Mailwatch problem - "bad" mail in quarantine
-
- Posts: 12
- Joined: 09 Mar 2015 12:21
Mailwatch problem - "bad" mail in quarantine
Hi,
Yesterday I received an email with two password-protected zips. Mailwatch has been down since then. Logs:
[Thu Jun 04 14:49:37.817294 2020] [proxy_fcgi:error] [pid 21699:tid 139738656773888] [client 10.70.147.240:62127] AH01067: Failed to read FastCGI header, referer: https://efa4.grh.izscr.cz/mailscanner/status.php
Now the mailwatch is working again, however, when I look for that email in quarantine, the pages are not displayed at all and the processor has a load of about 30%.
[Fri Jun 05 06:23:54.947152 2020] [proxy_fcgi:error] [pid 1075:tid 140328619157248] [client 10.70.147.240:51217] AH01067: Failed to read FastCGI header, referer: https://efa4.grh.izscr.cz/mailscanner/q ... 4&pageID=8
mail in quarantine:
[root@efa4 49d5DG1l61z1xPR]# ls -all ./
total 23864
drwxrwx---. 2 postfix mtagroup 4096 Jun 4 14:48 .
drwxrwx---. 177 postfix mtagroup 12288 Jun 4 21:31 ..
-rw-rw----. 1 postfix mtagroup 5404961 Jun 4 14:48 1details.bin
-rw-rw----. 1 postfix mtagroup 13624109 Jun 4 14:48 message
-rw-rw----. 1 postfix mtagroup 5385265 Jun 4 14:48 syslog-TL-312DEC-3240_2020-06-04_13-14-43.zip
I have Efa 4.0.2
Any ideas?
Thanks
Re: Mailwatch problem - "bad" mail in quarantine
Some malicious messages can kill the antivirus or mailscanner.
Go read the file called "message" using the "less" command line tool. Is it legit, or does it look like spam? If it's spam, delete it and see if that resolves your problem.
[edit] someone may have better advice, so let's see what others have to say
-
- Posts: 12
- Joined: 09 Mar 2015 12:21
Re: Mailwatch problem - "bad" mail in quarantine
Mailscanner, spamassassin, postfix and antivirus are running, and the scanned message is sent to the mail server (HCL Domino). The problem is Mailwatch.
The page in quarantine where the message is cannot be displayed. The screen is not drawn in its entirety, and the previous messages and CPU usage are in the log.
I forwarded the message from quarantine via the command line postfix -t < ./var/spool/... to view it on the destination mail server.
-
- Posts: 12
- Joined: 09 Mar 2015 12:21
Re: Mailwatch problem - "bad" mail in quarantine
Is it possible to delete one "bad" mail in quarantine from the console? That would probably solve it.
LA
Re: Mailwatch problem - "bad" mail in quarantine
It probably wouldn't hurt.
Or, I could replace the bad message with a good message and then forget about it.
-
- Posts: 12
- Joined: 09 Mar 2015 12:21
Re: Mailwatch problem - "bad" mail in quarantine
Next attempt.
I viewed the email metadata via the message ID; it is in the attachment (report). I deleted the message, but the result is the same. It's probably in the DB.
When I'm looking for something, I have to exclude the date of the message's arrival in the filter, otherwise the EFA will freeze. It's similar when browsing in quarantine.
- Attachments
-
- report.zip
- (3.9 KiB) Downloaded 164 times
Re: Mailwatch problem - "bad" mail in quarantine
What is in the report.zip and where did this come from? Maybe a partial screenshot of how it is supposed to look like so I know what I am trying to look at.
-
- Posts: 12
- Joined: 09 Mar 2015 12:21
Re: Mailwatch problem - "bad" mail in quarantine
Email metadata. A look at an email from an efa when I jump directly on it
- Attachments
-
- metadata.zip
- (37.75 KiB) Downloaded 151 times
Re: Mailwatch problem - "bad" mail in quarantine
I have no idea what's happening there. Either the original message had a crapload of password protected zip files, or your sophos was going into some loop trying to process the file.
From what I can see (it's hard to get a clear idea from what I can see - a screenshot would have worked better), could it be that the report is too large and it's causing the mailwatch interface or your browser problems?
You can use a database utility to go into the maillog table and delete that record if you wish. That might fix your problem.
Take backups first before messing with the database unless you know exactly what you are doing.
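An added example (not part of the original posts, and not EFA or MailWatch project code) of the backup-then-delete step suggested in the reply above. It assumes MailWatch's stock schema (database `mailscanner`, table `maillog` with `id`, `date`, `time`, `size` and `report` columns) and that the record's `id` begins with the quarantine directory name shown earlier in the thread.

```sql
-- Assumption: stock MailWatch schema; adjust the names if your install differs.
USE mailscanner;

-- 1. Confirm which rows from the affected day carry an oversized report.
--    LENGTH() returns bytes, so a multi-megabyte report stands out at once.
SELECT id, `date`, `time`, size, LENGTH(report) AS report_bytes
FROM maillog
WHERE `date` = '2020-06-04'
ORDER BY report_bytes DESC
LIMIT 10;

-- 2. Keep a copy of the suspect row(s) before touching anything.
--    (A full mysqldump of the database beforehand is still the real backup.)
CREATE TABLE maillog_backup_20200604 LIKE maillog;
INSERT INTO maillog_backup_20200604
SELECT * FROM maillog
WHERE id LIKE '49d5DG1l61z1xPR%';

-- 3. Verify the copy matches what you expect to remove.
SELECT COUNT(*) AS backed_up FROM maillog_backup_20200604;

-- 4. Delete inside a transaction so an unexpected row count can be undone.
--    This only protects you if maillog uses InnoDB; on MyISAM the DELETE
--    is applied immediately and ROLLBACK has no effect.
START TRANSACTION;
DELETE FROM maillog
WHERE id LIKE '49d5DG1l61z1xPR%';
SELECT ROW_COUNT() AS rows_deleted;
-- If rows_deleted equals backed_up:
COMMIT;
-- Otherwise run ROLLBACK instead of COMMIT.
```

Once the web interface behaves normally again, the backup table can be dropped or exported for later analysis of the report contents.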
-
- Posts: 12
- Joined: 09 Mar 2015 12:21
Re: Mailwatch problem - "bad" mail in quarantine
Screenshot email.
Screenshot when I filter emails (100 % unzip, php-fpm).
In addition, if the condition is date <> 04.6.2020, then everything is OK.
- Attachments
-
- efa.zip
- (197.93 KiB) Downloaded 152 times
- shawniverson
- Posts: 3650
- Joined: 13 Jan 2014 23:30
- Location: Indianapolis, Indiana USA
Re: Mailwatch problem - "bad" mail in quarantine
Did this scan get caught in a loop, by chance? The long report on that bin file alone should not cause this problem.
-
- Posts: 12
- Joined: 09 Mar 2015 12:21
Re: Mailwatch problem - "bad" mail in quarantine
I deleted the "bad" emails in quarantine via EFA. They are not in the quarantine (quarantine-spool, time 14:48). But before that I copied them to /root. When I browse quarantine, I really don't see them there (quarantine-4-6-2020-1448).
However, once I apply the filter (contained and Virus) there is a problem. The load will increase and the messages will be filtered until 4.6.2020, no further. To prevent this, you must put an exclude date or recipient there.
- Attachments
-
- quarantine.zip
- (142.64 KiB) Downloaded 153 times