Report: MailScanner: Message attempted to kill MailScanner

Discussion in 'HOWTO-Related Questions' started by macross, Dec 20, 2010.

  1. macross

    macross New Member

    Hi there.

    After my install following the SpamSnake guide for ubuntu-jeos-10.10-maverick-meerkat, I receive many of these emails, and some users' mails appear to be wrongly blocked.

    Report: MailScanner: Message attempted to kill MailScanner

    I googled and found some mention of winmail.dat. I tried changing a few things, but the message persists and users' emails are being blocked.

    Anyone have this issue?

    Thanks!
     
  2. Rocky

    Rocky Member

    What's in your mail.log?
     
  3. macross

    macross New Member

    Dec 20 10:11:01 belatrix MailScanner[18378]: Making attempt 6 at processing message D15FF440361.A2C11
    Dec 20 10:11:01 belatrix MailScanner[18378]: New Batch: Scanning 1 messages, 586001 bytes
    Dec 20 10:11:01 belatrix MailScanner[18453]: MailScanner E-Mail Virus Scanner version 4.81.4 starting...
    Dec 20 10:11:02 belatrix MailScanner[18453]: Reading configuration file /opt/MailScanner/etc/MailScanner.conf
    Dec 20 10:11:02 belatrix MailScanner[18453]: Reading configuration file /opt/MailScanner/etc/conf.d/README
    Dec 20 10:11:02 belatrix MailScanner[18453]: Read 867 hostnames from the phishing whitelist
    Dec 20 10:11:02 belatrix MailScanner[18453]: Read 4445 hostnames from the phishing blacklists
    Dec 20 10:11:02 belatrix MailScanner[18453]: Config: calling custom init function BaruwaLowScore
    Dec 20 10:11:02 belatrix MailScanner[18453]: Config: calling custom init function BaruwaBlacklist
    Dec 20 10:11:02 belatrix MailScanner[18453]: Starting Baruwa blacklists
    Dec 20 10:11:02 belatrix MailScanner[18453]: Read 0 blacklist items
    Dec 20 10:11:02 belatrix MailScanner[18453]: Ip blocks blacklisted:
    Dec 20 10:11:02 belatrix MailScanner[18453]: Config: calling custom init function BaruwaSQL
    Dec 20 10:11:02 belatrix MailScanner[18453]: Starting Baruwa SQL logger
    Dec 20 10:11:02 belatrix MailScanner[18453]: Config: calling custom init function BaruwaHighScore
    Dec 20 10:11:02 belatrix MailScanner[18453]: Baruwa - Populating high spam score settings
    Dec 20 10:11:02 belatrix MailScanner[18453]: Read 4 high spam score settings
    Dec 20 10:11:02 belatrix MailScanner[18453]: Config: calling custom init function BaruwaWhitelist
    Dec 20 10:11:02 belatrix MailScanner[18453]: Starting Baruwa whitelists
    Dec 20 10:11:02 belatrix MailScanner[18453]: Read 5 whitelist items
    Dec 20 10:11:02 belatrix MailScanner[18453]: Ip blocks whitelisted:
    Dec 20 10:11:02 belatrix MailScanner[18453]: Using SpamAssassin results cache
    Dec 20 10:11:02 belatrix MailScanner[18453]: Connected to SpamAssassin cache database
    Dec 20 10:11:02 belatrix MailScanner[18453]: Enabling SpamAssassin auto-whitelist functionality...
    Dec 20 10:11:04 belatrix MailScanner[17264]: Quarantined message D15FF440361.A2C11 as it caused MailScanner to crash several times
    Dec 20 10:11:04 belatrix MailScanner[17264]: Saved entire message to /var/spool/MailScanner/quarantine/20101220/D15FF440361.A2C11
    Dec 20 10:11:05 belatrix MailScanner[17264]: New Batch: Scanning 1 messages, 586001 bytes
    Dec 20 10:11:05 belatrix MailScanner[17264]: Sender Warnings: Delivered 1 warnings to virus senders
    Dec 20 10:11:05 belatrix postfix/pickup[18244]: 9D8FB440360: uid=103 from=<>
    Dec 20 10:11:05 belatrix postfix/cleanup[18486]: 9D8FB440360: message-id=<[email protected]>
    Dec 20 10:11:05 belatrix postfix/qmgr[28224]: 9D8FB440360: from=<>, size=1215, nrcpt=1 (queue active)
    Dec 20 10:11:05 belatrix postfix/pickup[18244]: AC3F1440361: uid=103 from=<postmaster>
    Dec 20 10:11:05 belatrix postfix/cleanup[18486]: AC3F1440361: message-id=<[email protected]>
    Dec 20 10:11:05 belatrix MailScanner[17264]: Notices: Warned about 1 messages
    Dec 20 10:11:05 belatrix MailScanner[17264]: Deleted 1 messages from processing-database
    Dec 20 10:11:05 belatrix MailScanner[17264]: Logging message D15FF440361.A2C11 to Baruwa SQL
    Dec 20 10:11:05 belatrix MailScanner[17674]: D15FF440361.A2C11: Logged to Baruwa SQL


    This matches the mail.

    Subject: re: ORION Proposal
    MessageID: D15FF440361.A2C11
    Quarantine: /var/spool/MailScanner/quarantine/20101220/D15FF440361.A2C11
    Report: MailScanner: Message attempted to kill MailScanner
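
A quick way to pull the relevant facts out of mail.log for this failure mode, as an added example that is not part of the original thread: the function lists each message MailScanner quarantined for crashing it, the highest retry count logged, and the quarantine path to inspect. The sample lines are constructed from the excerpts posted in this thread, and the field positions assume the syslog layout those lines show.

```shell
# Added example (not from the thread): list messages MailScanner gave up on.
# Reads a mail.log on stdin and prints one line per crash-quarantined
# message: "<message-id> <highest attempt seen or ?> <quarantine path or ->".
# Real use: crash_quarantine_summary < /var/log/mail.log
crash_quarantine_summary() {
    awk '
    $5 !~ /^MailScanner\[[0-9]+\]:$/ { next }      # only MailScanner lines
    $6 == "Making" && $7 == "attempt" {            # retry counter per message
        if ($8 + 0 > tries[$12]) tries[$12] = $8 + 0
    }
    $6 == "Quarantined" && /caused MailScanner to crash/ {
        if (!($8 in seen)) { seen[$8] = 1; order[++n] = $8 }
    }
    $6 == "Saved" && $7 == "entire" {              # path ends in the message id
        id = $10; sub(/.*\//, "", id); path[id] = $10
    }
    END {
        for (i = 1; i <= n; i++) {
            id = order[i]
            printf "%s %s %s\n", id, (id in tries ? tries[id] : "?"), (id in path ? path[id] : "-")
        }
    }'
}

# Constructed sample, trimmed from the log lines posted in this thread.
sample_log() {
    cat <<'EOF'
Dec 20 10:11:01 belatrix MailScanner[18378]: Making attempt 6 at processing message D15FF440361.A2C11
Dec 20 10:11:01 belatrix MailScanner[18378]: New Batch: Scanning 1 messages, 586001 bytes
Dec 20 10:11:04 belatrix MailScanner[17264]: Quarantined message D15FF440361.A2C11 as it caused MailScanner to crash several times
Dec 20 10:11:04 belatrix MailScanner[17264]: Saved entire message to /var/spool/MailScanner/quarantine/20101220/D15FF440361.A2C11
Dec 20 10:11:05 belatrix postfix/qmgr[28224]: 9D8FB440360: from=<>, size=1215, nrcpt=1 (queue active)
Dec 20 15:28:36 belatrix MailScanner[32693]: Quarantined message ED315440084.A2C21 as it caused MailScanner to crash several times
Dec 20 15:28:36 belatrix MailScanner[32693]: Saved entire message to /var/spool/MailScanner/quarantine/20101220/ED315440084.A2C21
EOF
}

sample_log | crash_quarantine_summary
```

A "?" in the second column means no "Making attempt" line for that message was present in the input, as with the second message in the sample.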
     
  4. Rocky

    Rocky Member

    What do you have in your clamav.log?

    Do the mails have any documents attached?

    Also, check to see if the hard drive is full.
     
    Last edited: Dec 20, 2010
  5. macross

    macross New Member

    Actually my clamav log is empty.
     
  6. macross

    macross New Member

    Hmm, which clam should be installed? I may have an extra version installed. I would like to clean this up and ensure clam is correctly linked. Perhaps I should redo that section.

    root@belatrix:~# dpkg --get-selections | grep -i clam
    clamav install
    clamav-base install
    clamav-daemon install
    clamav-freshclam install
    libclamav6 install
     
  7. Rocky

    Rocky Member

    No, those are the packages that should be installed.

    You can redo it by doing:

    apt-get remove --purge clamav-daemon libclamav6

    apt-get install clamav-daemon libclamav6


    Is your partition full by chance?
     
  8. macross

    macross New Member

    Checked my space, I am good on that. Looking into the log further, I see fuzzy not connecting even though I did specify the password on the db and in the .cf and clean-sql files.

    Dec 20 11:36:37.238 [21273] dbg: FuzzyOcr: Connecting to: dbi:mysql:database=FuzzyOcr;mysql_socket=/tmp/mysql.sock
    Dec 20 11:36:37.242 [21273] warn: DBI connect('database=FuzzyOcr;mysql_socket=/tmp/mysql.sock','fuzzyocr',...) failed: Can't connect to local MySQL server through socket '/tmp/mysql.sock' (2) at /usr/share/perl5/FuzzyOcr/Config.pm line 194
     
  9. Rocky

    Rocky Member

    Open /etc/spamassassin/FuzzyOcr.cf and make sure this is specified:

    focr_mysql_socket /var/run/mysqld/mysqld.sock

    Should be where you specified the other mysql settings. Your Fuzzy is looking for the sock in the wrong place.
     
  10. macross

    macross New Member

    Ahh excellent thank you for noticing that.


    Do you have any idea why I am getting these when running the lint?

    Dec 20 13:51:14.681 [32499] info: config: failed to parse line, skipping, in "/etc/spamassassin/99_FVGT_Tripwire.cf": <META HTTP-EQUIV="Expires" CONTENT="-1">
    Dec 20 13:51:14.682 [32499] info: config: failed to parse line, skipping, in "/etc/spamassassin/99_FVGT_Tripwire.cf": <TITLE></TITLE>
    Dec 20 13:51:14.682 [32499] info: config: failed to parse line, skipping, in "/etc/spamassassin/99_FVGT_Tripwire.cf": </HEAD>
    Dec 20 13:51:14.682 [32499] info: config: failed to parse line, skipping, in "/etc/spamassassin/99_FVGT_Tripwire.cf": <BODY><P></BODY>
    Dec 20 13:51:14.682 [32499] info: config: failed to parse line, skipping, in "/etc/spamassassin/99_FVGT_Tripwire.cf": </HTML>
    Dec 20 13:51:14.682 [32499] info: config: failed to parse line, skipping, in "/etc/spamassassin/99_sare_fraud_post25x.cf": <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/1999/REC-html401-19991224/strict.dtd">
    Dec 20 13:51:14.683 [32499] info: config: failed to parse line, skipping, in "/etc/spamassassin/99_sare_fraud_post25x.cf": <!-- <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
    Dec 20 13:51:14.683 [32499] info: config: failed to parse line, skipping, in "/etc/spamassassin/99_sare_fraud_post25x.cf": "http://www.w3.org/TR/html4/strict.dtd"> -->
    Dec 20 13:51:14.683 [32499] info: config: failed to parse line, skipping, in "/etc/spamassassin/99_sare_fraud_post25x.cf": <HTML>
    Dec 20 13:51:14.760 [32499] info: config: failed to parse line, skipping, in "/etc/spamassassin/99_sare_fraud_post25x.cf": <HEAD>
    Dec 20 13:51:14.760 [32499] info: config: failed to parse line, skipping, in "/etc/spamassassin/99_sare_fraud_post25x.cf": <META HTTP-EQUIV="Refresh" CONTENT="0.1">
    Dec 20 13:51:14.760 [32499] info: config: failed to parse line, skipping, in "/etc/spamassassin/99_sare_fraud_post25x.cf": <META HTTP-EQUIV="Pragma" CONTENT="no-cache">
    Dec 20 13:51:14.761 [32499] info: config: failed to parse line, skipping, in "/etc/spamassassin/99_sare_fraud_post25x.cf": <META HTTP-EQUIV="Expires" CONTENT="-1">
    Dec 20 13:51:14.761 [32499] info: config: failed to parse line, skipping, in "/etc/spamassassin/99_sare_fraud_post25x.cf": <TITLE></TITLE>
    Dec 20 13:51:14.761 [32499] info: config: failed to parse line, skipping, in "/etc/spamassassin/99_sare_fraud_post25x.cf": </HEAD>
    Dec 20 13:51:14.761 [32499] info: config: failed to parse line, skipping, in "/etc/spamassassin/99_sare_fraud_post25x.cf": <BODY><P></BODY>
     
  11. topdog

    topdog Active Member

    You have downloaded HTML files instead of actual spamassassin rules files.
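
One way to check for the condition described in the reply above, as an added example that is not part of the original thread: the function flags any `.cf` file in a rules directory that carries HTML document markup on a non-comment line, which is what a saved error or redirect page looks like. The file names and rule name in the demo are constructed.

```shell
# Added example (not from the thread): find rule files that are really
# saved web pages. Prints every *.cf file in directory $1 that has HTML
# document markup on a non-comment line.
# Real use: find_html_rule_files /etc/spamassassin
find_html_rule_files() {
    for f in "$1"/*.cf; do
        [ -f "$f" ] || continue
        # Comments are skipped so a rule file that merely mentions a tag
        # in a '#' line is not flagged; rule lines never start with '<'.
        if grep -v '^[[:space:]]*#' "$f" |
           grep -Eiq '^[[:space:]]*(<!DOCTYPE|</?(html|head|body|title|meta)[ >])'; then
            printf '%s\n' "$f"
        fi
    done
}

# Constructed demo data: one HTML page saved under a .cf name, one real rule file.
demo_dir=$(mktemp -d)
cat > "$demo_dir/99_bad.cf" <<'EOF'
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Refresh" CONTENT="0.1">
<TITLE></TITLE>
</HEAD>
<BODY><P></BODY>
</HTML>
EOF
cat > "$demo_dir/10_good.cf" <<'EOF'
# <html> appears here in a comment only
body     LOCAL_DEMO_RULE  /example phrase/i
describe LOCAL_DEMO_RULE  Constructed demo rule
score    LOCAL_DEMO_RULE  0.1
EOF

find_html_rule_files "$demo_dir"   # lists only 99_bad.cf
rm -rf "$demo_dir"
```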
     
  12. macross

    macross New Member

    OK everything is looking really good. Just the two last issues.

    The aforementioned parse error and a clamav issue.

    Ubuntu comes with amavis-new. Should I leave that installed? Will it conflict with permissions?

    Right now in mail.log I see:

    MailScanner[6459]: Cannot find Socket (/var/run/clamav/clamd.ctl) Exiting!

    Thanks so much for your support!
     
  13. macross

    macross New Member


    Oh really? How should I go about redownloading the correct files?
     
  14. macross

    macross New Member

  15. macross

    macross New Member

    OK, I manually got the .cf files I could find, so I am all set.


    So back to the original issue.


    Report: MailScanner: Message attempted to kill MailScanner

    This still occurs and in my log file I see
    Dec 20 15:28:36 belatrix MailScanner[9362]: Reading configuration file /opt/MailScanner/etc/conf.d/README
    Dec 20 15:28:36 belatrix MailScanner[9362]: Read 867 hostnames from the phishing whitelist
    Dec 20 15:28:36 belatrix MailScanner[32693]: Warning: skipping message ED315440084.A2C21 as it has been attempted too many times
    Dec 20 15:28:36 belatrix MailScanner[32693]: Quarantined message ED315440084.A2C21 as it caused MailScanner to crash several times
    Dec 20 15:28:36 belatrix MailScanner[32693]: Saved entire message to /var/spool/MailScanner/quarantine/20101220/ED315440084.A2C21
     
  16. Rocky

    Rocky Member

    Did you try to reinstall clamav? After you've reinstalled it, run freshclam to update the defs. It may take a few mins. After that, I would restart mailscanner and check the logs.
     
  17. macross

    macross New Member

    OK, looking good. Was I correct to uninstall amavis-new? It was running clam amavis user and causing issues during initial install.
     
    Last edited: Dec 20, 2010
  18. Rocky

    Rocky Member

    Yes, this setup does not use amavis, no clue why it was installed. So is everything sorted out now?
     
  19. macross

    macross New Member

    Everything appears to be running smoothly and no more false positives or errors. I would like to get the rest of those cf files; it seems that site www.rulesemporium.com is down.

    fuzzy-mysql cleaner kills my CPU when it's run. Not too sure why; I was going to trace that.

    I need to do some more poking around to ensure a clean setup and start a decent backup regimen. Plus ensure I can handle any outages or daemon failures.

    Thanks again.
     
  20. Rocky

    Rocky Member

    There is a cron job for Baruwa that updates spamassassin so you don't have to. Look at the guide, I'm sure it's there. You can run it like:
    manage.py updatesarule

    If your mail log looks clean, then I would think everything's running as it should.

    Make sure you change the database connection settings of /usr/sbin/fuzzy-cleanmysql to whatever you used for your FuzzyOcr database.
     
