Report: MailScanner: Message attempted to kill MailScanner

Hi there.

After my install for the spamspanke for ubuntu-jeos-10.10-maverick-meerkat guide. I receive many of these emails and some users mails appear to be wrongly blocked.

Report: MailScanner: Message attempted to kill MailScanner

I googled and found some mention of winmail.dat i tried changing a few things but the message persists and users emails are being blocked.

Anyone have this issue?

Thanks!

 

What's in your mail.log?

 

Dec 20 10:11:01 belatrix MailScanner[18378]: Making attempt 6 at processing message D15FF440361.A2C11
Dec 20 10:11:01 belatrix MailScanner[18378]: New Batch: Scanning 1 messages, 586001 bytes
Dec 20 10:11:01 belatrix MailScanner[18453]: MailScanner E-Mail Virus Scanner version 4.81.4 starting...
Dec 20 10:11:02 belatrix MailScanner[18453]: Reading configuration file /opt/MailScanner/etc/MailScanner.conf
Dec 20 10:11:02 belatrix MailScanner[18453]: Reading configuration file /opt/MailScanner/etc/conf.d/README
Dec 20 10:11:02 belatrix MailScanner[18453]: Read 867 hostnames from the phishing whitelist
Dec 20 10:11:02 belatrix MailScanner[18453]: Read 4445 hostnames from the phishing blacklists
Dec 20 10:11:02 belatrix MailScanner[18453]: Config: calling custom init function BaruwaLowScore
Dec 20 10:11:02 belatrix MailScanner[18453]: Config: calling custom init function BaruwaBlacklist
Dec 20 10:11:02 belatrix MailScanner[18453]: Starting Baruwa blacklists
Dec 20 10:11:02 belatrix MailScanner[18453]: Read 0 blacklist items
Dec 20 10:11:02 belatrix MailScanner[18453]: Ip blocks blacklisted:
Dec 20 10:11:02 belatrix MailScanner[18453]: Config: calling custom init function BaruwaSQL
Dec 20 10:11:02 belatrix MailScanner[18453]: Starting Baruwa SQL logger
Dec 20 10:11:02 belatrix MailScanner[18453]: Config: calling custom init function BaruwaHighScore
Dec 20 10:11:02 belatrix MailScanner[18453]: Baruwa - Populating high spam score settings
Dec 20 10:11:02 belatrix MailScanner[18453]: Read 4 high spam score settings
Dec 20 10:11:02 belatrix MailScanner[18453]: Config: calling custom init function BaruwaWhitelist
Dec 20 10:11:02 belatrix MailScanner[18453]: Starting Baruwa whitelists
Dec 20 10:11:02 belatrix MailScanner[18453]: Read 5 whitelist items
Dec 20 10:11:02 belatrix MailScanner[18453]: Ip blocks whitelisted:
Dec 20 10:11:02 belatrix MailScanner[18453]: Using SpamAssassin results cache
Dec 20 10:11:02 belatrix MailScanner[18453]: Connected to SpamAssassin cache database
Dec 20 10:11:02 belatrix MailScanner[18453]: Enabling SpamAssassin auto-whitelist functionality...
Dec 20 10:11:04 belatrix MailScanner[17264]: Quarantined message D15FF440361.A2C11 as it caused MailScanner to crash several times
Dec 20 10:11:04 belatrix MailScanner[17264]: Saved entire message to /var/spool/MailScanner/quarantine/20101220/D15FF440361.A2C11
Dec 20 10:11:05 belatrix MailScanner[17264]: New Batch: Scanning 1 messages, 586001 bytes
Dec 20 10:11:05 belatrix MailScanner[17264]: Sender Warnings: Delivered 1 warnings to virus senders
Dec 20 10:11:05 belatrix postfix/pickup[18244]: 9D8FB440360: uid=103 from=<>
Dec 20 10:11:05 belatrix postfix/cleanup[18486]: 9D8FB440360: message-id=<[email protected]>
Dec 20 10:11:05 belatrix postfix/qmgr[28224]: 9D8FB440360: from=<>, size=1215, nrcpt=1 (queue active)
Dec 20 10:11:05 belatrix postfix/pickup[18244]: AC3F1440361: uid=103 from=<postmaster>
Dec 20 10:11:05 belatrix postfix/cleanup[18486]: AC3F1440361: message-id=<[email protected]>
Dec 20 10:11:05 belatrix MailScanner[17264]: Notices: Warned about 1 messages
Dec 20 10:11:05 belatrix MailScanner[17264]: Deleted 1 messages from processing-database
Dec 20 10:11:05 belatrix MailScanner[17264]: Logging message D15FF440361.A2C11 to Baruwa SQL
Dec 20 10:11:05 belatrix MailScanner[17674]: D15FF440361.A2C11: Logged to Baruwa SQL


This matches the mail.

Subject: re: ORION Proposal
MessageID: D15FF440361.A2C11
Quarantine: /var/spool/MailScanner/quarantine/20101220/D15FF440361.A2C11
Report: MailScanner: Message attempted to kill MailScanner

 

What do you have in your clamav.log?

Do the mails have any documents attached?

Also, check to see if the hard drive is full.

 

Actually my clamav log is empty.

 

hmm which clam should be installed. I may have an extra version installed. I would like to clean this up and ensure clam os correctly linked. Perhaps I should redo that section.

[email protected]:~# dpkg --get-selections | grep -i clam
clamav install
clamav-base install
clamav-daemon install
clamav-freshclam install
libclamav6 install

 

No, those are the packages that should be installed.

You can redo it by doing:

apt-get remove --purge clamav-daemon libclamav6

apt-get install clamav-deamon libclamav6


Is your partition full by chance?

 

Checked my space I am good on that. looking into the log further I see fuzzy not connecting even though I did specify the password on the db and in the .cf and clean-sql files.

Dec 20 11:36:37.238 [21273] dbg: FuzzyOcr: Connecting to: dbi:mysql:database=FuzzyOcr;mysql_socket=/tmp/mysql.sock
Dec 20 11:36:37.242 [21273] warn: DBI connect('database=FuzzyOcr;mysql_socket=/tmp/mysql.sock','fuzzyocr',...) failed: Can't connect to local MySQL server through socket '/tmp/mysql.sock' (2) at /usr/share/perl5/FuzzyOcr/Config.pm line 194

 

Open /etc/spamassassin/FuzzyOcr.cf and make sure this is specified:

focr_mysql_socket /var/run/mysqld/mysqld.sock

Should be where you specified the other mysql settings. Your Fuzzy is looking for the sock in the wrong place.

 

Ahh excellent thank you for noticing that.


Do you have any idea why I am getting these when running the lint?

ec 20 13:51:14.681 [32499] info: config: failed to parse line, skipping, in "/etc/spamassassin/99_FVGT_Tripwire.cf": <META HTTP-EQUIV="Expires" CONTENT="-1">
Dec 20 13:51:14.682 [32499] info: config: failed to parse line, skipping, in "/etc/spamassassin/99_FVGT_Tripwire.cf": <TITLE></TITLE>
Dec 20 13:51:14.682 [32499] info: config: failed to parse line, skipping, in "/etc/spamassassin/99_FVGT_Tripwire.cf": </HEAD>
Dec 20 13:51:14.682 [32499] info: config: failed to parse line, skipping, in "/etc/spamassassin/99_FVGT_Tripwire.cf": <BODY><P></BODY>
Dec 20 13:51:14.682 [32499] info: config: failed to parse line, skipping, in "/etc/spamassassin/99_FVGT_Tripwire.cf": </HTML>
Dec 20 13:51:14.682 [32499] info: config: failed to parse line, skipping, in "/etc/spamassassin/99_sare_fraud_post25x.cf": <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/1999/REC-html401-19991224/strict.dtd">
Dec 20 13:51:14.683 [32499] info: config: failed to parse line, skipping, in "/etc/spamassassin/99_sare_fraud_post25x.cf": <!-- <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
Dec 20 13:51:14.683 [32499] info: config: failed to parse line, skipping, in "/etc/spamassassin/99_sare_fraud_post25x.cf": "http://www.w3.org/TR/html4/strict.dtd"> -->
Dec 20 13:51:14.683 [32499] info: config: failed to parse line, skipping, in "/etc/spamassassin/99_sare_fraud_post25x.cf": <HTML>
Dec 20 13:51:14.760 [32499] info: config: failed to parse line, skipping, in "/etc/spamassassin/99_sare_fraud_post25x.cf": <HEAD>
Dec 20 13:51:14.760 [32499] info: config: failed to parse line, skipping, in "/etc/spamassassin/99_sare_fraud_post25x.cf": <META HTTP-EQUIV="Refresh" CONTENT="0.1">
Dec 20 13:51:14.760 [32499] info: config: failed to parse line, skipping, in "/etc/spamassassin/99_sare_fraud_post25x.cf": <META HTTP-EQUIV="Pragma" CONTENT="no-cache">
Dec 20 13:51:14.761 [32499] info: config: failed to parse line, skipping, in "/etc/spamassassin/99_sare_fraud_post25x.cf": <META HTTP-EQUIV="Expires" CONTENT="-1">
Dec 20 13:51:14.761 [32499] info: config: failed to parse line, skipping, in "/etc/spamassassin/99_sare_fraud_post25x.cf": <TITLE></TITLE>
Dec 20 13:51:14.761 [32499] info: config: failed to parse line, skipping, in "/etc/spamassassin/99_sare_fraud_post25x.cf": </HEAD>
Dec 20 13:51:14.761 [32499] info: config: failed to parse line, skipping, in "/etc/spamassassin/99_sare_fraud_post25x.cf": <BODY><P></BODY>

 

You have downloaded HTML files instead of actual spamassassin rules files.

 

OK everything is looking really good. Just the two last issues.

the aforementioned parse error and a clamav issue.

Ubuntu comes with amavis-new..should i leave that installed ? Will it conflict with permissions?

Right now in mail.log i see

MailScanner[6459]: Cannot find Socket (/var/run/clamav/clamd.ctl) Exiting!

Thanks so much for your support!

 

Oh really ? How should I go about redownloading the correct files?

 

ahhh

/usr/bin/wget http://www.rulesemporium.com/rules/70_sare_header0.cf


-2010-12-20 15:18:26-- http://www.rulesemporium.com/rules/70_sare_header0.cf
Resolving www.rulesemporium.com... 72.52.4.74
Connecting to www.rulesemporium.com|72.52.4.74|:80... connected.
HTTP request sent, awaiting response... 404 Not Found
2010-12-20 15:18:27 ERROR 404: Not Found.



the files don't exist anymore

 

Ok i manually got the .cf files I could find, so I am all set.


So back to the original issue.


Report: MailScanner: Message attempted to kill MailScanner

This still occurs and in my log file I see
Dec 20 15:28:36 belatrix MailScanner[9362]: Reading configuration file /opt/MailScanner/etc/conf.d/README
Dec 20 15:28:36 belatrix MailScanner[9362]: Read 867 hostnames from the phishing whitelist
Dec 20 15:28:36 belatrix MailScanner[32693]: Warning: skipping message ED315440084.A2C21 as it has been attempted too many times
Dec 20 15:28:36 belatrix MailScanner[32693]: Quarantined message ED315440084.A2C21 as it caused MailScanner to crash several times
Dec 20 15:28:36 belatrix MailScanner[32693]: Saved entire message to /var/spool/MailScanner/quarantine/20101220/ED315440084.A2C21

 

Did you try to reinstall clamav? After you've reinstalled it, run freshclam to update the defs. It may take a few mins. After that, I would restart mailscanner and check the logs.

 

ok looking good. was i correct to uninstall amavis-new? It was running clam amavis user and causing issues during initial install.

 

Yes, this setup does not use amavis, no clue why it was installed. So is everything sorted out now?

 

Everything appears to be running smoothly and no more false positives or errors. I would like to get the rest of those cf files it seems that site www.rulesemporium.com is down.

fuzzy-mysql cleaner kills my cpu when it's run not to sure why, i was going to trace that.

I need to do some more poking around to ensure a clean setup and start a decent backup regimen. Plus ensure I can handle any outages or daemon failures.

Thanks again.

 

There is a cron job for Baruwa that updates spamassassin so you don't have to. Look at the guide, I'm sure it's there. You can run it like:
manage.py updatesarule

If you mail log looks clean, then I won't thing everything's running as it should.

Make sure you change the database connection settings of /usr/sbin/fuzzy-cleanmysql to whatever you used for your FuzzyOcr database.