Several times yesterday clamd stopped. My daemon watching script restarted it immediately, but I could not find a reason for the failures. This was happening on multiple servers, so it was all the more puzzling. Add to that the fact that one other server never had the problem, but it is a fallback smtp server with no MX record. Anyway, in one of those just-before-the-first-cup-of-coffee moments this morning I decided to run grep "system error" -A1 against the mail log file and damn if a pattern didn't jump right out at me. At nearly every point where clamd quit, the message was from a particular user and the relay was one of messagelabs' servers. It would have been at every point except that this is a common syslogger for several mail servers and other systems were interleaved.
I blocked the IP of that messagelabs mail relay and clamd quit crashing. Then, because you can't just block messagelabs servers, I explicitly blocked mail from the sender's domain and still there were no further failures. Then I visited the website of the sender and it's a new venue and seems legit, but appears to be sending out mail that will crash clamd. That is bad. When I have time I will unjail it and try to grab a copy of whatever is creating the problem. If anyone's interested, the sending domain is my-management.co.uk. They're still blocked and there have been no further failures, where before clamd was failing two to three times each hour. I'll work on it again on Monday.

dp
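
The correlation described in the post, as an added example that is not part of the original message: it pairs each "system error" line with the next sender/relay line from the same host, so entries interleaved by other systems on a shared syslogger do not hide the pattern the way plain grep -A1 can. The log layout, host names, program names and addresses below are constructed assumptions, not lines from the poster's servers.

```python
import re
from collections import Counter

# Constructed sample of a shared syslog file; hosts, program names, addresses
# and the exact message layout are assumptions made for this example.
SAMPLE_LOG = """\
Jan 12 09:14:02 mx1 clamd-watch[2211]: clamd system error, restarting
Jan 12 09:14:02 web3 sshd[901]: Accepted publickey for deploy
Jan 12 09:14:03 mx1 sendmail[2290]: q0C9E1: from=<news@sender.example>, relay=relay7.filter.example [192.0.2.7]
Jan 12 09:20:41 mx2 sendmail[1432]: q0C9K2: from=<bob@other.example>, relay=mail.other.example [198.51.100.9]
Jan 12 09:41:17 mx2 clamd-watch[1877]: clamd system error, restarting
Jan 12 09:41:17 mx1 sendmail[2301]: q0C9f3: from=<alice@other.example>, relay=mail.other.example [198.51.100.9]
Jan 12 09:41:18 mx2 sendmail[1440]: q0C9f4: from=<news@sender.example>, relay=relay2.filter.example [192.0.2.2]
"""

LINE = re.compile(r"^\w{3}\s+\d+\s+[\d:]{8}\s+(\S+)\s+(.*)$")  # host, message
FROM = re.compile(r"from=<([^>]*)>")
RELAY = re.compile(r"relay=([^\s,\[]+)")


def correlate(log_text, marker="system error", window=3):
    """Count (sender, relay) pairs logged right after `marker` on the same host.
    Lines from other hosts are skipped instead of being taken as the "next"
    line; `window` limits how many same-host lines are searched per event."""
    pending = {}      # host -> same-host lines still to inspect
    hits = Counter()
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue                      # not a syslog-style line
        host, rest = m.groups()
        if marker in rest:
            pending[host] = window
            continue
        if host not in pending:
            continue
        sender, relay = FROM.search(rest), RELAY.search(rest)
        if sender and relay:
            hits[(sender.group(1).lower(), relay.group(1).lower())] += 1
            del pending[host]
        else:
            pending[host] -= 1
            if pending[host] == 0:
                del pending[host]         # give up on this event
    return hits


def by_sender_domain(hits):
    """Collapse the pairs to sender domains, since relays may vary per message."""
    out = Counter()
    for (sender, _relay), n in hits.items():
        out[sender.rpartition("@")[2]] += n
    return out
```

On the constructed sample, the second event's adjacent line comes from a different host and an unrelated sender, which is the interleaving case the post mentions; the per-host pairing attributes both events to the same sender domain.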