clamav dropping mail

Started by LogicX, April 25, 2005, 05:48:16 PM


LogicX

This is a heck of a mystery for me -- I contacted a business that I made a purchase from, after not having heard from them, and they said they did in fact email me.


I didn't receive the email.


/var/log/mail/smtp logs show countless attempts of their mail server trying to send to me:


@40000000426c0f14280e2c5c.s:@40000000426bd1792d55f30c CHKUSER accepted rcpt: from <support@executiveasp.com::> remote <easp-prov1:provisioning.executiveasp.com:204.10.176.52> rcpt <ANTISPAM_REDACTED> : found existing recipient



/var/log/maillog shows:

Apr 24 14:04:12 coda spamd[15790]: connection from localhost [127.0.0.1] at port 52657
Apr 24 14:04:12 coda spamd[15790]: processing message <000001c548e8$6bb03610$34b00acc@easpprov1> for clamav:0.
Apr 24 14:04:14 coda spamd[15790]: clean message (0.4/5.0) for clamav:0 in 2.6 seconds, 9216 bytes.
Apr 24 14:04:14 coda spamd[15790]: result: .  0 - MIME_MISSING_BOUNDARY,NO_REAL_NAME scantime=2.6,size=9216,mid=<000001c548e8$6bb03610$34b00acc@easpprov1>,autolearn=no



note the 'for clamav:0' instead of saying my email address, as it normally would.


After that -- there's no record of the email, not in maildrop.log, nothing in /var/log/maillog about delivering it to me, etc. --


I've gotten numerous other emails in this time -- and I'm unable to find any other emails which were processed as 'for clamav:0'


I've enabled ALL clamav logging options, and eagerly await some clue; however, unless I get an email from them again, I'm not convinced I'll learn of the problem.


I encourage others to search their logs for a 'for clamav', and see if they're losing emails. Google shows no results on 'for clamav'.


This concerns me greatly, as the last thing I would ever want is my own email server I run to drop emails I desire. I'll probably start poring through the source code next to discover what this means.

--- May this post be indexed by spiders, and archived for all to see as my internet epitaph.
http://fpux.com
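The post above asks others to grep their maillog for 'for clamav'. As an added example (not code from the thread or from SpamAssassin), the Python below does that search a little more carefully: it parses spamd's "processing message ... for user:uid" line and the "clean message"/"identified spam" verdict that follows from the same child pid, and reports every message spamd scanned on behalf of a user that is not one of your expected mailbox users. The sample log lines are constructed to mirror the excerpt in the post (the second message, its message-id and the user `logicx@logicx.net:1003` are invented controls), and the expected-user set is an assumption you would replace with your own.

```python
import re
from typing import Dict, List, Set

# Constructed sample, modelled on the /var/log/maillog excerpt in this thread.
# The first message is the one the poster noticed ("for clamav:0"); the second
# is an invented control message scanned for a normal mailbox user.
SAMPLE_MAILLOG = """\
Apr 24 14:04:12 coda spamd[15790]: connection from localhost [127.0.0.1] at port 52657
Apr 24 14:04:12 coda spamd[15790]: processing message <000001c548e8$6bb03610$34b00acc@easpprov1> for clamav:0.
Apr 24 14:04:14 coda spamd[15790]: clean message (0.4/5.0) for clamav:0 in 2.6 seconds, 9216 bytes.
Apr 24 14:04:14 coda spamd[15790]: result: .  0 - MIME_MISSING_BOUNDARY,NO_REAL_NAME scantime=2.6,size=9216,mid=<000001c548e8$6bb03610$34b00acc@easpprov1>,autolearn=no
Apr 24 14:10:02 coda spamd[15790]: connection from localhost [127.0.0.1] at port 52701
Apr 24 14:10:02 coda spamd[15790]: processing message <ctrl-0001@example.invalid> for logicx@logicx.net:1003.
Apr 24 14:10:03 coda spamd[15790]: clean message (1.2/5.0) for logicx@logicx.net:1003 in 1.1 seconds, 4120 bytes.
"""

# syslog prefix: timestamp, host, "spamd[pid]: " then the spamd message
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"spamd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# "processing message <id> for user:uid."  (user may be an address)
PROCESSING_RE = re.compile(
    r"^processing message (?P<msgid><[^>]*>) for (?P<user>\S+):(?P<uid>\d+)\.$"
)
# "clean message (score/threshold) for user:uid in ..." or "identified spam (...) for ..."
VERDICT_RE = re.compile(
    r"^(?P<verdict>clean message|identified spam) \((?P<score>-?\d+(?:\.\d+)?)/"
    r"(?P<threshold>-?\d+(?:\.\d+)?)\) for (?P<user>\S+):(?P<uid>\d+) in "
)


def scan_spamd_users(log_text: str, expected_users: Set[str]) -> List[Dict]:
    """Correlate each spamd 'processing message' line with the verdict line
    that follows it from the same child pid, and return a record for every
    message spamd scanned for a user outside expected_users."""
    pending: Dict[str, Dict] = {}   # pid -> record still awaiting its verdict
    flagged: List[Dict] = []
    for line in log_text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        pid, msg = m.group("pid"), m.group("msg")
        p = PROCESSING_RE.match(msg)
        if p:
            pending[pid] = {
                "ts": m.group("ts"),
                "msgid": p.group("msgid"),
                "user": p.group("user"),
                "uid": int(p.group("uid")),
                "verdict": None,
                "score": None,
            }
            continue
        v = VERDICT_RE.match(msg)
        if v and pid in pending:
            rec = pending.pop(pid)
            rec["verdict"] = v.group("verdict")
            rec["score"] = float(v.group("score"))
            if rec["user"] not in expected_users:
                flagged.append(rec)
    # A 'processing' line that never got a verdict (child died or timed out)
    # is also worth a look: that message may never have reached delivery.
    for rec in pending.values():
        if rec["user"] not in expected_users:
            flagged.append(rec)
    return flagged


if __name__ == "__main__":
    # Assumed list of the mailbox users spamd should be scanning for.
    for rec in scan_spamd_users(SAMPLE_MAILLOG, {"logicx@logicx.net"}):
        print(f"{rec['ts']} {rec['msgid']} scanned for {rec['user']}:{rec['uid']} "
              f"-> {rec['verdict']} ({rec['score']})")
```

Run it against a real maillog by replacing `SAMPLE_MAILLOG` with the file contents and the set with your own mailbox users; anything it prints is a message spamd handled under an unexpected identity and worth tracing onward in the qmail and maildrop logs.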

matt

A clue to help you on your way. The logfile entry you cite is a SpamAssassin entry. It is most likely "for clamav" because your content scanner is running as the system username "clamav".

Now grasshopper, you must ask yourself a couple questions:

1. Why doesn't SpamAssassin know the proper username for the message?
2. What would your system do with such a message destined to a local user?

Answer those questions and you'll find your answer.


cubera

I've the same problem.

I'm working on answering the questions, but the first one seems to be too difficult for me.

LogicX, did you find a solution?

LogicX

cubera wrote on Fri, 20 May 2005 16:16

I've the same problem.

I'm working on answering the questions, but the first one seems to be too difficult for me.

LogicX, did you find a solution?


It never happened again, so I've been unable to have a good, repeatable test.

I've gotten busy, and lost interest since the problem hasn't re-appeared.

Matt


1. Why doesn't SpamAssassin know the proper username for the message?
2. What would your system do with such a message destined to a local user?



1. they didn't have a proper 'To:' field?
2. handled by /var/qmail/alias entries (I just added a .qmail-default there so I'll see if I catch such things in the future?)
--- May this post be indexed by spiders, and archived for all to see as my internet epitaph.
http://fpux.com

LogicX

Alright -- I'm having this same issue again -- any more clues Matt?
--- May this post be indexed by spiders, and archived for all to see as my internet epitaph.
http://fpux.com

LogicX

using recordio I was able to snag the email as it comes into smtp --

Here's the convo with headers -- nothing seems to jump out at me.

I did however notice that the email did not end properly

A normal closure looks like this:
@4000000043949529352f6cd4 3615 < .
@400000004394952b399c7384 3615 > 250 ok 1133810977 qp 3618
@400000004394952c30d5c32c 3615 < QUIT
@400000004394952c30e1e0bc 3615 > 221 mail.logicx.net
@400000004394952c30f447ac 3615 > [EOF]


This instead ends:
@400000004394954420f1401c 3617 < Complaint Dept.
@400000004394954420f147ec 3617 < Better Business Bureau of the Southland, Inc.</p>
@400000004394954420f14fbc 3617 < ------=_NextPart_000_0583_01C5F895.5152E5+
@400000004394954420f1578c 3617 > 451 See http://pobox.com/~djb/docs/smtplf.html.

And there you have it I guess --
it's a broken email message, sent from a broken mailer, and I suppose that such brokenness leads to more problems down the line -- spamd and clamav ...

@40000000439493b83b0c7674 3432 > 220 mail.logicx.net ESMTP^M
@40000000439493b903a0b40c 3432 < EHLO BBBEMAIL2.labbb.org^M
@40000000439493b903a1e0d4 3432 > 250-mail.logicx.net^M
@40000000439493b903a22b0c 3432 > 250-STARTTLS^M
@40000000439493b903a2698c 3432 > 250-PIPELINING^M
@40000000439493b903a2a03c 3432 > 250-8BITMIME^M
@40000000439493b903a2dad4 3432 > 250-SIZE 0^M
@40000000439493b903a31184 3432 > 250 AUTH LOGIN PLAIN CRAM-MD5^M
@40000000439493b9080955bc 3432 < MAIL FROM:<cmpl@labbb.org>^M
@40000000439493b90faf4c04 3432 > 250 ok^M
@40000000439493b915dd2524 3432 < RCPT TO:<bbb@logicx.us>^M
@40000000439493b915e31c7c CHKUSER accepted rcpt: from <cmpl@labbb.org::> remote <BBBEMAIL2.labbb.org:65-60-97-140-cust.telepacific.net:65.60.97.140> rcpt <bbb@logicx.us> : found existing recipient
@40000000439493b915e3d02c 3432 > 250 ok^M
@40000000439493b91b771ecc 3432 < DATA^M
@40000000439493b91b870cec 3432 > 354 go ahead^M
@40000000439493b92122141c 3432 < Received: from labbb.org ([209.85.136.240]) by BBBEMAIL2.labbb.org with Microsoft SMTPSVC(6.0.3790.1830);^M
@40000000439493b92122e70c 3432 <         Sun, 4 Dec 2005 05:41:04 -0800^M
@40000000439493b921232974 3432 < Received: from bbbweb3 ([192.168.5.103]) by labbb.org with Microsoft SMTPSVC(5.0.2195.6713);^M
@40000000439493b9212367f4 3432 <         Sun, 4 Dec 2005 05:+
@40000000439493b92123ecc4 3432 < 41:04 -0800^M
@40000000439493b92124e6c4 3432 < thread-index: AcX42F92vktNa9B5T1O3Q/mWIaA72g==^M
@40000000439493b92125292c 3432 < Thread-Topic: Your Complaint^M
@40000000439493b9212563c4 3432 < From: <mailto:cmpl@labbb.org" target="_blank">cmpl@labbb.org>^M
@40000000439493b921259e5c 3432 < To: <mailto:bbb@logicx.us" target="_blank">bbb@logicx.us>^M
@40000000439493b92125d50c 3432 < Subject: Your Complaint^M
@40000000439493b921260fa4 3432 < Date: Sun, 4 Dec 2005 05:41:04 -0800^M
@40000000439493b92127443c 3432 < Message-ID: <058201c5f8d8$5f7625d0$mailto:6705a8c0@labbb.org" target="_blank">6705a8c0@labbb.org>^M
@40000000439493b9212782bc 3432 < M+
@40000000439493b92127e84c 3432 < IME-Version: 1.0^M
@40000000439493b921289814 3432 < Content-Type: multipart/alternative;^M
@40000000439493b92128d694 3432 <        boundary="----=_NextPart_000_0583_01C5F895.5152E5D0"^M
@40000000439493b921291514 3432 < X-Mailer: Microsoft CDO for Exchange 2000^M
@40000000439493b921294fac 3432 < Content-Class: urn:content-classes:message^M
@40000000439493b921298a44 3432 < Importance: normal^M
@40000000439493b92129c0f4 3432 < Priority: normal^M
@40000000439493b92129fb8c 3432 < X-MimeOLE: Produced +
@40000000439493b9212a5d34 3432 < By Microsoft MimeOLE V6.00.2800.1506^M
@40000000439493b9212b052c 3432 < Return-Path: cmpl@labbb.org^M
@40000000439493b9212b4794 3432 < X-OriginalArrivalTime: 04 Dec 2005 13:41:04.0813 (UTC) FILETIME=[5F7625D0:01C5F8D8]^M
@40000000439493b9212b8614 3432 < ^M
@40000000439493b9212bbcc4 3432 < This is a multi-part message in MIME format.^M
@40000000439493b9212bf75c 3432 < ^M
@40000000439493b9212c31f4 3432 < ------=_NextPart_000_0583_01C5F895.5152E5D0^M
@40000000439493b9212c6c8c 3432 < Content-T+
@40000000439493b9212cca4c 3432 < ype: text/plain;^M
@40000000439493b921301ddc 3432 <        charset="iso-8859-1"^M
@40000000439493b9213050a4 3432 < Content-Transfer-Encoding: 7bit^M
--- May this post be indexed by spiders, and archived for all to see as my internet epitaph.
http://fpux.com
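The 451 in the capture above is qmail-smtpd refusing a bare linefeed inside DATA (the smtplf page it points to explains the policy); because 451 is a temporary failure, the sending server keeps retrying, which is the "countless attempts" seen in the smtp log. As an added example (not code from the thread, from qmail or from ucspi-tcp), the Python below reproduces the check on a constructed message whose MIME boundary line ends in a bare LF, and shows the repair that djb's fixcrio applies on the way in: inserting a CR before every LF that lacks one. The message text, addresses and the "250 ok" accept string are assumptions for the example.

```python
from typing import Optional

# Reply qmail-smtpd gives when it sees a bare LF in DATA, as quoted in the
# recordio capture in this thread; it then drops the connection, so the sender
# sees a temporary failure and retries.
SMTPLF_REPLY = b"451 See http://pobox.com/~djb/docs/smtplf.html."

# Constructed message body modelled on the captured one (addresses invented).
# Every header ends in CRLF as SMTP requires; the MIME boundary on line 10
# ends in a bare LF, which is the defect the capture shows.
BAD_DATA = (
    b"From: <cmpl@example.invalid>\r\n"
    b"To: <bbb@example.invalid>\r\n"
    b"Subject: Your Complaint\r\n"
    b"MIME-Version: 1.0\r\n"
    b"Content-Type: multipart/alternative;\r\n"
    b"\tboundary=\"----=_NextPart_000_0583\"\r\n"
    b"\r\n"
    b"This is a multi-part message in MIME format.\r\n"
    b"\r\n"
    b"------=_NextPart_000_0583\n"          # bare LF: line 10
    b"Content-Type: text/plain\r\n"
)


def find_bare_lf(data: bytes) -> Optional[int]:
    """Return the 1-based line number of the first LF not preceded by CR, or
    None when every line ending is CRLF. This is the condition qmail-smtpd's
    DATA reader tests before answering 451."""
    line = 1
    prev = None
    for b in data:
        if b == 0x0A:
            if prev != 0x0D:
                return line
            line += 1
        prev = b
    return None


def fixcrio(data: bytes) -> bytes:
    """Insert a CR before every LF that lacks one. This is the idea behind
    djb's fixcrio from ucspi-tcp, reimplemented here; it is not the program."""
    out = bytearray()
    prev = None
    for b in data:
        if b == 0x0A and prev != 0x0D:
            out.append(0x0D)
        out.append(b)
        prev = b
    return bytes(out)


def smtp_data_reply(data: bytes) -> bytes:
    """Model the server's answer to a DATA body: the captured 451 when a bare
    LF is present, otherwise an accept. The accept text stands in for the
    real '250 ok <timestamp> qp <pid>' line, which is not reproduced here."""
    if find_bare_lf(data) is not None:
        return SMTPLF_REPLY
    return b"250 ok"


if __name__ == "__main__":
    print("bare LF on line:", find_bare_lf(BAD_DATA))
    print("server says:", smtp_data_reply(BAD_DATA).decode())
    print("after fixcrio:", smtp_data_reply(fixcrio(BAD_DATA)).decode())
```

In a qmail deployment the equivalent of `fixcrio` is inserted in front of qmail-smtpd in the tcpserver run line, so a mailer that emits bare LFs gets its message accepted instead of retrying forever; the trade-off is that you are then repairing the sender's protocol violation for them rather than rejecting it.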