Re: [Clamav-users] ClamAV takes long to scan mails
--- Jason Haar [EMAIL PROTECTED] wrote: Sandeep Agarwal wrote: checked the logs after sending a mail size 6MB. reading the logs its clear that this is not clamd problem. its something else, whats the w_c:elapsed time in the log below ? i guess its the time waiting in the queue. if yes how can this be fixed ? You don't include the entire log for that particular mail message being processed (and I'm sure the readers of this list appreciate that as this isn't a ClamAV problem). One of those timestamps will be much larger than the others, so that's the one that is the cause of the problem. this is the only details in the log file for this process. it seems that the server is taking long in receiving mails. # cat qmail-queue.log | grep :31100: Tue, 04 Apr 2006 16:35:41 IST:31100: +++ starting debugging for process 31100 by uid=90 Tue, 04 Apr 2006 17:02:25 IST:31100: w_c: elapsed time from start 1604.306495 secs Tue, 04 Apr 2006 17:02:26 IST:31100: return-path='[EMAIL PROTECTED]', recips='[EMAIL PROTECTED]' Tue, 04 Apr 2006 17:02:26 IST:31100: from='Sandeep Agarwal [EMAIL PROTECTED]', subj='Fwd: axe effect!!', via SMTP from 206.190.48.98 Tue, 04 Apr 2006 17:03:11 IST:31100: clamdscan: finished scan in 44.9711 secs Tue, 04 Apr 2006 17:03:11 IST:31100: SA: message too big - skip it Tue, 04 Apr 2006 17:03:11 IST:31100: p_s: finished scan in 0.011766 secs Tue, 04 Apr 2006 17:03:11 IST:31100: ini_sc: finished scan of /var/spool/qmailscan/tmp/ngblhost1114414874176031100... Tue, 04 Apr 2006 17:03:11 IST:31100: -- Process 31100 finished. Total of 1650.008028 secs Are you sure you don't have an actual network problem? can you guide me how can i check that its not a network problem. If none of the Qmail-Scanner subprocesses is responsible for the large times, then there is only one other option - network. Having mismatched duplex settings on the server's Ethernet card can do this, as well as long-distance-over-unreliable-links SMTP clients. i.e. maybe 1299 of those 1300 seconds is actually how long it took the message to be written to the queue - which indicates a slow network - not a software problem. The new release of Qmail-Scanner specifically separates out that time now - for this very reason. Thanks for the help Sandeep __ Yahoo! India Matrimony: Find your partner now. Go to http://yahoo.shaadi.com ___ http://lurker.clamav.net/list/clamav-users.html
[Clamav-users] ClamAV takes long to scan mails
hello all, i am running qmail+clamav. This is my clamd.conf and freshclam.conf files ***clamd.conf - Begin ** LogFile /var/log/clamd.log LogTime LogClean LogSyslog PidFile /var/run/clamav/clamd.pid DatabaseDirectory /usr/share/clamav LocalSocket /var/clamav/clamd.sock FixStaleSocket MaxConnectionQueueLength 20 MaxThreads 30 ReadTimeout 300 User qscand DetectBrokenExecutables ScanMail ScanHTML ScanArchive ScanRAR ***clamd.conf - End ** ***freshclam.conf - Begin ** DatabaseDirectory /usr/share/clamav UpdateLogFile /var/log/clam-update.log DatabaseOwner qscand DatabaseMirror database.clamav.net ***freshclam.conf - End ** the softlimit set for qmail is 300MB. but the time taken to scan a 4 MB mail is too long ... i am dumping the mail header **HEADER START Return-Path: email address protected Delivered-To: somedomain.com-email address protected Received: (qmail 10260 invoked by uid 92); 3 Apr 2006 17:12:12 +0530 Received: from 61.16.161.3 by ngblhost1 (envelope-from email address protected, uid 90) with qmail-scanner-1.24-st-qms (clamdscan: 0.88/1367. spamassassin: 3.1.0. perlscan: 1.24-st-qms. Clear:RC:0(61.16.161.3):SA:0(?/?):. Processed in 1330.693658 secs); 03 Apr 2006 11:42:12 - X-Spam-Status: No, hits=? required=? X-Antivirus-MYDOMAIN-Mail-From: email address protected via ngblhost1 X-Antivirus-MYDOMAIN: 1.24-st-qms (Clear:RC:0(61.16.161.3):SA:0(?/?):. Processed in 1330.693658 secs Process 10258) Received: from unknown (HELO smtp.io-star.com) (61.16.161.3) by protected-domain with SMTP; 3 Apr 2006 16:50:01 +0530 Received: from Venu (iostar-2-161-16-hkg.io-star.com [61.16.161.2] (may be forged)) (authenticated bits=0) by smtp.io-star.com (8.12.8/8.12.8) with ESMTP id k33AitBC024135; Mon, 3 Apr 2006 16:15:11 +0530 Reply-To: email address protected From: Kabul email address protected To: 'C S Sethi' email address protected, 'charanbir sethi' email address protected Subject: Photo's Date: Mon, 3 Apr 2006 15:35:55 +0430 Organization: BSC - C C JV Message-ID: [EMAIL PROTECTED] MIME-Version: 1.0 Content-Type: multipart/mixed; boundary==_NextPart_000_0027_01C65734.514DFFE0 X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook, Build 10.0.2627 Importance: Normal X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180 HEADER END* i cant figure our the possible cause of the delay. can someone help thanks Sandeep P.S.: I am using clamdscan and not clamscan as many qmail installations does that why the User for clamav is qscand so that it can work with qmail-scanner __ Yahoo! India Matrimony: Find your partner now. Go to http://yahoo.shaadi.com ___ http://lurker.clamav.net/list/clamav-users.html
Re: [Clamav-users] ClamAV takes long to scan mails
Sandeep Agarwal wrote: P.S.: I am using clamdscan and not clamscan as many qmail installations does that why the User for clamav is qscand so that it can work with qmail-scanner Try using simscan. http://www.inter7.com/?page=simscan I am using it and it is great. P.V.Anthony ___ http://lurker.clamav.net/list/clamav-users.html
Re: [Clamav-users] ClamAV takes long to scan mails
Sandeep Agarwal wrote: hello all, i am running qmail+clamav. This is my clamd.conf and freshclam.conf files First thing - wrong list - you are really asking a Qmail-Scanner question. Secondly, you don't mention you are also using SpamAssassin (I can see that from the message you included). Check the qmail-queue.log debug file - see where Qmail-Scanner is actually hanging (it keeps track of where all the time goes). I think you'll find it's hanging in SpamAssassin. If I'm wrong and it is clamd - then at least you'll know that much for sure. If it is clamd - then indeed this is the correct list to post this question to. In that case, ensure clamd is logging somewhere - either to a file or to syslog. Then see what clamd reports about these sorts of messages (and if it's SpamAssassin - then I really haven't solved anything. DNS timeouts come to mind - but I don't know how that could ever add up to the 1330 seconds you are seeing) -- Cheers Jason Haar Information Security Manager, Trimble Navigation Ltd. Phone: +64 3 9635 377 Fax: +64 3 9635 417 PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1 ___ http://lurker.clamav.net/list/clamav-users.html
Re: [Clamav-users] ClamAV takes long to scan mails
--- Jason Haar [EMAIL PROTECTED] wrote: Sandeep Agarwal wrote: hello all, i am running qmail+clamav. This is my clamd.conf and freshclam.conf files First thing - wrong list - you are really asking a Qmail-Scanner question. Secondly, you don't mention you are also using SpamAssassin (I can see that from the message you included). Check the qmail-queue.log debug file - see where Qmail-Scanner is actually hanging (it keeps track of where all the time goes). I think you'll find it's hanging in SpamAssassin. If I'm wrong and it is clamd - then at least you'll know that much for sure. If it is clamd - then indeed this is the correct list to post this question to. In that case, ensure clamd is logging somewhere - either to a file or to syslog. Then see what clamd reports about these sorts of messages (and if it's SpamAssassin - then I really haven't solved anything. DNS timeouts come to mind - but I don't know how that could ever add up to the 1330 seconds you are seeing) when i re-check the header, as you suggested, i found that spamassassin is not even scanning the mail X-Antivirus-MYDOMAIN: 1.24-st-qms (Clear:RC:0(61.16.161.3):SA:0(?/?):. Processed in 1330.693658 secs Process 10258) this is what qmail-scanner has to say about it as on http://qmail-scanner.sourceforge.net/FAQ.php # Why do some messages get tagged with SA:0(?/?) instead of numbers?. SpamAssassins spamd daemon has a max e-mail size limit. If a message is larger than that size, it just returns with no score (as it skipped it). As such Qmail-Scanner has no numbers to report, so it uses ? to show that happened. Also, if some error occurs within SpamAssassin, Qmail-Scanner returns ? again - showing that SA couldn't do the job on that particular mail message. If you use softlimit to limit the max amount of RAM SA can use - that can impact this too. thanks Sandeep __ Yahoo! India Matrimony: Find your partner now. Go to http://yahoo.shaadi.com ___ http://lurker.clamav.net/list/clamav-users.html
Re: [Clamav-users] ClamAV takes long to scan mails
--- Sandeep Agarwal [EMAIL PROTECTED] wrote: --- Jason Haar [EMAIL PROTECTED] wrote: Sandeep Agarwal wrote: hello all, i am running qmail+clamav. This is my clamd.conf and freshclam.conf files First thing - wrong list - you are really asking a Qmail-Scanner question. Secondly, you don't mention you are also using SpamAssassin (I can see that from the message you included). Check the qmail-queue.log debug file - see where Qmail-Scanner is actually hanging (it keeps track of where all the time goes). I think you'll find it's hanging in SpamAssassin. If I'm wrong and it is clamd - then at least you'll know that much for sure. If it is clamd - then indeed this is the correct list to post this question to. In that case, ensure clamd is logging somewhere - either to a file or to syslog. Then see what clamd reports about these sorts of messages (and if it's SpamAssassin - then I really haven't solved anything. DNS timeouts come to mind - but I don't know how that could ever add up to the 1330 seconds you are seeing) when i re-check the header, as you suggested, i found that spamassassin is not even scanning the mail X-Antivirus-MYDOMAIN: 1.24-st-qms (Clear:RC:0(61.16.161.3):SA:0(?/?):. Processed in 1330.693658 secs Process 10258) this is what qmail-scanner has to say about it as on http://qmail-scanner.sourceforge.net/FAQ.php # Why do some messages get tagged with SA:0(?/?) instead of numbers?. SpamAssassins spamd daemon has a max e-mail size limit. If a message is larger than that size, it just returns with no score (as it skipped it). As such Qmail-Scanner has no numbers to report, so it uses ? to show that happened. Also, if some error occurs within SpamAssassin, Qmail-Scanner returns ? again - showing that SA couldn't do the job on that particular mail message. If you use softlimit to limit the max amount of RAM SA can use - that can impact this too. thanks Sandeep checked the logs after sending a mail size 6MB. reading the logs its clear that this is not clamd problem. its something else, whats the w_c:elapsed time in the log below ? i guess its the time waiting in the queue. if yes how can this be fixed ? Tue, 04 Apr 2006 17:02:25 IST:31100: w_c: elapsed time from start 1604.306495 secs Tue, 04 Apr 2006 17:02:26 IST:31100: return-path='***', recips='***' Tue, 04 Apr 2006 17:02:26 IST:31100: from='Sandeep Agarwal ', subj='Fwd: axe effect!!', via SMTP from 206.190.48.98 Tue, 04 Apr 2006 17:03:11 IST:31100: clamdscan: finished scan in 44.9711 secs Tue, 04 Apr 2006 17:03:11 IST:31100: SA: message too big - skip it Tue, 04 Apr 2006 17:03:11 IST:31100: p_s: finished scan in 0.011766 secs Tue, 04 Apr 2006 17:03:11 IST:31100: ini_sc: finished scan of /var/spool/qmailscan/tmp/ngblhost1114414874176031100... Tue, 04 Apr 2006 17:03:11 IST:31100: -- Process 31100 finished. Total of 1650.008028 secs Sandeep __ Yahoo! India Matrimony: Find your partner now. Go to http://yahoo.shaadi.com ___ http://lurker.clamav.net/list/clamav-users.html
Re: [Clamav-users] ClamAV takes long to scan mails
Sandeep Agarwal wrote: checked the logs after sending a mail size 6MB. reading the logs its clear that this is not clamd problem. its something else, whats the w_c:elapsed time in the log below ? i guess its the time waiting in the queue. if yes how can this be fixed ? You don't include the entire log for that particular mail message being processed (and I'm sure the readers of this list appreciate that as this isn't a ClamAV problem). One of those timestamps will be much larger than the others, so that's the one that is the cause of the problem. Are you sure you don't have an actual network problem? If none of the Qmail-Scanner subprocesses is responsible for the large times, then there is only one other option - network. Having mismatched duplex settings on the server's Ethernet card can do this, as well as long-distance-over-unreliable-links SMTP clients. i.e. maybe 1299 of those 1300 seconds is actually how long it took the message to be written to the queue - which indicates a slow network - not a software problem. The new release of Qmail-Scanner specifically separates out that time now - for this very reason. -- Cheers Jason Haar Information Security Manager, Trimble Navigation Ltd. Phone: +64 3 9635 377 Fax: +64 3 9635 417 PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1 ___ http://lurker.clamav.net/list/clamav-users.html