Mailwatch problem - "bad" mail in quarantine

Bugs in eFa 4

Post by arazim1284 »

Hi,
Yesterday I received an email with two password-protected zips. Mailwatch has been down since then. Logs:
[Thu Jun 04 14:49:37.817294 2020] [proxy_fcgi:error] [pid 21699:tid 139738656773888] [client 10.70.147.240:62127] AH01067: Failed to read FastCGI header, referer: https://efa4.grh.izscr.cz/mailscanner/status.php

Now the mailwatch is working again, however, when I look for that email in quarantine, the pages are not displayed at all and the processor has a load of about 30%.
[Fri Jun 05 06:23:54.947152 2020] [proxy_fcgi:error] [pid 1075:tid 140328619157248] [client 10.70.147.240:51217] AH01067: Failed to read FastCGI header, referer: https://efa4.grh.izscr.cz/mailscanner/q ... 4&pageID=8


mail in quarantine:
[root@efa4 49d5DG1l61z1xPR]# ls -all ./
total 23864
drwxrwx---. 2 postfix mtagroup 4096 Jun 4 14:48 .
drwxrwx---. 177 postfix mtagroup 12288 Jun 4 21:31 ..
-rw-rw----. 1 postfix mtagroup 5404961 Jun 4 14:48 1details.bin
-rw-rw----. 1 postfix mtagroup 13624109 Jun 4 14:48 message
-rw-rw----. 1 postfix mtagroup 5385265 Jun 4 14:48 syslog-TL-312DEC-3240_2020-06-04_13-14-43.zip

I have Efa 4.0.2

Any ideas ?

Thanks

Post by pdwalker »

Some malicious messages can kill the antivirus or mailscanner.

Go read the file called "message" using the "less" command line tool. Is it legit, or does it look like spam? If it's spam, delete it and see if that resolves your problem.

[edit] someone may have better advice, so let's see what others have to say

Post by arazim1284 »

Mailscanner, spamassassin, postfix, antivirus are running and the scanned message is sent to the mail server (HCL Domino). Problem is Mailwatch.
The page in quarantine where the message is cannot be displayed. The screen is not drawn in its entirety, and the previous messages and CPU usage are in the log.

I forwarded the message from quarantine via the command line postfix -t < ./var/spool/... to view it on the destination mail server.

Post by arazim1284 »

Is it possible to delete one "bad" mail in quarantine from the console? That would probably solve it.
LA

Post by pdwalker »

It probably wouldn't hurt.

Or, I could replace the bad message with a good message and then forget about it.

Post by arazim1284 »

Next attempt.
I viewed email metadata via message id, in the attachment (report) of the message - saw. I deleted the message. But the result is the same. It's probably in the DB. When I'm looking for something, I have to put outside the date of the message arrival in the filter, otherwise the efa will freeze. It's similar when browsing in quarantine.
Attachments
report.zip
(3.9 KiB) Downloaded 163 times

Post by pdwalker »

What is in the report.zip and where did this come from? Maybe a partial screenshot of what it is supposed to look like so I know what I am trying to look at.

Post by arazim1284 »

Email metadata. A look at an email from an efa when I jump directly on it
Attachments
metadata.zip
(37.75 KiB) Downloaded 151 times

Post by pdwalker »

I have no idea what's happening there. Either the original message had a crapload of password protected zip files, or your sophos was going into some loop trying to process the file.

From what I can see (it's hard to get a clear idea from what I can see - a screenshot would have worked better), could it be that the report is too large and it's causing the mailwatch interface or your browser problems?

You can use a database utility to go into the maillog table and delete that record if you wish. That might fix your problem.

Take backups first before messing with the database unless you know exactly what you are doing.
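
Added example (not part of the thread and not code from eFa or MailWatch): one way to carry out the "back up, then delete that record" step against the maillog table while also checking whether the stored report really is oversized. The database name `mailscanner`, the column names `id`, `date`, `time`, `size` and `report`, the backup table name `maillog_removed`, and the use of the quarantine directory name from the first post as the message ID are assumptions; verify them with `DESCRIBE maillog;` before running anything.

```sql
-- Assumed database name; adjust to the local install.
USE mailscanner;

-- Assumption: the quarantine directory name from the first post
-- is the value stored in maillog.id for this message.
SET @msg_id = '49d5DG1l61z1xPR';

-- 1. Inspect the suspect row without pulling the whole report
--    into the client: only its length is returned.
SELECT id, `date`, `time`, size,
       CHAR_LENGTH(report) AS report_chars
FROM   maillog
WHERE  id = @msg_id;

-- 2. Check whether other rows from the same day also carry
--    unusually long reports (the day the filter stalls on).
SELECT id, CHAR_LENGTH(report) AS report_chars
FROM   maillog
WHERE  `date` = '2020-06-04'
ORDER  BY report_chars DESC
LIMIT  10;

-- 3. Keep a copy of the row in a side table before touching it.
--    maillog_removed is a hypothetical name for that backup table.
CREATE TABLE IF NOT EXISTS maillog_removed LIKE maillog;
INSERT INTO maillog_removed
SELECT * FROM maillog WHERE id = @msg_id;

-- 4. Delete inside a transaction and confirm the row count
--    before committing. This only protects you if maillog is
--    InnoDB; on MyISAM the DELETE takes effect immediately.
START TRANSACTION;
DELETE FROM maillog WHERE id = @msg_id;
SELECT ROW_COUNT() AS deleted_rows;   -- run right after the DELETE
-- If deleted_rows is not what step 1 showed, ROLLBACK instead.
COMMIT;
```

A full dump of the database taken beforehand is still the backup to rely on; the side table only makes restoring this single row convenient.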

Post by arazim1284 »

Screenshot email.
Screenshot when I filter emails (100 % unzip, php-fpm).
In addition, if the condition is date <> 04.6.2020, then everything is OK.
Attachments
efa.zip
(197.93 KiB) Downloaded 152 times

Post by shawniverson »

Did this scan get caught in a loop, by chance? The long report on that bin file alone should not cause this problem.

Post by arazim1284 »

I delete "bad" emails in quarantine via EFA. They are not in the quarantine (quarantine-spool, time 14:48). But before that I copied them to /root. When I browse quarantine, I really don't see them there (quarantine-4-6-2020-1448).

However, once I apply the filter (contained and Virus) there is a problem. The load will increase and the messages will be filtered until 4.6.2020, no further. To prevent this, you must put an exclude date or recipient there.
Attachments
quarantine.zip
(142.64 KiB) Downloaded 153 times