Package: MailScanner
Version: 4.41.3-2

All packages from Sarge.

This problem was discovered while running MailScanner, which calls 
libmime-perl's Entity.pm, against a Phishing scam mail.

MailScanner debug output against nasty message - only message in queue:
...
debug: is spam? score=6.165 required=5
debug: tests=FORGED_RCVD_HELO,HOT_NASTY,HTML_MESSAGE,HTML_MIME_NO_HTML_TAG,HTML_TAG_EXIST_TBODY,MIME_BOUND_MANY_HEX,MIME_HTML_ONLY,MSGID_FROM_MTA_ID,NORMAL_HTTP_TO_IP
debug: subtests=__COMMENT_EXISTS,__CT,__CTYPE_HAS_BOUNDARY,__HAS_MSGID,__HAS_SUBJECT,__MIME_HTML,__MIME_QP,__MIME_VERSION,__MSGID_OK_DIGITS,__SANE_MSGID
LibClamAV Warning: ********************************************************
LibClamAV Warning: ***  This version of the ClamAV engine is outdated.  ***
LibClamAV Warning: *** DON'T PANIC! Read http://www.clamav.net/faq.html ***
LibClamAV Warning: ********************************************************
LibClamAV Warning: ********************************************************
LibClamAV Warning: ***  This version of the ClamAV engine is outdated.  ***
LibClamAV Warning: *** DON'T PANIC! Read http://www.clamav.net/faq.html ***
LibClamAV Warning: ********************************************************
Can't call method "print" on an undefined value at 
/usr/share/perl5/MIME/Entity.pm line 1803.


Taking a look at /usr/share/perl5/MIME/Entity.pm:

   1799         ### Parts:
   1800         my $part;
   1801         foreach $part ($self->parts) {
   1802             $out->print("--$boundary\n");
   1803             $part->print($out);
   1804             $out->print("\n");           ### needed for next delim/close
   1805         }
   1806         $out->print("--$boundary--\n");


Looks like $part is undefined for this nasty message.  A simple hack like "next 
unless defined $part" is no good, as the processing doesn't finish.  

Attaching the files that cause the choke, in sendmail qf/df format.  

The impact of this bug is quite severe.  The batch will continuously fail, 
causing it to be continuously picked up by the next available MailScanner 
process.  On a high volume server, this can cause the queue to back up 
considerably.  

MailScanner is configured to use sendmail.  The first process queues to 
/var/spool/mqueue.in, the second process delivers from /var/spool/mqueue.out.


Perl Modules:
ii  libarchive-zip-perl            1.14-1
ii  libcompress-zlib-perl          1.34-1
ii  libconvert-binhex-perl         1.119-2
ii  libconvert-tnef-perl           0.17-4
ii  libdbi-perl                    1.46-6
ii  libdigest-hmac-perl            1.01-3
ii  libdigest-nilsimsa-perl        0.06-2
ii  libdigest-sha1-perl            2.10-1
ii  libfont-afm-perl               1.19-1
ii  libhtml-format-perl            2.04-1
ii  libhtml-parser-perl            3.45-2
ii  libhtml-tagset-perl            3.04-1
ii  libhtml-tree-perl              3.18-1
ii  libio-socket-ssl-perl          0.96-1
ii  libio-stringy-perl             2.110-1
ii  liblocale-gettext-perl         1.01-17
ii  libmail-spf-query-perl         1.997-2
ii  libmailtools-perl              1.62-1
ii  libmime-perl                   5.417-1
ii  libnet-cidr-lite-perl          0.15-1
ii  libnet-cidr-perl               0.10-1
ii  libnet-daemon-perl             0.38-1
ii  libnet-dns-perl                0.48-1
ii  libnet-ident-perl              1.20-2
ii  libnet-ssleay-perl             1.25-1.1
ii  libpcre3                       4.5-1.2sarge1
ii  libperl5.8                     5.8.4-8
ii  libplrpc-perl                  0.2017-1
ii  libsys-hostname-long-perl      1.2-1
ii  libterm-readline-gnu-perl      1.14-2
ii  libtext-charwidth-perl         0.04-1
ii  libtext-iconv-perl             1.2-3
ii  libtext-wrapi18n-perl          0.06-1
ii  libtimedate-perl               1.1600-4
ii  liburi-perl                    1.35-1
ii  libwww-perl                    5.803-4
ii  perl                           5.8.4-8
ii  perl-base                      5.8.4-8
ii  perl-modules                   5.8.4-8
ii  spamassassin                   3.0.3-2
 

logging output to mail.log:

...
Oct 13 07:09:42 mailavas2 MailScanner[4212]: Spam Actions: message 
j9CJ7miR030112 actions are attachment,deliver
Oct 13 07:09:44 mailavas2 MailScanner[4212]: 
/var/spool/MailScanner/incoming/4212/./j9CJ7miR030112/msg-4212-36.html: 
HTML.Phishing.Bank-60 FOUND
Oct 13 07:09:44 mailavas2 MailScanner[4212]: Infected message j9CJ7miR030112 
came from 195.137.205.185
Oct 13 07:09:56 mailavas2 MailScanner[7631]: Message j9CJ7miR030112 from 
195.137.205.185 ([EMAIL PROTECTED]) to pca.cc is spam, SpamAssassin 
(score=6.165, required 5, autolearn=disabled, FORGED_RCVD_HELO 0.05, HOT_NASTY 
0.59, HTML_MESSAGE 0.00, HTML_MIME_NO_HTML_TAG 0.10, HTML_TAG_EXIST_TBODY 0.23, 
MIME_BOUND_MANY_HEX 2.25, MIME_HTML_ONLY 1.16, MSGID_FROM_MTA_ID 1.70, 
NORMAL_HTTP_TO_IP 0.08)
Oct 13 07:09:57 mailavas2 MailScanner[7631]: Spam Actions: message 
j9CJ7miR030112 actions are attachment,deliver
Oct 13 07:10:00 mailavas2 MailScanner[7631]: 
/var/spool/MailScanner/incoming/7631/./j9CJ7miR030112/msg-7631-11.html: 
HTML.Phishing.Bank-60 FOUND
Oct 13 07:10:00 mailavas2 MailScanner[7631]: Infected message j9CJ7miR030112 
came from 195.137.205.185
Oct 13 07:10:13 mailavas2 MailScanner[7410]: Message j9CJ7miR030112 from 
195.137.205.185 ([EMAIL PROTECTED]) to pca.cc is spam, SpamAssassin 
(score=6.165, required 5, autolearn=disabled, FORGED_RCVD_HELO 0.05, HOT_NASTY 
0.59, HTML_MESSAGE 0.00, HTML_MIME_NO_HTML_TAG 0.10, HTML_TAG_EXIST_TBODY 0.23, 
MIME_BOUND_MANY_HEX 2.25, MIME_HTML_ONLY 1.16, MSGID_FROM_MTA_ID 1.70, 
NORMAL_HTTP_TO_IP 0.08)
Oct 13 07:10:14 mailavas2 MailScanner[7410]: Spam Actions: message 
j9CJ7miR030112 actions are attachment,deliver
Oct 13 07:10:17 mailavas2 MailScanner[7410]: 
/var/spool/MailScanner/incoming/7410/./j9CJ7miR030112/msg-7410-31.html: 
HTML.Phishing.Bank-60 FOUND
Oct 13 07:10:17 mailavas2 MailScanner[7410]: Infected message j9CJ7miR030112 
came from 195.137.205.185
Oct 13 07:10:28 mailavas2 MailScanner[5736]: Message j9CJ7miR030112 from 
195.137.205.185 ([EMAIL PROTECTED]) to pca.cc is spam, SpamAssassin 
(score=6.165, required 5, autolearn=disabled, FORGED_RCVD_HELO 0.05, HOT_NASTY 
0.59, HTML_MESSAGE 0.00, HTML_MIME_NO_HTML_TAG 0.10, HTML_TAG_EXIST_TBODY 0.23, 
MIME_BOUND_MANY_HEX 2.25, MIME_HTML_ONLY 1.16, MSGID_FROM_MTA_ID 1.70, 
NORMAL_HTTP_TO_IP 0.08)
Oct 13 07:10:29 mailavas2 MailScanner[5736]: Spam Actions: message 
j9CJ7miR030112 actions are attachment,deliver
Oct 13 07:10:31 mailavas2 MailScanner[5736]: 
/var/spool/MailScanner/incoming/5736/./j9CJ7miR030112/msg-5736-36.html: 
HTML.Phishing.Bank-60 FOUND
Oct 13 07:10:31 mailavas2 MailScanner[5736]: Infected message j9CJ7miR030112 
came from 195.137.205.185
Oct 13 07:10:41 mailavas2 MailScanner[8693]: Message j9CJ7miR030112 from 
195.137.205.185 ([EMAIL PROTECTED]) to pca.cc is spam, SpamAssassin 
(score=6.165, required 5, autolearn=disabled, FORGED_RCVD_HELO 0.05, HOT_NASTY 
0.59, HTML_MESSAGE 0.00, HTML_MIME_NO_HTML_TAG 0.10, HTML_TAG_EXIST_TBODY 0.23, 
MIME_BOUND_MANY_HEX 2.25, MIME_HTML_ONLY 1.16, MSGID_FROM_MTA_ID 1.70, 
NORMAL_HTTP_TO_IP 0.08)
...

Repeats until message yanked from queue.  

A bug has been opened against libmime-perl.

________________________________________
Martin Foster | Systems Engineer
Pacific Internet (Australia) Pty Ltd

P: +61 3 9674 7659
 

Attachment: qfj9CJ7miR030112
Description: qfj9CJ7miR030112

Attachment: dfj9CJ7miR030112
Description: dfj9CJ7miR030112
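
Added example, not part of the original report and not MailScanner code: a small detector for the reprocessing loop shown in the mail.log excerpt, flagging any queue ID that is handled by several distinct MailScanner worker PIDs. The sample lines are constructed in the excerpt's format (unwrapped, with a documentation-range IP), and the 14-character queue ID pattern and the `min_workers` threshold are assumptions.

```python
import re
from collections import defaultdict

# Syslog prefix plus MailScanner worker PID, in the format of the excerpt above.
LINE_RE = re.compile(
    r"^\w{3}\s+\d+\s[\d:]{8}\s\S+\sMailScanner\[(?P<pid>\d+)\]:\s(?P<msg>.*)$"
)
# Assumption: sendmail queue IDs are 14 alphanumerics following "message"/"Message".
QID_RE = re.compile(r"\b[Mm]essage\s+(?P<qid>[A-Za-z0-9]{14})\b")

# Constructed sample log: one looping message, one message processed normally.
SAMPLE_LOG = """\
Oct 13 07:09:42 mailavas2 MailScanner[4212]: Spam Actions: message j9CJ7miR030112 actions are attachment,deliver
Oct 13 07:09:44 mailavas2 MailScanner[4212]: Infected message j9CJ7miR030112 came from 192.0.2.10
Oct 13 07:09:45 mailavas2 MailScanner[4212]: Spam Actions: message j9CK1abC012345 actions are deliver
Oct 13 07:09:57 mailavas2 MailScanner[7631]: Spam Actions: message j9CJ7miR030112 actions are attachment,deliver
Oct 13 07:10:00 mailavas2 MailScanner[7631]: Infected message j9CJ7miR030112 came from 192.0.2.10
Oct 13 07:10:14 mailavas2 MailScanner[7410]: Spam Actions: message j9CJ7miR030112 actions are attachment,deliver
Oct 13 07:10:17 mailavas2 MailScanner[7410]: Infected message j9CJ7miR030112 came from 192.0.2.10
""".splitlines()


def find_reprocessed(lines, min_workers=3):
    """Return {queue_id: sorted worker PIDs} for every message that was
    handled by at least min_workers distinct MailScanner processes."""
    workers = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a MailScanner syslog line
        q = QID_RE.search(m.group("msg"))
        if q:
            workers[q.group("qid")].add(int(m.group("pid")))
    return {
        qid: sorted(pids)
        for qid, pids in workers.items()
        if len(pids) >= min_workers
    }


if __name__ == "__main__":
    for qid, pids in find_reprocessed(SAMPLE_LOG).items():
        print(f"{qid}: picked up by {len(pids)} workers {pids}")
```

A queue ID reported here is a candidate for removal from the incoming queue so the remaining batch can drain.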
