On Fri, 5 Sep 2003, Matthew Edward Porter wrote:

> Below are the logs for QS and SA for a test message I sent containing a PDF
> file and some text.  I will be posting the same information to the SA list.
> Neither log says anything about pyzor or dcc.  The softlimit for qmail-smtpd
> is set to 5000000.

I'm assuming you're using the softlimit program from daemontools? Starting
qmail-smtpd with:

/usr/local/bin/softlimit -m 5000000 ...

If so then 5M is ample for stock qmail-smtpd, but for QS which is a perl
script, spamc and your virus scanners this is probably way too low. Try
the suggested 25M instead. See if it works then. If so bring it down step
by step until it stops working and then add a few meg on, to be on the
safe side. All this is in QS README BTW.
  Cheers.

>
> Any thoughts?
>
>
> Cheers,
>   matthew
>
>
>
> SPAMASSASSIN LOG
> 2003-09-05 16:01:24.630841500 logmsg: connection from localhost [127.0.0.1]
> at port 43656
> 2003-09-05 16:01:24.645354500 logmsg: processing message
> <[EMAIL PROTECTED]> for qscand:351.
> 2003-09-05 16:01:24.649457500 debug: bayes: 29889 tie-ing to DB file R/O
> /opt/spamassassin/.spamassassin/bayes_toks
> 2003-09-05 16:01:24.650583500 debug: bayes: 29889 tie-ing to DB file R/O
> /opt/spamassassin/.spamassassin/bayes_seen
> 2003-09-05 16:01:24.651115500 debug: debug: Only 1 spam(s) in Bayes DB < 200
> 2003-09-05 16:01:24.651174500 debug: bayes: 29889 untie-ing
> 2003-09-05 16:01:24.651203500 debug: bayes: 29889 untie-ing db_toks
> 2003-09-05 16:01:24.651455500 debug: bayes: 29889 untie-ing db_seen
> 2003-09-05 16:01:24.651856500 debug: running header regexp tests; score so
> far=0
> 2003-09-05 16:01:24.663326500 debug: running body-text per-line regexp
> tests; score so far=0
> 2003-09-05 16:01:24.679329500 debug: running raw-body-text per-line regexp
> tests; score so far=0
> 2003-09-05 16:01:24.679949500 debug: running uri tests; score so far=0
> 2003-09-05 16:01:24.680139500 debug: uri tests: Done uriRE
> 2003-09-05 16:01:24.680868500 debug: running full-text regexp tests; score
> so far=0
> 2003-09-05 16:01:24.682803500 debug: all '*From' addrs: [EMAIL PROTECTED]
> 2003-09-05 16:01:24.683607500 debug: all '*To' addrs:
> [EMAIL PROTECTED]
> 2003-09-05 16:01:24.683961500 debug: forged_rcvd_trail: entry 0:
> by=metissian.com from=(undef) mismatches=0
> 2003-09-05 16:01:24.684026500 debug: forged_rcvd_trail: entry 1: by=mac.com
> from=mac.com mismatches=0
> 2003-09-05 16:01:24.686975500 debug: running meta tests; score so far=0
> 2003-09-05 16:01:24.687722500 debug: auto-learn? safety=4, ham=-2, spam=15,
> body-hits=0, head-hits=0
> 2003-09-05 16:01:24.687749500 debug: auto-learn: currently using scoreset 0.
> no need to recompute.
> 2003-09-05 16:01:24.687769500 debug: auto-learn? no: inside auto-learn
> thresholds or safety zone around required_hits
> 2003-09-05 16:01:24.687857500 debug: is spam? score=0 required=5
> tests=USER_AGENT_APPLEMAIL
> 2003-09-05 16:01:24.692358500 logmsg: clean message (0.0/5.0) for qscand:351
> in 0.1 seconds, 137145 bytes.
> 2003-09-05 16:01:24.692653500 debug: bayes: 29889 untie-ing
>
>
> QMAIL-SCANNER LOG
> Fri, 05 Sep 2003 16:01:24 -0500:29880: +++ starting debugging for process
> 29880 by uid=89 at Fri, 05 Sep 2003 16:01:24 -0500
> Fri, 05 Sep 2003 16:01:24 -0500:29880: setting UID to EUID so subprocesses
> can access files generated by this script
> Fri, 05 Sep 2003 16:01:24 -0500:29880: program name is
> qmail-scanner-queue.pl, version 1.20rc3
> Fri, 05 Sep 2003 16:01:24 -0500:29880: incoming SMTP connection from via
> smtp from 17.250.248.89
> Fri, 05 Sep 2003 16:01:24 -0500:29880: w_c: mkdir
> /var/spool/qmailscan/morpheus106279568445629880
> Fri, 05 Sep 2003 16:01:24 -0500:29880: w_c: start dumping incoming msg into
> /var/spool/qmailscan/working/tmp/morpheus106279568445629880
> [1062795684.26177]
> Fri, 05 Sep 2003 16:01:24 -0500:29880: w_c: primary Content-Type of
> multipart/mixed found
> Fri, 05 Sep 2003 16:01:24 -0500:29880: w_c: found a top-level boundary
> definition of Apple\-Mail\-6\-736610710
> Fri, 05 Sep 2003 16:01:24 -0500:29880: w_c: attachment  1: Content-Type of
> text/plain found
> Fri, 05 Sep 2003 16:01:24 -0500:29880: found C-T attachment filename
> clamdoc.pdf
> Fri, 05 Sep 2003 16:01:24 -0500:29880: w_c: attachment  2: Content-Type of
> application/pdf found
> Fri, 05 Sep 2003 16:01:24 -0500:29880: w_c: rename new msg from
> /var/spool/qmailscan/working/tmp/morpheus106279568445629880 to
> /var/spool/qmailscan/working/new/morpheus106279568445629880
> [1062795684.59236]
> Fri, 05 Sep 2003 16:01:24 -0500:29880: d_m: starting
> /usr/local/bin/reformime  -x/var/spool/qmailscan/morpheus106279568445629880/
> </var/spool/qmailscan/working/new/morpheus106279568445629880
> [1062795684.59263]
> Fri, 05 Sep 2003 16:01:24 -0500:29880: d_m: finished
> /usr/local/bin/reformime  -x/var/spool/qmailscan/morpheus106279568445629880/
> [1062795684.6086]
> Fri, 05 Sep 2003 16:01:24 -0500:29880: d_m: Checking all attachments to see
> if they're MS-TNEF
> Fri, 05 Sep 2003 16:01:24 -0500:29880: d_m: is
> /var/spool/qmailscan/morpheus106279568445629880/clamdoc.pdf is a TNEF file?:
> 256 [1062795684.61052]
> Fri, 05 Sep 2003 16:01:24 -0500:29880: d_m: is
> /var/spool/qmailscan/morpheus106279568445629880/1062795684.29882-0.morpheus
> is a TNEF file?: 256 [1062795684.61237]
> Fri, 05 Sep 2003 16:01:24 -0500:29880: d_m: Manually unpack any zip files as
> some virus scanners don't do zip under Unix!
> Fri, 05 Sep 2003 16:01:24 -0500:29880: d_m: unpacking message took 0.02006
> seconds
> Fri, 05 Sep 2003 16:01:24 -0500:29880: unsetting QMAILQUEUE env var
> Fri, 05 Sep 2003 16:01:24 -0500:29880: g_e_h: return-path is
> "[EMAIL PROTECTED]", recips is "[EMAIL PROTECTED]"
> Fri, 05 Sep 2003 16:01:24 -0500:29880: from="Matthew E. Porter"
> <[EMAIL PROTECTED]>,subj=pyzor/dcc test 1,
> x-qmail-scanner-message-id=<[EMAIL PROTECTED]>
> via smtp from 17.250.248.89
> Fri, 05 Sep 2003 16:01:24 -0500:29880: ini_sc: start scanning
> Fri, 05 Sep 2003 16:01:24 -0500:29880: ini_sc: recursively scan the
> directory /var/spool/qmailscan/morpheus106279568445629880/
> Fri, 05 Sep 2003 16:01:24 -0500:29880: scanloop: starting scan of directory
> "/var/spool/qmailscan/morpheus106279568445629880"...
> Fri, 05 Sep 2003 16:01:24 -0500:29880: scanloop:
> scanner=clamuko_scanner,plain_text_msg=0
> Fri, 05 Sep 2003 16:01:24 -0500:29880: clamuko: starting scan of directory
> "/var/spool/qmailscan/morpheus106279568445629880"...
> Fri, 05 Sep 2003 16:01:24 -0500:29880: run /opt/clamav/bin/clamdscan -r
> --disable-summary --max-recursion=10 --max-space=1000000
> /var/spool/qmailscan/morpheus106279568445629880 2>&1
> Fri, 05 Sep 2003 16:01:24 -0500:29880: --output of clamuko was:
> /var/spool/qmailscan/morpheus106279568445629880: OK
> --
> Fri, 05 Sep 2003 16:01:24 -0500:29880: clamuko: finished scan of dir
> "/var/spool/qmailscan/morpheus106279568445629880" in 0.010678 secs
> Fri, 05 Sep 2003 16:01:24 -0500:29880: scanloop:
> scanner=spamassassin,plain_text_msg=0
> Fri, 05 Sep 2003 16:01:24 -0500:29880: SA: run /usr/bin/spamc  -f <
> /var/spool/qmailscan/working/new/morpheus106279568445629880
> Fri, 05 Sep 2003 16:01:24 -0500:29880: SA: overwriting
> /var/spool/qmailscan/working/new/morpheus106279568445629880 with
> /var/spool/qmailscan/working/new/morpheus106279568445629880.spamc
> Fri, 05 Sep 2003 16:01:24 -0500:29880: spamassassin: finished scan of dir
> "/var/spool/qmailscan/morpheus106279568445629880" in 0.085642 secs
> Fri, 05 Sep 2003 16:01:24 -0500:29880: scanloop: finished scan of
> "/var/spool/qmailscan/morpheus106279568445629880"...
> Fri, 05 Sep 2003 16:01:24 -0500:29880: p_s: starting scan of directory
> "/var/spool/qmailscan/morpheus106279568445629880"...
> Fri, 05 Sep 2003 16:01:24 -0500:29880: p_s:  '81:ILOVEYOU' = 'Virus-subject'
> = 'Love Letter Virus/Trojan'
> Fri, 05 Sep 2003 16:01:24 -0500:29880: p_s:  type is a header!
> Fri, 05 Sep 2003 16:01:24 -0500:29880: p_s:  checking for objects containing
> subject: ILOVEYOU
> Fri, 05 Sep 2003 16:01:24 -0500:29880: p_s:  '82:message/partial.*' =
> 'Virus-content-type' = 'Message/partial MIME attachments blocked by policy'
> Fri, 05 Sep 2003 16:01:24 -0500:29880: p_s:  type is a header!
> Fri, 05 Sep 2003 16:01:24 -0500:29880: p_s:  checking for objects containing
> content-type: message/partial.*
> Fri, 05 Sep 2003 16:01:24 -0500:29880: p_s:  '85:.{100,}' = 'Virus-date' =
> 'MIME Header Buffer Overflow'
> Fri, 05 Sep 2003 16:01:24 -0500:29880: p_s:  type is a header!
> Fri, 05 Sep 2003 16:01:24 -0500:29880: p_s:  checking for objects containing
> date: .{100,}
> Fri, 05 Sep 2003 16:01:24 -0500:29880: p_s:  '86:.{100,}' =
> 'Virus-mime-version' = 'MIME Header Buffer Overflow '
> Fri, 05 Sep 2003 16:01:24 -0500:29880: p_s:  type is a header!
> Fri, 05 Sep 2003 16:01:24 -0500:29880: p_s:  checking for objects containing
> mime-version: .{100,}
> Fri, 05 Sep 2003 16:01:24 -0500:29880: p_s:  '87:.{100,}' =
> 'Virus-resent-date' = 'MIME Header Buffer Overflow'
> Fri, 05 Sep 2003 16:01:24 -0500:29880: p_s:  type is a header!
> Fri, 05 Sep 2003 16:01:24 -0500:29880: p_s:  checking for objects containing
> resent-date: .{100,}
> Fri, 05 Sep 2003 16:01:24 -0500:29880: p_s:
> '90:[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]
> com|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]
> e.com|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|JGQZC
> [EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|cxkawog@
> krovatka.net|[EMAIL PROTECTED]' = 'Virus-to' = 'BadTrans Trojan exploit!'
> Fri, 05 Sep 2003 16:01:24 -0500:29880: p_s:  type is a header!
> Fri, 05 Sep 2003 16:01:24 -0500:29880: p_s:  checking for objects containing
> to:
> [EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|
> [EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]
> m|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]
> cite.com|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]
> atka.net|[EMAIL PROTECTED]
> Fri, 05 Sep 2003 16:01:24 -0500:29880: p_s:  'eicar.com' = '69' = 'EICAR
> Test Virus'
> Fri, 05 Sep 2003 16:01:24 -0500:29880: p_s: type is a size!
> Fri, 05 Sep 2003 16:01:24 -0500:29880: p_s:  'happy99.exe' = '10000' =
> 'Happy99 Trojan'
> Fri, 05 Sep 2003 16:01:24 -0500:29880: p_s: type is a size!
> Fri, 05 Sep 2003 16:01:24 -0500:29880: p_s:  'zipped_files.exe' = '120495' =
> 'W32/ExploreZip.worm.pak virus'
> Fri, 05 Sep 2003 16:01:24 -0500:29880: p_s: type is a size!
> Fri, 05 Sep 2003 16:01:24 -0500:29880: p_s: checking clamdoc.pdf against
> perlscanner database...
> Fri, 05 Sep 2003 16:01:24 -0500:29880: p_s: file clamdoc.pdf is lowercased
> to clamdoc.pdf and has extension .pdf
> Fri, 05 Sep 2003 16:01:24 -0500:29880: p_s: compare clamdoc.pdf against
> perlscanner database
> Fri, 05 Sep 2003 16:01:24 -0500:29880: p_s: skipping auto-generated file
> 1062795684.29882-0.morpheus
> Fri, 05 Sep 2003 16:01:24 -0500:29880: p_s: checking clamdoc.pdf against
> perlscanner database...
> Fri, 05 Sep 2003 16:01:24 -0500:29880: p_s: file clamdoc.pdf is lowercased
> to clamdoc.pdf and has extension .pdf
> Fri, 05 Sep 2003 16:01:24 -0500:29880: p_s: compare clamdoc.pdf against
> perlscanner database
> Fri, 05 Sep 2003 16:01:24 -0500:29880: p_s:  finished scan of dir
> "/var/spool/qmailscan/morpheus106279568445629880" in 0.002922 secs
> Fri, 05 Sep 2003 16:01:24 -0500:29880: ini_sc: scanning message took
> 0.099788 seconds
> Fri, 05 Sep 2003 16:01:24 -0500:29880: q_r: fork off child into
> /var/qmail/bin/qmail-queue...
> Fri, 05 Sep 2003 16:01:24 -0500:29890: q_r: xstatus=0
> Fri, 05 Sep 2003 16:01:24 -0500:29880: cleanup: /bin/rm -rf
> /var/spool/qmailscan/morpheus106279568445629880/
> /var/spool/qmailscan/working/new/morpheus106279568445629880
> 05/09/2003 16:01:24:29880: all finished. Total of 0.563409 secs
>
> > From: "Steve Fulton" <[EMAIL PROTECTED]>
> > Date: Fri, 5 Sep 2003 14:55:50 -0400 (EDT)
> > To: [EMAIL PROTECTED]
> > Subject: Re: [Qmail-scanner-general]QS + SpamAssassin with DCC & Pyzor
> >
> >> Anybody have any guesses, theories, and/or ideas?  Thanks in advance!
> >
> > First I must ask what the logs say?  Turn on debugging in Q-S and SA
> > (you'll have to run the daemon in the foreground though, and cut and paste
> > the content).  Fire a few test messages through.  Look at what it says for
> > DCC and Pyzor.  If you still can't figure it out, ask the Q-S list AND the
> > SA list, since it may be related to one or the other (though I'm betting
> > it's a SA issue).  One guess may be memory -- what do you have softlimit
> > set to?
> >
> > -- Steve
> >
> >
> > -------------------------------------------------------
> > This sf.net email is sponsored by:ThinkGeek
> > Welcome to geek heaven.
> > http://thinkgeek.com/sf
> > _______________________________________________
> > Qmail-scanner-general mailing list
> > [EMAIL PROTECTED]
> > https://lists.sourceforge.net/lists/listinfo/qmail-scanner-general
> >
>
>
>
>

-- 
Mark Powell - UNIX System Administrator - The University of Salford
Information Services Division, Clifford Whitworth Building,
Salford University, Manchester, M5 4WT, UK.
Tel: +44 161 295 4837  Fax: +44 161 295 5888  www.pgp.com for PGP key
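
The step-down tuning described in the reply above, as an added example (not part of the original message and not qmail-scanner code). The function name, the 1000000-byte step, the 3000000-byte headroom and the stand-in probe are assumptions; a real probe would restart qmail-smtpd under `softlimit -m "$1"` and send a test message through QS, spamc and the virus scanner.

```shell
#!/bin/sh
# find_softlimit START STEP HEADROOM PROBE
#   Calls PROBE <limit-bytes> starting at START and lowering by STEP while it
#   keeps succeeding. Prints the last working limit plus HEADROOM.
#   Returns 1 if PROBE already fails at START (the limit is too low to begin with).
find_softlimit() {
    start=$1; step=$2; headroom=$3; probe=$4
    limit=$start
    last_good=
    while [ "$limit" -gt 0 ]; do
        if "$probe" "$limit" >/dev/null 2>&1; then
            last_good=$limit              # scan chain survived at this limit
            limit=$((limit - step))       # try a tighter one
        else
            break                         # first failure: stop stepping down
        fi
    done
    if [ -z "$last_good" ]; then
        echo "probe fails even at $start bytes; start higher" >&2
        return 1
    fi
    echo $((last_good + headroom))
}

# Constructed stand-in probe: pretends the perl script plus scanners need
# 17300000 bytes. Replace the body with a real end-to-end delivery test
# run under: softlimit -m "$1" ...
sample_probe() {
    [ "$1" -ge 17300000 ]
}

# Start from the suggested 25M, step down 1M at a time, add 3M back.
find_softlimit 25000000 1000000 3000000 sample_probe
```

With the stand-in probe, a start of 5000000 fails immediately, which is the situation the reply diagnoses: the limit suits stock qmail-smtpd but not the scanner chain behind it.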
