<div dir="ltr"><div>BTW: Thanks mark for the suggestion (increasing the timeout to 600 - that was a quick win!) - but long-term, i will try to get clamd working - I'm having some issues getting Clamd to start as a service - it hangs on the way up, crashes, tries to restart... but that's another thread.</div><div><br></div><div>I'll post that to the ClamAv mailing list.</div><div><br></div><div>Thanks again all for the support</div><div><br></div><div>much appreciated.</div><div><br></div><div>#LoveMailScanner</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, Apr 8, 2019 at 4:32 PM yuwang <<a href="mailto:yuwang@cs.fsu.edu">yuwang@cs.fsu.edu</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">What's the runtime for 'time Mailscanner --lint'?<br>
<br>
If you can, try Mark's suggestion and use clamd. I first used clamav and <br>
had performance issues, changed to clamd and everything has been fast <br>
since.<br>
<br>
James<br>
<br>
On 2019-04-08 16:11, Sebastiano Dante Alighieri wrote:<br>
> it would appear that increasing<br>
> <br>
> VIRUS SCANNER TIMEOUT = 600 (up from 300)<br>
> <br>
> in MailScanner.conf, fixed it for me... at least for now.<br>
> <br>
> Now, mail is being virus-scanned and delivered successfully without<br>
> any misleading subject tags; Albeit at a seemingly slow rate (here's<br>
> an excerpt from the maillog showing the processing times of two email<br>
> messages)<br>
> <br>
> Apr 8 14:45:12 MyHost MailScanner[185871]: Virus and Content Scanning:<br>
> Starting<br>
> <br>
> Apr 8 14:47:44 MyHost MailScanner[185871]: Virus Scanning completed at<br>
> 911 bytes per second<br>
> Apr 8 14:51:41 MyHost MailScanner[185871]: Virus Processing completed<br>
> at 299259 bytes per second<br>
> <br>
> Apr 8 14:46:35 MyHost MailScanner[182275]: Virus and Content Scanning:<br>
> Starting<br>
> Apr 8 14:49:05 MyHost MailScanner[182275]: Virus Scanning completed at<br>
> 322 bytes per second<br>
> <br>
> Apr 8 14:49:10 MyHost MailScanner[182275]: Virus Processing completed<br>
> at 131233 bytes per second<br>
> <br>
> process [185871] took a little over 6 minutes to complete at a rate of<br>
> 299259 bytes/sec<br>
> process [182275] took a little over 3 minutes to complete at a rate of<br>
> 131233 bytes/sec<br>
> <br>
> If we take process 185871 scanning at 299kbtes/sec taking a little<br>
> over 6 minutes to complete - one might think at that rate, that a<br>
> message of 100MB+ was scanned - but it's no where near that.<br>
> <br>
> maybe it's I/O related... but i'm using a 256MB RAMDISK as the<br>
> v-scanner's temp directory, here is the line from my fstab<br>
> TMPFS /VAR/SPOOL/MAILSCANNER/INCOMING TMPFS RW,SIZE=256M 0 0<br>
> <br>
> other thoughts<br>
> <br>
> I don't get why the timeout has to be so high, is clamav wrapper<br>
> method really that slow - is it a startup problem that would go away<br>
> if i install and integrate with the clamd.socket (I know members have<br>
> said this is preferable, just want to understand all aspects and why)<br>
> or is there something else going awry?<br>
> <br>
> Or<br>
> <br>
> Why is a virus scan timeout automatically treated as a virus / denial<br>
> of service attack - it seems to me that it should be configurable with<br>
> something like this<br>
> Virus Scanner Timeout Action = [detect|deliver|drop|etc]<br>
> <br>
> thanks all for the support.<br>
> <br>
> Best regards<br>
> Sebastiano<br>
> <br>
> On Sat, Apr 6, 2019 at 9:49 AM yuwang <<a href="mailto:yuwang@cs.fsu.edu" target="_blank">yuwang@cs.fsu.edu</a>> wrote:<br>
> <br>
>> "Could not read file /usr/share/MailScanner/reports/en/<a href="http://stored.fi" rel="noreferrer" target="_blank">stored.fi</a> [1]<br>
>> [2]<br>
>>>> at /usr/share/MailScanner/perl/MailScanner/Config.pm line 2856.<br>
>>>> <br>
>>>> Error in line 1422, file<br>
>>>> "/usr/share/MailScanner/reports/en/<a href="http://stored.fi" rel="noreferrer" target="_blank">stored.fi</a> [1] [2] them." for<br>
>>>> storedfilenamemessage does not exist (or can not be read) at<br>
>>>> /usr/share/MailScanner/perl/MailScanner/Config.pm line 3058."<br>
>> <br>
>> The file should be<br>
>> "/usr/share/MailScanner/reports/en/stored.filename.message.txt"<br>
>> <br>
>> Your error message says /usr/share/MailScanner/reports/en/<a href="http://stored.fi" rel="noreferrer" target="_blank">stored.fi</a><br>
>> [1]<br>
>> <br>
>> What is the output of command:<br>
>> <br>
>> grep '<a href="http://stored.fi" rel="noreferrer" target="_blank">stored.fi</a> [1]'<br>
>> /usr/share/MailScanner/perl/MailScanner/ConfigDefs.pl<br>
>> and<br>
>> ls -l<br>
>> /usr/share/MailScanner/reports/en/stored.filename.message.txt<br>
>> <br>
>> James<br>
>> <br>
>> On 2019-04-06 04:19, Sebastiano Dante Alighieri wrote:<br>
>>> After I upgraded to the latest version, i get no mail; MailScanner<br>
>>> Crashes continuously<br>
>>> <br>
>>>> APR 6 04:12:23 MYHOST MAILSCANNER[10890]: MAILSCANNER EMAIL<br>
>>>> PROCESSOR VERSION 5.1.3 STARTING...<br>
>>>> <br>
>>>> Apr 6 04:12:23 MyHost MailScanner[10890]: Reading<br>
>> configuration<br>
>>>> file /etc/MailScanner/MailScanner.conf<br>
>>>> <br>
>>>> Apr 6 04:12:23 MyHost MailScanner[10890]: Reading<br>
>> configuration<br>
>>>> file /etc/MailScanner/conf.d/README<br>
>>>> <br>
>>>> APR 6 04:12:23 MYHOST MAILSCANNER[10890]: COULD NOT READ FILE<br>
>>>> THEM.<br>
>>>> <br>
>>>> APR 6 04:12:23 MYHOST MAILSCANNER[10890]: ERROR IN LINE 1422,<br>
>>>> FILE "/USR/SHARE/MAILSCANNER/REPORTS/EN/<a href="http://STORED.FI" rel="noreferrer" target="_blank">STORED.FI</a> [2] [1] THEM."<br>
>> FOR<br>
>>>> STOREDFILENAMEMESSAGE DOES NOT EXIST (OR CAN NOT BE READ)<br>
>>>> <br>
>>>> Apr 6 04:12:24 MyHost MailScanner[10890]: Read 1500 hostnames<br>
>>>> from the phishing whitelist<br>
>>>> <br>
>>>> Apr 6 04:12:24 MyHost MailScanner[10890]: Read 16624 hostnames<br>
>>>> from the phishing blacklists<br>
>>>> <br>
>>>> Apr 6 04:12:24 MyHost MailScanner[10890]: Using SpamAssassin<br>
>>>> results cache<br>
>>>> <br>
>>>> Apr 6 04:12:24 MyHost MailScanner[10890]: Connected to<br>
>>>> SpamAssassin cache database<br>
>>>> <br>
>>>> Apr 6 04:12:25 MyHost MailScanner[10890]: Enabling<br>
>> SpamAssassin<br>
>>>> auto-whitelist functionality...<br>
>>>> <br>
>>>> Apr 6 04:12:27 MyHost MailScanner[10885]: Auto: Found virus<br>
>>>> scanners: clamav<br>
>>>> <br>
>>>> Apr 6 04:12:27 MyHost MailScanner[10885]: Connected to<br>
>> Processing<br>
>>>> Attempts Database<br>
>>>> <br>
>>>> Apr 6 04:12:27 MyHost MailScanner[10885]: Found 1 messages in<br>
>> the<br>
>>>> Processing Attempts Database<br>
>>>> <br>
>>>> Apr 6 04:12:27 MyHost MailScanner[10885]: Using locktype =<br>
>> flock<br>
>>>> <br>
>>>> APR 6 04:12:28 MYHOST MAILSCANNER[10920]: MAILSCANNER EMAIL<br>
>>>> PROCESSOR VERSION 5.1.3 STARTING...<br>
>>>> <br>
>>>> Apr 6 04:12:28 MyHost MailScanner[10920]: Reading<br>
>> configuration<br>
>>>> file /etc/MailScanner/MailScanner.conf<br>
>>>> <br>
>>>> Apr 6 04:12:28 MyHost MailScanner[10920]: Reading<br>
>> configuration<br>
>>>> file /etc/MailScanner/conf.d/README<br>
>>>> <br>
>>>> Apr 6 04:12:28 MyHost MailScanner[10920]: Could not read file<br>
>>>> them.<br>
>>>> <br>
>>>> APR 6 04:12:28 MYHOST MAILSCANNER[10920]: ERROR IN LINE 1422,<br>
>>>> FILE "/USR/SHARE/MAILSCANNER/REPORTS/EN/<a href="http://STORED.FI" rel="noreferrer" target="_blank">STORED.FI</a> [2] [1] THEM."<br>
>> FOR<br>
>>>> STOREDFILENAMEMESSAGE DOES NOT EXIST (OR CAN NOT BE READ)<br>
>>> <br>
>>> This goes on while there's a message to be processed in the db,<br>
>> until<br>
>>> it detects too many crashes and quarantines the message.<br>
>>> <br>
>>> when a new message comes in, it starts all over again.<br>
>>> <br>
>>> MAILSCANNER LINT OUTPUT<br>
>>> <br>
>>>> Could not read file /usr/share/MailScanner/reports/en/<a href="http://stored.fi" rel="noreferrer" target="_blank">stored.fi</a><br>
>> [1] [2]<br>
>>>> at /usr/share/MailScanner/perl/MailScanner/Config.pm line 2856.<br>
>>>> <br>
>>>> Error in line 1422, file<br>
>>>> "/usr/share/MailScanner/reports/en/<a href="http://stored.fi" rel="noreferrer" target="_blank">stored.fi</a> [1] [2] them." for<br>
>>>> storedfilenamemessage does not exist (or can not be read) at<br>
>>>> /usr/share/MailScanner/perl/MailScanner/Config.pm line 3058.<br>
>>> <br>
>>> On Fri, Apr 5, 2019 at 8:31 PM yuwang <<a href="mailto:yuwang@cs.fsu.edu" target="_blank">yuwang@cs.fsu.edu</a>> wrote:<br>
>>> <br>
>>>> My guess is clamav update issue. What happens when you<br>
>> 'Mailscanner<br>
>>>> Lint'? use strace to attach to clam process, use lsof to see open<br>
>>>> files,<br>
>>>> and turn on debug mode on clam might help too.<br>
>>>> <br>
>>>> James<br>
>>>> <br>
>>>> On 2019-04-05 19:03, Sebastiano Dante Alighieri wrote:<br>
>>>>> Hi,<br>
>>>>> <br>
>>>>> In the past couple of days my email is all coming in with the<br>
>>>> subject<br>
>>>>> line tagged as {VIRUS}. This is true for all mail, but of course<br>
>>>>> there's no virus involved.<br>
>>>>> <br>
>>>>> Mailscanner v5.0.7<br>
>>>>> ClamAV v0.100.0<br>
>>>>> <br>
>>>>>> ClamAV update process started at Fri Apr 5 18:41:07 2019<br>
>>>>>> <br>
>>>>>> WARNING: Your ClamAV installation is OUTDATED!<br>
>>>>>> <br>
>>>>>> WARNING: Local version: 0.100.0 Recommended version: 0.101.2<br>
>>>>>> <br>
>>>>>> DON'T PANIC! Read<br>
>>>> <a href="https://www.clamav.net/documents/upgrading-clamav" rel="noreferrer" target="_blank">https://www.clamav.net/documents/upgrading-clamav</a><br>
>>>>>> <br>
>>>>>> main.cvd is up to date (version: 58, sigs: 4566249, f-level:<br>
>> 60,<br>
>>>>>> builder: sigmgr)<br>
>>>>>> <br>
>>>>>> daily.cld is up to date (version: 25410, sigs: 1552552,<br>
>> f-level:<br>
>>>> 63,<br>
>>>>>> builder: raynman)<br>
>>>>>> <br>
>>>>>> bytecode.cld is up to date (version: 328, sigs: 94, f-level:<br>
>> 63,<br>
>>>>>> builder: neo)<br>
>>>>> <br>
>>>>> A review of /var/log/maillog suggests that there's a problem<br>
>> with<br>
>>>>> ClamAV<br>
>>>>> <br>
>>>>>> Apr 5 18:31:22 myhost MailScanner[7448]: Virus and Content<br>
>>>>>> Scanning: Starting<br>
>>>>>> <br>
>>>>>> Apr 5 18:34:23 myhost MailScanner[7448]: AV ENGINE CLAMAV<br>
>> TIMED<br>
>>>> OUT<br>
>>>>>> <br>
>>>>>> Apr 5 18:34:23 myhost MailScanner[7448]: CLAMAV: FAILED TO<br>
>>>>>> COMPLETE, TIMED OUT<br>
>>>>>> <br>
>>>>>> Apr 5 18:34:23 myhost MailScanner[7448]: VIRUS SCANNING:<br>
>> DENIAL<br>
>>>> OF<br>
>>>>>> SERVICE ATTACK DETECTED!<br>
>>>>> <br>
>>>>> I've tried to observe what is happening on the system, while<br>
>> mail<br>
>>>> is<br>
>>>>> being scanned and what i can surmise is that clamscan is<br>
>>>> timing-out<br>
>>>>> (uses 100% CPU)<br>
>>>>> <br>
>>>>> any pointers would be greatly appreciated. I have not been able<br>
>> to<br>
>>>>> find anything online.<br>
>>>>> <br>
>>>>> I'll try upgrading to the latest and greatest MailScanner in the<br>
>>>> mean<br>
>>>>> time.<br>
>>>>> <br>
>>>>> thanks<br>
>>>>> Salighie<br>
>>> <br>
>>> <br>
>>> Links:<br>
>>> ------<br>
>>> [1] <a href="http://stored.fi" rel="noreferrer" target="_blank">http://stored.fi</a><br>
>>> [2] <a href="http://stored.fi/" rel="noreferrer" target="_blank">http://stored.fi/</a><br>
> <br>
> <br>
> Links:<br>
> ------<br>
> [1] <a href="http://stored.fi" rel="noreferrer" target="_blank">http://stored.fi</a><br>
> [2] <a href="http://STORED.FI" rel="noreferrer" target="_blank">http://STORED.FI</a><br>
</blockquote></div>