Discussion:
"Problem Messages" every hour
J Gao
2013-07-03 16:22:29 UTC
Permalink
Hi, All,

I just installed MailScanner v4.84.6 on a new email server (CentOS 6.4 +
Postfix + Courier) last week. Now as MailScanner admin I got lots email
with subject: "Problem Messages" every hour. The content is like this:

Archive:

Number of messages: 1
Tries Message Last Tried
===== ======= ==========
6 C3A94C22C2.A8945 Wed Jul 3 00:18:47 2013

-- MailScanner


On the server I found this mail is in quarantine.


I also received a warning email with subject "Other Bad Content Detected" :
The following e-mails were found to have: Other Bad Content Detected

Sender: ksximr388 at arbetarenzenit.se
IP Address: 24.172.66.66
Recipient: jgao at veecall.com
Subject: The 50 Best Foods for Weight Loss
MessageID: C3A94C22C2.A8945
Quarantine: /var/spool/MailScanner/quarantine/20130703/C3A94C22C2.A8945
Report: MailScanner: Message attempted to kill MailScanner


I googled and found a solution by deleting:
/var/spool/MailScanner/incoming/Processing.db

Yesterday I delete the above file and it has been quite until midnight.
This morning I see there is 9 emails in my Inbox for the same warning
message.

So I see "Message attempted to kill MailScanner". I don't know why it
isn't succeed and keep send me warning repeatedly. Is there something I
can do to let MailScanner take care these "Other Bad Content" and just
send me a warning once?



Here is related maillog:
-----------------------------
Making attempt 6 at processing message C3A94C22C2.A8945
Jul 3 00:16:25 szeta MailScanner[8999]: New Batch: Scanning 1 messages,
14246 bytes
Jul 3 00:16:26 szeta MailScanner[8999]: Virus and Content Scanning:
Starting
Jul 3 00:16:26 szeta MailScanner[8999]: Spam Checks: Starting
Jul 3 00:16:26 szeta MailScanner[8999]: SpamAssassin cache hit for
message C3A94C22C2.A8945
Jul 3 00:16:26 szeta MailScanner[8999]: Message C3A94C22C2.A8945 from
24.172.66.66 (ksximr388 at arbetarenzenit.se) to veecall.com is spam, Sp
amAssassin (cached, score=19.708, required 5, autolearn=spam, DCC_CHECK
1.10, DIGEST_MULTIPLE 0.00, DKIM_ADSP_NXDOMAIN 0.80, FS_WEIGHT_LOSS
1.54, HELO_DYNAMIC_IPADDR 3.24, HK_RANDOM_REPLYTO 0.58,
HTML_FONT_FACE_BAD 0.29, HTML_MESSAGE 0.00, MIME_HTML_ONLY 1.10,
NO_DNS_FOR_FROM 0.3
8, RAZOR2_CHECK 1.73, RCVD_IN_BL_SPAMCOP_NET 1.25, RCVD_IN_BRBL_LASTEXT
1.64, RCVD_IN_PSBL 2.70, RCVD_IN_RP_RNBL 1.28, RDNS_DYNAMIC 0.36, UR
IBL_BLOCKED 0.00, URIBL_DBL_SPAM 1.70)
Jul 3 00:16:26 szeta MailScanner[8999]: Spam Checks: Found 1 spam messages
Jul 3 00:16:26 szeta MailScanner[8999]: Spam Actions: message
C3A94C22C2.A8945 actions are store
Jul 3 00:16:29 szeta MailScanner[9169]: Warning: skipping message
C3A94C22C2.A8945 as it has been attempted too many times
Jul 3 00:16:29 szeta MailScanner[9169]: Quarantined message
C3A94C22C2.A8945 as it caused MailScanner to crash several times
Jul 3 00:16:29 szeta MailScanner[9169]: Saved entire message to
/var/spool/MailScanner/quarantine/20130703/C3A94C22C2.A8945
-----------------------------------

Also, I have this setting in my MailScanner.conf:
High Scoring Spam Actions = store

On our old email server I have this exactly same setting but I don't
have any problem.

Thanks for help.

Gao
--
__
_|==|_
('')__/
--(`^^')
(`^'^'`)
`======'
Martin Hepworth
2013-07-04 09:07:08 UTC
Permalink
check you're running MailScanner with the -U flag present

also double check all the file permissions in the working and quarantine
directories and the MailScanner.conf settings relating to these
--
Martin Hepworth, CISSP
Oxford, UK
Post by J Gao
Hi, All,
I just installed MailScanner v4.84.6 on a new email server (CentOS 6.4 +
Postfix + Courier) last week. Now as MailScanner admin I got lots email
Number of messages: 1
Tries Message Last Tried
===== ======= ==========
6 C3A94C22C2.A8945 Wed Jul 3 00:18:47 2013
-- MailScanner
On the server I found this mail is in quarantine.
The following e-mails were found to have: Other Bad Content Detected
Sender: ksximr388 at arbetarenzenit.se
IP Address: 24.172.66.66
Recipient: jgao at veecall.com
Subject: The 50 Best Foods for Weight Loss
MessageID: C3A94C22C2.A8945
Quarantine: /var/spool/MailScanner/quarantine/20130703/C3A94C22C2.A8945
Report: MailScanner: Message attempted to kill MailScanner
/var/spool/MailScanner/incoming/Processing.db
Yesterday I delete the above file and it has been quite until midnight.
This morning I see there is 9 emails in my Inbox for the same warning
message.
So I see "Message attempted to kill MailScanner". I don't know why it
isn't succeed and keep send me warning repeatedly. Is there something I
can do to let MailScanner take care these "Other Bad Content" and just
send me a warning once?
-----------------------------
Making attempt 6 at processing message C3A94C22C2.A8945
Jul 3 00:16:25 szeta MailScanner[8999]: New Batch: Scanning 1 messages,
14246 bytes
Starting
Jul 3 00:16:26 szeta MailScanner[8999]: Spam Checks: Starting
Jul 3 00:16:26 szeta MailScanner[8999]: SpamAssassin cache hit for
message C3A94C22C2.A8945
Jul 3 00:16:26 szeta MailScanner[8999]: Message C3A94C22C2.A8945 from
24.172.66.66 (ksximr388 at arbetarenzenit.se) to veecall.com is spam, Sp
amAssassin (cached, score=19.708, required 5, autolearn=spam, DCC_CHECK
1.10, DIGEST_MULTIPLE 0.00, DKIM_ADSP_NXDOMAIN 0.80, FS_WEIGHT_LOSS
1.54, HELO_DYNAMIC_IPADDR 3.24, HK_RANDOM_REPLYTO 0.58,
HTML_FONT_FACE_BAD 0.29, HTML_MESSAGE 0.00, MIME_HTML_ONLY 1.10,
NO_DNS_FOR_FROM 0.3
8, RAZOR2_CHECK 1.73, RCVD_IN_BL_SPAMCOP_NET 1.25, RCVD_IN_BRBL_LASTEXT
1.64, RCVD_IN_PSBL 2.70, RCVD_IN_RP_RNBL 1.28, RDNS_DYNAMIC 0.36, UR
IBL_BLOCKED 0.00, URIBL_DBL_SPAM 1.70)
Jul 3 00:16:26 szeta MailScanner[8999]: Spam Checks: Found 1 spam messages
Jul 3 00:16:26 szeta MailScanner[8999]: Spam Actions: message
C3A94C22C2.A8945 actions are store
Jul 3 00:16:29 szeta MailScanner[9169]: Warning: skipping message
C3A94C22C2.A8945 as it has been attempted too many times
Jul 3 00:16:29 szeta MailScanner[9169]: Quarantined message
C3A94C22C2.A8945 as it caused MailScanner to crash several times
Jul 3 00:16:29 szeta MailScanner[9169]: Saved entire message to
/var/spool/MailScanner/quarantine/20130703/C3A94C22C2.A8945
-----------------------------------
High Scoring Spam Actions = store
On our old email server I have this exactly same setting but I don't
have any problem.
Thanks for help.
Gao
--
__
_|==|_
('')__/
--(`^^')
(`^'^'`)
`======'
--
MailScanner mailing list
mailscanner at lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner
Before posting, read http://wiki.mailscanner.info/posting
Support MailScanner development - buy the book off the website!
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20130704/45776afd/attachment.html
J Gao
2013-07-05 23:47:14 UTC
Permalink
Post by Martin Hepworth
check you're running MailScanner with the -U flag present
also double check all the file permissions in the working and quarantine
directories and the MailScanner.conf settings relating to these
--
Martin Hepworth, CISSP
Oxford, UK
Thanks a lot. That "-U" works!.

Gao
--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
Remco Barendse
2013-10-01 03:51:48 UTC
Permalink
Post by J Gao
Post by Martin Hepworth
check you're running MailScanner with the -U flag present
also double check all the file permissions in the working and quarantine
directories and the MailScanner.conf settings relating to these
--
Martin Hepworth, CISSP
Oxford, UK
Thanks a lot. That "-U" works!.
Gao
Just a question, if adding -U to the the first like of
/usr/sbin/MailScanner helps to solve some issues, why isn't that done
as default ?
Arjan Melein
2013-10-01 10:20:37 UTC
Permalink
Post by Remco Barendse
Just a question, if adding -U to the the first like of
/usr/sbin/MailScanner helps to solve some issues, why isn't that done
as default ?
If you check 'perl -h' you'll see:
-U allow unsafe operations

If I remember correctly some functions got deprecated and changed in the newer Perl versions, the -U is only needed till the actual code that causes the problem is updated.
I think this was a discussion about running MS on an 'enterprise' distro as opposed to a more bleeding edge one too, although I think the latest enterprise distro's will have the problematic Perl version as well. (They already do or they will in the near future).

I'm not 100% sure about the above because it's been a while :-)

-
Arjan

Loading...