><p class=MsoNormal>Nov 23 23:59:11 btn-mailfilter-v3 MailScanner[32316]: Clamd::INFECTED:: Sanesecurity.Foxhole.JS_Zip_1.UNOFFICIAL :: ./uANNO06T008551/receipt_staton.zip<o:p></o:p></p><p class=MsoNormal>Nov 23 23:59:11 btn-mailfilter-v3 MailScanner[32316]: Infected message uANNO06T008551 came from 186.54.46.177<o:p></o:p></p><p class=MsoNormal>Nov 23 23:59:16 btn-mailfilter-v3 MailScanner[32368]: Clamd::INFECTED:: Sanesecurity.Foxhole.JS_Zip_1.UNOFFICIAL :: ./uANNO06T008551/receipt_staton.zip<o:p></o:p></p><p class=MsoNormal>Nov 23 23:59:16 btn-mailfilter-v3 MailScanner[32368]: Infected message uANNO06T008551 came from 186.54.46.177<o:p></o:p></p><p class=MsoNormal>Nov 23 23:59:21 btn-mailfilter-v3 MailScanner[32419]: Clamd::INFECTED:: Sanesecurity.Foxhole.JS_Zip_1.UNOFFICIAL :: ./uANNO06T008551/receipt_staton.zip<o:p></o:p></p><p class=MsoNormal>Nov 23 23:59:21 btn-mailfilter-v3 MailScanner[32419]: Infected message uANNO06T008551 came from 186.54.46.177<o:p></o:p></p><p class=MsoNormal>Nov 23 23:59:26 btn-mailfilter-v3 MailScanner[32475]: Clamd::INFECTED::Sanesecurity.Foxhole.JS_Zip_1.UNOFFICIAL :: ./uANNO06T008551/<o:p></o:p></p><p class=MsoNormal>Nov 23 23:59:26 btn-mailfilter-v3 MailScanner[32475]: Clamd::INFECTED:: Sanesecurity.Foxhole.JS_Zip_1.UNOFFICIAL :: ./uANNO06T008551/receipt_staton.zip<o:p></o:p></p><p class=MsoNormal>Nov 23 23:59:26 btn-mailfilter-v3 MailScanner[32475]: Infected message uANNO06T008551 came from 186.54.46.177<o:p></o:p></p><p class=MsoNormal>Nov 23 23:59:36 btn-mailfilter-v3 MailScanner[32577]: Clamd::INFECTED::Sanesecurity.Foxhole.JS_Zip_1.UNOFFICIAL :: ./uANNO06T008551/<o:p></o:p></p><p class=MsoNormal>Nov 23 23:59:36 btn-mailfilter-v3 MailScanner[32577]: Clamd::INFECTED:: Sanesecurity.Foxhole.JS_Zip_1.UNOFFICIAL :: ./uANNO06T008551/receipt_staton.zip<o:p></o:p></p><p class=MsoNormal>Nov 23 23:59:36 btn-mailfilter-v3 MailScanner[32577]: Infected message uANNO06T008551 came from 186.54.46.177<o:p></o:p></p><p class=MsoNormal>Nov 23 23:59:36 btn-mailfilter-v3 MailScanner[32577]: Saved entire message to /var/spool/MailScanner/quarantine/20161123/uANNO06T008551<o:p></o:p></p><p class=MsoNormal>Nov 23 23:59:36 btn-mailfilter-v3 MailScanner[32577]: writing to /var/spool/MailScanner/quarantine/20161123/uANNO06T008551/message: No such file or directory<o:p></o:p></p><p class=MsoNormal>Nov 23 23:59:41 btn-mailfilter-v3 MailScanner[32635]: Clamd::INFECTED:: Sanesecurity.Foxhole.JS_Zip_1.UNOFFICIAL :: ./uANNO06T008551/receipt_staton.zip<o:p></o:p></p><p class=MsoNormal>Nov 23 23:59:41 btn-mailfilter-v3 MailScanner[32635]: Infected message uANNO06T008551 came from 186.54.46.177<o:p></o:p></p><p class=MsoNormal>Nov 23 23:59:46 btn-mailfilter-v3 MailScanner[32678]: Clamd::INFECTED::Sanesecurity.Foxhole.JS_Zip_1.UNOFFICIAL :: ./uANNO06T008551/<o:p></o:p></p><p class=MsoNormal>Nov 23 23:59:46 btn-mailfilter-v3 MailScanner[32678]: Clamd::INFECTED:: Sanesecurity.Foxhole.JS_Zip_1.UNOFFICIAL :: ./uANNO06T008551/receipt_staton.zip<o:p></o:p></p><p class=MsoNormal>Nov 23 23:59:46 btn-mailfilter-v3 MailScanner[32678]: Infected message uANNO06T008551 came from 186.54.46.177<o:p></o:p></p><p class=MsoNormal>Nov 23 23:59:46 btn-mailfilter-v3 MailScanner[32678]: Saved entire message to /var/spool/MailScanner/quarantine/20161123/uANNO06T008551<o:p></o:p></p><p class=MsoNormal>Nov 23 23:59:46 btn-mailfilter-v3 MailScanner[32678]: writing to /var/spool/MailScanner/quarantine/20161123/uANNO06T008551/message: No such file or directory<o:p></o:p></p><p class=MsoNormal>Nov 23 23:59:51 btn-mailfilter-v3 MailScanner[32736]: Clamd::INFECTED:: Sanesecurity.Foxhole.JS_Zip_1.UNOFFICIAL :: ./uANNO06T008551/receipt_staton.zip<o:p></o:p></p><p class=MsoNormal>Nov 23 23:59:51 btn-mailfilter-v3 MailScanner[32736]: Infected message uANNO06T008551 came from 186.54.46.177<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>This just goes on and on and from what I can tell MailScanner cannot process the email to my quarantine directory. Permissions are fine – since all emails prior to this where quarantined. The fix seems to be me removing the /var/spool/MailScanner/quarantine/20161123 folder altogether and letting mailscanner create it again. <o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>When I remove the directory and restart mailscanner, everything works fine again and the emails get sent to their respective folders that were in my queue. I assume mailscanner tries to read this directory and runs out of memory or something, since it has grown so large? I only ever get this problem when the directory is at a certain size, otherwise I never see any problems with mailscanner. <o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Does anyone think this is a mailscanner problem, or something else? I’m wondering how to test this, maybe put some very large files in that directory and see how mailscanner copes? Or I could just put all the files in one of the large folders into today’s folder and see what happens, possibly run a –lint with the –D switch? <o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Thanks,<o:p></o:p></p><p class=MsoNormal>Rich<o:p></o:p></p></div></body></html>