Hello list, The Problem was that I disabled ArchiveMaxCompressionRatio. I changed it to ArchiveMaxCompressionRatio = 250. And the mailbomb will be detected.
Bye Stefan Stefan Jakobs: > Hello list, > > I'm running a server with postfix 2.4.3, amavis 2.5.2 and clamav 0.91.1. > Yesterday I send the testmessage sample-42-mail-bomb.txt from the > amavisd-new package through my mailsystem and got the following: > > Aug 6 14:24:19 server amavis[22492]: (22492-03) > LMTP::10024 /var/amavis/tmp/amavis-20070806T121754-22492: > <[EMAIL PROTECTED]> -> <[EMAIL PROTECTED]> > SIZE=58837 Received: from server.rus.uni-stuttgart.de ([127.0.0.1]) by > localhost (server.rus.uni-stuttgart.de [127.0.0.1]) (amavisd-new, port > 10024) with LMTP for <[EMAIL PROTECTED]>; > Mon, 6 Aug 2007 14:24:19 +0200 (CEST)Aug 6 14:24:19 server amavis[22492]: > (22492-03) Checking: fzp62XeV6x7t <[EMAIL PROTECTED]> -> > <[EMAIL PROTECTED]> > Aug 6 14:26:59 server amavis[22492]: (22492-03) ClamAV-clamd: timed out, > retrying (1) > Aug 6 14:27:31 server amavis[22492]: (22492-03) (!)ClamAV-clamd: timed > out, retrying (2) > Aug 6 14:27:47 server amavis[22492]: (22492-03) (!)run_av (ClamAV-clamd, > built-in i/f): Exceeded allowed time at (eval 55) line 309, <GEN15> line > 352. Aug 6 14:27:47 server amavis[22492]: (22492-03) (!!)ClamAV-clamd > av-scanner FAILED: CODE(0x6243e0) Exceeded allowed time at (eval 55) line > 309, <GEN15> line 352. at (eval 55) line 511, <GEN15> line 352. > Aug 6 14:27:53 server amavis[22492]: (22492-03) TIMING [total 214528 ms] - > SMTP greeting: 2 (0%)0, SMTP LHLO: 1 (0%)0, SMTP pre-MAIL: 0 (0%)0, SMTP > pre-DATA-flush: 2 (0%)0, SMTP DATA: 42 (0%)0, check_init: 1 (0%)0, > digest_hdr: 0 (0%)0, digest_body: 1 (0%)0, gen_mail_id: 1 (0%)0, > check_header: 1 (0%)0, AV-scan-1: 208012 (97%)97, AV-scan-2: 6 (0%)97, > spam-wb-list: 1 (0%)97, SA parse: 5 (0%)97, SA check: 6350 (3%)100, > update_cache: 5 (0%)100, decide_mail_destiny: 1 (0%)100, fwd-connect: 12 > (0%) 100, fwd-mail-pip: 12 (0%)100, fwd-rcpt-pip: 0 (0%)100, > fwd-data-chkpnt: 0 (0%)100, write-header: 1 (0%)100, fwd-data-contents: 1 > (0%)100, > fwd-end-chkpnt: 64 (0%)100, prepare-dsn: 1 (0%)100, main_log_entry: 7 (0%) > 100, update_snmp: 1 (0%)100, SMTP pre-response: 0 (0%)100, SMTP response: 0 > (0%)100, unlink-1-files: 0 (0%)100, rundown: 0 (0%)100 > Aug 6 14:27:53 server amavis[22492]: (22492-03) Requesting process rundown > after 10 tasks (and 3 sessions) > > After that clamd used 99% of the CPU time. After 15 Minutes I restarted > clamd and it worked fine again. Then I did a > # clamscan sample-42-mail-bomb.txt and got: > sample-42-mail-bomb.txt: Oversized.Zip FOUND > > ----------- SCAN SUMMARY ----------- > Known viruses: 143072 > Engine version: 0.91.1 > Scanned directories: 0 > Scanned files: 1 > Infected files: 1 > Data scanned: 0.00 MB > Time: 0.945 sec (0 m 0 s) > > And no clamd which were running amok. > > Is this an error in amavis, an error in clamav or a broken installation? > Has anybody an idea? > > Greetings Stefan ------------------------------------------------------------------------- This SF.net email is sponsored by: Splunk Inc. Still grepping through log files to find problems? Stop. Now Search log events and configuration files using AJAX and a browser. Download your FREE copy of Splunk now >> http://get.splunk.com/ _______________________________________________ AMaViS-user mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/amavis-user AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3 AMaViS-HowTos:http://www.amavis.org/howto/
