<div dir="ltr"><div dir="ltr"><div dir="ltr"><div class="gmail-gE gmail-iv gmail-gt" style="padding:20px 0px 0px;font-size:9.6px;font-family:Roboto,RobotoDraft,Helvetica,Arial,sans-serif"><span style="font-family:Arial,Helvetica,sans-serif;font-size:small">it would appear that increasing </span></div><div class="gmail-"><div id="gmail-:4w7" class="gmail-ii gmail-gt gmail-adO" style="direction:ltr;margin:8px 0px 0px;padding:0px"><div id="gmail-:41i" class="gmail-a3s gmail-aXjCH" style="overflow:hidden;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;line-height:1.5"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div style="font-family:Arial,Helvetica,sans-serif"><font size="4" face="monospace, monospace" style="font-size:small"><b><font color="#ff0000">Virus Scanner Timeout = 600</font></b> </font><font face="monospace, monospace" style="">(up from 300)</font><br></div><div style="font-family:Arial,Helvetica,sans-serif"><br></div><div style="font-family:Arial,Helvetica,sans-serif">in <span class="gmail-il">MailScanner</span>.conf, fixed it for me... at least for now.</div><div style="font-family:Arial,Helvetica,sans-serif"><br></div><div style="font-family:Arial,Helvetica,sans-serif">Now, mail is being virus-scanned and delivered successfully without any misleading subject tags; Albeit at a seemingly slow rate (here's an excerpt from the maillog showing the processing times of two email messages)<br></div><div style="font-family:Arial,Helvetica,sans-serif"><br></div><span style="font-family:monospace,monospace">Apr 8 14:45:12 MyHost MailScanner[</span><font color="#00ff00" style="font-family:monospace,monospace">185871</font><span style="font-family:monospace,monospace">]: Virus and Content Scanning: Starting</span><font face="monospace, monospace"><br></font></div><div dir="ltr"><font face="monospace, monospace">Apr 8 14:47:44 MyHost MailScanner[<font color="#00ff00">185871</font>]: Virus Scanning completed at 911 bytes per second<br></font><span style="font-family:monospace,monospace">Apr 8 14:51:41 MyHost MailScanner[</span><font color="#00ff00" style="font-family:monospace,monospace">185871</font><span style="font-family:monospace,monospace">]: Virus Processing completed at 299259 bytes per second</span> </div><div dir="ltr"><br></div><div dir="ltr"><font face="monospace, monospace">Apr 8 14:46:35</font><span style="font-family:monospace,monospace"> </span><span style="font-family:monospace,monospace">MyHost</span><span style="font-family:monospace,monospace"> </span><span style="font-family:monospace,monospace">MailScanner[</span><span style="color:rgb(255,0,255);font-family:monospace,monospace">182275</span><span style="font-family:monospace,monospace">]: Virus and Content Scanning: Starting</span></div><div dir="ltr"><span style="font-family:monospace,monospace">Apr 8 14:49:05 MyHost MailScanner[</span><font color="#ff00ff" style="font-family:monospace,monospace">182275</font><span style="font-family:monospace,monospace">]: Virus Scanning completed at 322 bytes per second</span><br></div><div dir="ltr"><font face="monospace, monospace">Apr 8 14:49:10 MyHost MailScanner[<font color="#ff00ff">182275</font>]: Virus Processing completed at 131233 bytes per second<br><br></font><div style="font-size:small;font-family:Arial,Helvetica,sans-serif"><br></div><font face="arial, helvetica, sans-serif">process [<span style="color:rgb(0,255,0)">185871</span>] took a little over 6 minutes to complete at a rate of 299259 bytes/sec<br>process [<span style="color:rgb(255,0,255)">182275</span>] took a little over 3 minutes to complete </font><span style="font-family:arial,helvetica,sans-serif">at a rate of </span><font face="arial, helvetica, sans-serif">131233 bytes/sec</font><div style=""><div style="font-family:Arial,Helvetica,sans-serif;font-size:small"><br></div><div style="font-family:Arial,Helvetica,sans-serif;font-size:small">If we take process 185871 scanning at 299kbtes/sec taking a little over 6 minutes to complete - one might think at that rate, that a message of 100MB+ was scanned - but it's no where near that.</div><div style="font-family:Arial,Helvetica,sans-serif;font-size:small"><br></div></div><div style="font-family:Arial,Helvetica,sans-serif">maybe it's I/O related... but i'm using a 256MB RAMDISK as the v-scanner's temp directory, here is the line from my fstab</div><div><font face="monospace, monospace"><b>tmpfs /var/spool/<span class="gmail-il">MailScanner</span>/incoming tmpfs rw,size=256M 0 0</b></font><br></div><div style="font-family:Arial,Helvetica,sans-serif"><br></div><div style="font-family:Arial,Helvetica,sans-serif">other thoughts</div><div style="font-family:Arial,Helvetica,sans-serif"><div>I don't get why the timeout has to be so high, is clamav wrapper method really that slow - is it a startup problem that would go away if i install and integrate with the clamd.socket (I know members have said this is preferable, just want to understand all aspects and why) or is there something else going awry?</div><div><br></div><div>Or </div><div><br></div><div>Why is a virus scan timeout automatically treated as a virus / denial of service attack - it seems to me that it should be configurable with something like this </div><div>Virus Scanner Timeout Action = [detect|deliver|drop|etc]</div></div></div></div></div></div></div></div></div><div dir="ltr"><br></div><div>thanks all for the support.</div><div><br></div><div>Best regards</div><div>Sebastiano</div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Sat, Apr 6, 2019 at 9:49 AM yuwang <<a href="mailto:yuwang@cs.fsu.edu">yuwang@cs.fsu.edu</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">"Could not read file /usr/share/MailScanner/reports/en/<a href="http://stored.fi" rel="noreferrer" target="_blank">stored.fi</a> [2]<br>
>> at /usr/share/MailScanner/perl/MailScanner/Config.pm line 2856.<br>
>> <br>
>> Error in line 1422, file<br>
>> "/usr/share/MailScanner/reports/en/<a href="http://stored.fi" rel="noreferrer" target="_blank">stored.fi</a> [2] them." for<br>
>> storedfilenamemessage does not exist (or can not be read) at<br>
>> /usr/share/MailScanner/perl/MailScanner/Config.pm line 3058."<br>
<br>
The file should be <br>
"/usr/share/MailScanner/reports/en/stored.filename.message.txt"<br>
<br>
Your error message says /usr/share/MailScanner/reports/en/<a href="http://stored.fi" rel="noreferrer" target="_blank">stored.fi</a><br>
<br>
What is the output of command:<br>
<br>
grep '<a href="http://stored.fi" rel="noreferrer" target="_blank">stored.fi</a>' /usr/share/MailScanner/perl/MailScanner/ConfigDefs.pl<br>
and<br>
ls -l /usr/share/MailScanner/reports/en/stored.filename.message.txt<br>
<br>
James<br>
<br>
<br>
On 2019-04-06 04:19, Sebastiano Dante Alighieri wrote:<br>
> After I upgraded to the latest version, i get no mail; MailScanner<br>
> Crashes continuously<br>
> <br>
>> APR 6 04:12:23 MYHOST MAILSCANNER[10890]: MAILSCANNER EMAIL<br>
>> PROCESSOR VERSION 5.1.3 STARTING...<br>
>> <br>
>> Apr 6 04:12:23 MyHost MailScanner[10890]: Reading configuration<br>
>> file /etc/MailScanner/MailScanner.conf<br>
>> <br>
>> Apr 6 04:12:23 MyHost MailScanner[10890]: Reading configuration<br>
>> file /etc/MailScanner/conf.d/README<br>
>> <br>
>> APR 6 04:12:23 MYHOST MAILSCANNER[10890]: COULD NOT READ FILE<br>
>> THEM.<br>
>> <br>
>> APR 6 04:12:23 MYHOST MAILSCANNER[10890]: ERROR IN LINE 1422,<br>
>> FILE "/USR/SHARE/MAILSCANNER/REPORTS/EN/<a href="http://STORED.FI" rel="noreferrer" target="_blank">STORED.FI</a> [1] THEM." FOR<br>
>> STOREDFILENAMEMESSAGE DOES NOT EXIST (OR CAN NOT BE READ)<br>
>> <br>
>> Apr 6 04:12:24 MyHost MailScanner[10890]: Read 1500 hostnames<br>
>> from the phishing whitelist<br>
>> <br>
>> Apr 6 04:12:24 MyHost MailScanner[10890]: Read 16624 hostnames<br>
>> from the phishing blacklists<br>
>> <br>
>> Apr 6 04:12:24 MyHost MailScanner[10890]: Using SpamAssassin<br>
>> results cache<br>
>> <br>
>> Apr 6 04:12:24 MyHost MailScanner[10890]: Connected to<br>
>> SpamAssassin cache database<br>
>> <br>
>> Apr 6 04:12:25 MyHost MailScanner[10890]: Enabling SpamAssassin<br>
>> auto-whitelist functionality...<br>
>> <br>
>> Apr 6 04:12:27 MyHost MailScanner[10885]: Auto: Found virus<br>
>> scanners: clamav<br>
>> <br>
>> Apr 6 04:12:27 MyHost MailScanner[10885]: Connected to Processing<br>
>> Attempts Database<br>
>> <br>
>> Apr 6 04:12:27 MyHost MailScanner[10885]: Found 1 messages in the<br>
>> Processing Attempts Database<br>
>> <br>
>> Apr 6 04:12:27 MyHost MailScanner[10885]: Using locktype = flock<br>
>> <br>
>> APR 6 04:12:28 MYHOST MAILSCANNER[10920]: MAILSCANNER EMAIL<br>
>> PROCESSOR VERSION 5.1.3 STARTING...<br>
>> <br>
>> Apr 6 04:12:28 MyHost MailScanner[10920]: Reading configuration<br>
>> file /etc/MailScanner/MailScanner.conf<br>
>> <br>
>> Apr 6 04:12:28 MyHost MailScanner[10920]: Reading configuration<br>
>> file /etc/MailScanner/conf.d/README<br>
>> <br>
>> Apr 6 04:12:28 MyHost MailScanner[10920]: Could not read file<br>
>> them.<br>
>> <br>
>> APR 6 04:12:28 MYHOST MAILSCANNER[10920]: ERROR IN LINE 1422,<br>
>> FILE "/USR/SHARE/MAILSCANNER/REPORTS/EN/<a href="http://STORED.FI" rel="noreferrer" target="_blank">STORED.FI</a> [1] THEM." FOR<br>
>> STOREDFILENAMEMESSAGE DOES NOT EXIST (OR CAN NOT BE READ)<br>
> <br>
> This goes on while there's a message to be processed in the db, until<br>
> it detects too many crashes and quarantines the message.<br>
> <br>
> when a new message comes in, it starts all over again.<br>
> <br>
> MAILSCANNER LINT OUTPUT<br>
> <br>
>> Could not read file /usr/share/MailScanner/reports/en/<a href="http://stored.fi" rel="noreferrer" target="_blank">stored.fi</a> [2]<br>
>> at /usr/share/MailScanner/perl/MailScanner/Config.pm line 2856.<br>
>> <br>
>> Error in line 1422, file<br>
>> "/usr/share/MailScanner/reports/en/<a href="http://stored.fi" rel="noreferrer" target="_blank">stored.fi</a> [2] them." for<br>
>> storedfilenamemessage does not exist (or can not be read) at<br>
>> /usr/share/MailScanner/perl/MailScanner/Config.pm line 3058.<br>
> <br>
> On Fri, Apr 5, 2019 at 8:31 PM yuwang <<a href="mailto:yuwang@cs.fsu.edu" target="_blank">yuwang@cs.fsu.edu</a>> wrote:<br>
> <br>
>> My guess is clamav update issue. What happens when you 'Mailscanner<br>
>> Lint'? use strace to attach to clam process, use lsof to see open<br>
>> files,<br>
>> and turn on debug mode on clam might help too.<br>
>> <br>
>> James<br>
>> <br>
>> On 2019-04-05 19:03, Sebastiano Dante Alighieri wrote:<br>
>>> Hi,<br>
>>> <br>
>>> In the past couple of days my email is all coming in with the<br>
>> subject<br>
>>> line tagged as {VIRUS}. This is true for all mail, but of course<br>
>>> there's no virus involved.<br>
>>> <br>
>>> Mailscanner v5.0.7<br>
>>> ClamAV v0.100.0<br>
>>> <br>
>>>> ClamAV update process started at Fri Apr 5 18:41:07 2019<br>
>>>> <br>
>>>> WARNING: Your ClamAV installation is OUTDATED!<br>
>>>> <br>
>>>> WARNING: Local version: 0.100.0 Recommended version: 0.101.2<br>
>>>> <br>
>>>> DON'T PANIC! Read<br>
>> <a href="https://www.clamav.net/documents/upgrading-clamav" rel="noreferrer" target="_blank">https://www.clamav.net/documents/upgrading-clamav</a><br>
>>>> <br>
>>>> main.cvd is up to date (version: 58, sigs: 4566249, f-level: 60,<br>
>>>> builder: sigmgr)<br>
>>>> <br>
>>>> daily.cld is up to date (version: 25410, sigs: 1552552, f-level:<br>
>> 63,<br>
>>>> builder: raynman)<br>
>>>> <br>
>>>> bytecode.cld is up to date (version: 328, sigs: 94, f-level: 63,<br>
>>>> builder: neo)<br>
>>> <br>
>>> A review of /var/log/maillog suggests that there's a problem with<br>
>>> ClamAV<br>
>>> <br>
>>>> Apr 5 18:31:22 myhost MailScanner[7448]: Virus and Content<br>
>>>> Scanning: Starting<br>
>>>> <br>
>>>> Apr 5 18:34:23 myhost MailScanner[7448]: AV ENGINE CLAMAV TIMED<br>
>> OUT<br>
>>>> <br>
>>>> Apr 5 18:34:23 myhost MailScanner[7448]: CLAMAV: FAILED TO<br>
>>>> COMPLETE, TIMED OUT<br>
>>>> <br>
>>>> Apr 5 18:34:23 myhost MailScanner[7448]: VIRUS SCANNING: DENIAL<br>
>> OF<br>
>>>> SERVICE ATTACK DETECTED!<br>
>>> <br>
>>> I've tried to observe what is happening on the system, while mail<br>
>> is<br>
>>> being scanned and what i can surmise is that clamscan is<br>
>> timing-out<br>
>>> (uses 100% CPU)<br>
>>> <br>
>>> any pointers would be greatly appreciated. I have not been able to<br>
>>> find anything online.<br>
>>> <br>
>>> I'll try upgrading to the latest and greatest MailScanner in the<br>
>> mean<br>
>>> time.<br>
>>> <br>
>>> thanks<br>
>>> Salighie<br>
> <br>
> <br>
> Links:<br>
> ------<br>
> [1] <a href="http://stored.fi" rel="noreferrer" target="_blank">http://stored.fi</a><br>
> [2] <a href="http://stored.fi/" rel="noreferrer" target="_blank">http://stored.fi/</a><br>
</blockquote></div></div></div>