MailScanner supposedly crashed several times in just a few seconds

Bugs in eFa 4
victorburgos
Posts: 19
Joined: 13 May 2017 20:53

MailScanner supposedly crashed several times in just a few seconds

Post by victorburgos »

Hi,
I am seeing strange behavior on my server: some messages get quarantined because MailScanner supposedly crashed several times.

These are the logs for one message. As you can see, the message was received at 10:24:04; however, at 10:24:11, after just a few seconds, I get these two log entries:
  • Warning: skipping message 4DQ1Wm2zR2z48l5K as it has been attempted too many times
  • Quarantined message 4DQ1Wm2zR2z48l5K as it caused MailScanner to crash several times
First example supposedly crashed MailScanner many times in just 7 seconds:

[root@filter ]# grep 4DQ1Wm2zR2z48l5K /var/log/maillog
Jan 26 10:24:04 filter postfix/smtpd[3434]: 4DQ1Wm2zR2z48l5K: client=llsk280-a17.servidoresdns.net[82.223.190.11]
Jan 26 10:24:04 filter postfix/cleanup[3730]: 4DQ1Wm2zR2z48l5K: message-id=<b10b19b1-f70c-8fe6-c9a5-59c02bbba803@senderdomain.com>
Jan 26 10:24:04 filter opendkim[2505]: 4DQ1Wm2zR2z48l5K: llsk280-a17.servidoresdns.net [82.223.190.11] not internal
Jan 26 10:24:04 filter opendkim[2505]: 4DQ1Wm2zR2z48l5K: not authenticated
Jan 26 10:24:04 filter opendkim[2505]: 4DQ1Wm2zR2z48l5K: no signature data
Jan 26 10:24:05 filter opendmarc[2497]: 4DQ1Wm2zR2z48l5K: SPF(mailfrom): pedidos@senderdomain.com pass
Jan 26 10:24:05 filter opendmarc[2497]: 4DQ1Wm2zR2z48l5K: senderdomain.com none
Jan 26 10:24:06 filter postfix/cleanup[3730]: 4DQ1Wm2zR2z48l5K: milter-discard: END-OF-MESSAGE from llsk280-a17.servidoresdns.net[82.223.190.11]: milter triggers DISCARD action; from=<pedidos@senderdomain.com> to=<guillermo@targetdomain.com> proto=ESMTP helo=<llsk280-a17.servidoresdns.net>
Jan 26 10:24:06 filter MailScanner[17034]: <A> tag found in message 4DQ1Wm2zR2z48l5K from pedidos@senderdomain.com
Jan 26 10:24:06 filter MailScanner[17034]: HTML Img tag found in message 4DQ1Wm2zR2z48l5K from pedidos@senderdomain.com
Jan 26 10:24:11 filter MailScanner[17034]: Requeue: 4DQ1Wm2zR2z48l5K to 4DQ1Wv0PfXz8l5P
Jan 26 10:24:11 filter MailScanner[18895]: Warning: skipping message 4DQ1Wm2zR2z48l5K as it has been attempted too many times
Jan 26 10:24:11 filter MailScanner[18895]: Quarantined message 4DQ1Wm2zR2z48l5K as it caused MailScanner to crash several times
Jan 26 10:24:11 filter MailScanner[18895]: Saved entire message to /var/spool/MailScanner/quarantine/20210126/4DQ1Wm2zR2z48l5K
Jan 26 10:24:11 filter MailScanner[18895]: MailWatch: Logging message 4DQ1Wm2zR2z48l5K to SQL
Jan 26 10:24:11 filter MailScanner[3872]: MailWatch: 4DQ1Wm2zR2z48l5K: Logged to MailWatch SQL
Jan 26 10:24:11 filter MailScanner[17034]: MailWatch: Logging message 4DQ1Wm2zR2z48l5K to SQL
Jan 26 10:24:11 filter MailScanner[3872]: MailWatch: 4DQ1Wm2zR2z48l5K: Logged to MailWatch SQL
Second example supposedly crashed MailScanner many times in just 6 seconds:

[root@filter ]# grep 4DQh4p3hrdz5KhlP /var/log/maillog
Jan 27 12:21:30 filter postfix/smtpd[16506]: 4DQh4p3hrdz5KhlP: client=smtp2.senderdomain02.es[193.0.241.32]
Jan 27 12:21:30 filter postfix/cleanup[12443]: 4DQh4p3hrdz5KhlP: message-id=<32458208.1611746479665.JavaMail.ias@SLX00010876.senderdomain02.es>
Jan 27 12:21:30 filter opendkim[2505]: 4DQh4p3hrdz5KhlP: smtp2.senderdomain02.es [193.0.241.32] not internal
Jan 27 12:21:30 filter opendkim[2505]: 4DQh4p3hrdz5KhlP: not authenticated
Jan 27 12:21:30 filter opendkim[2505]: 4DQh4p3hrdz5KhlP: DKIM verification successful
Jan 27 12:21:30 filter opendmarc[2497]: 4DQh4p3hrdz5KhlP: SPF(mailfrom): data@senderdomain02.es pass
Jan 27 12:21:30 filter opendmarc[2497]: 4DQh4p3hrdz5KhlP: senderdomain02.es pass
Jan 27 12:21:31 filter postfix/cleanup[12443]: 4DQh4p3hrdz5KhlP: milter-discard: END-OF-MESSAGE from smtp2.senderdomain02.es[193.0.241.32]: milter triggers DISCARD action; from=<data@senderdomain02.es> to=<almacen@targetdomain02.com> proto=ESMTP helo=<smtp.senderdomain02.es>
Jan 27 12:21:36 filter MailScanner[7241]: Message 4DQh4p3hrdz5KhlP from 193.0.241.32 (data@senderdomain02.es) is whitelisted
Jan 27 12:21:36 filter MailScanner[7241]: Requeue: 4DQh4p3hrdz5KhlP to 4DQh4w2NBzzKhlS
Jan 27 12:21:36 filter MailScanner[4784]: Warning: skipping message 4DQh4p3hrdz5KhlP as it has been attempted too many times
Jan 27 12:21:36 filter MailScanner[4784]: Quarantined message 4DQh4p3hrdz5KhlP as it caused MailScanner to crash several times
Jan 27 12:21:36 filter MailScanner[4784]: Saved entire message to /var/spool/MailScanner/quarantine/20210127/4DQh4p3hrdz5KhlP
Jan 27 12:21:36 filter MailScanner[4784]: MailWatch: Logging message 4DQh4p3hrdz5KhlP to SQL
Jan 27 12:21:36 filter MailScanner[7988]: MailWatch: 4DQh4p3hrdz5KhlP: Logged to MailWatch SQL
Jan 27 12:21:36 filter MailScanner[7241]: MailWatch: Logging message 4DQh4p3hrdz5KhlP to SQL
Jan 27 12:21:36 filter MailScanner[7988]: MailWatch: 4DQh4p3hrdz5KhlP: Logged to MailWatch SQL
The first message contained just 3 attachments, nothing special:
[screenshot 2021-01-27_17-14-19.png: attachments of the first message]
The second message was just plain text with a PDF file:
[screenshot 2021-01-27_17-16-51.png: attachments of the second message]
Please note that the clamd unofficial signatures were disabled beforehand to debug this problem.

/etc/clamav-unofficial-sigs/user.conf
user_configuration_complete="no"
Questions I have about this:
  • How is it possible that MailScanner tried to scan the message many times in such a short amount of time?
  • Since I still have the message on my server, how can I manually make MailScanner scan it again to check whether there is something wrong with the message?
Thanks for your help.
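To check the timing question in the post against the maillog itself, here is an added example (not code from the thread or from the eFa/MailScanner project) that correlates the postfix receipt line, the MailScanner "Requeue" line and the "crash several times" quarantine line per queue ID and flags quarantines that happen implausibly soon after receipt. The sample log is a constructed subset of the lines quoted above; the year (syslog does not log one) and the 60-second threshold are assumptions.

```python
import re
from datetime import datetime

# Constructed sample: a subset of the maillog lines quoted in the post above.
SAMPLE_LOG = """\
Jan 26 10:24:04 filter postfix/smtpd[3434]: 4DQ1Wm2zR2z48l5K: client=llsk280-a17.servidoresdns.net[82.223.190.11]
Jan 26 10:24:11 filter MailScanner[17034]: Requeue: 4DQ1Wm2zR2z48l5K to 4DQ1Wv0PfXz8l5P
Jan 26 10:24:11 filter MailScanner[18895]: Warning: skipping message 4DQ1Wm2zR2z48l5K as it has been attempted too many times
Jan 26 10:24:11 filter MailScanner[18895]: Quarantined message 4DQ1Wm2zR2z48l5K as it caused MailScanner to crash several times
Jan 27 12:21:30 filter postfix/smtpd[16506]: 4DQh4p3hrdz5KhlP: client=smtp2.senderdomain02.es[193.0.241.32]
Jan 27 12:21:36 filter MailScanner[7241]: Requeue: 4DQh4p3hrdz5KhlP to 4DQh4w2NBzzKhlS
Jan 27 12:21:36 filter MailScanner[4784]: Quarantined message 4DQh4p3hrdz5KhlP as it caused MailScanner to crash several times
"""

# syslog line: "<Mon DD HH:MM:SS> <host> <program>[<pid>]: <message>" (the year is not logged)
LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ ([^\[\s]+)\[\d+\]: (.*)$")
RECEIVED_RE = re.compile(r"^(\S+): client=")
REQUEUE_RE = re.compile(r"^Requeue: (\S+) to (\S+)")
CRASH_RE = re.compile(r"^Quarantined message (\S+) as it caused MailScanner to crash")

def analyse(log_text, year=2021, threshold_seconds=60):
    """Correlate postfix receipt, MailScanner requeue and 'crash' quarantine per queue ID.
    A quarantine less than threshold_seconds after receipt is flagged as suspicious,
    since several genuine crash/retry cycles could not complete that quickly (assumed threshold)."""
    received, requeued, quarantined = {}, {}, {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        prog, msg = m.group(2), m.group(3)
        if prog == "postfix/smtpd" and (r := RECEIVED_RE.match(msg)):
            received.setdefault(r.group(1), ts)  # first time postfix saw this queue ID
        elif prog == "MailScanner" and (r := REQUEUE_RE.match(msg)):
            requeued[r.group(1)] = r.group(2)    # queue ID the message was requeued under
        elif prog == "MailScanner" and (r := CRASH_RE.match(msg)):
            quarantined[r.group(1)] = ts
    results = {}
    for qid, qts in quarantined.items():
        rts = received.get(qid)
        elapsed = (qts - rts).total_seconds() if rts else None
        results[qid] = {"received": rts, "quarantined": qts, "requeued_as": requeued.get(qid),
                        "seconds_to_quarantine": elapsed,
                        "suspicious": elapsed is not None and elapsed < threshold_seconds}
    return results
```

Feed analyse() the output of grep <queue-id> /var/log/maillog for a quarantined message; a record whose seconds_to_quarantine is only a few seconds shows that no real crash/retry cycles fit in that window, which is the situation described in the post.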
shawniverson
Posts: 3649
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA

Re: MailScanner supposedly crashed several times in just a few seconds

Post by shawniverson »

This may be related to the YARA rulesets; check out the announcement here:

viewtopic.php?f=8&p=17332#p17332