I have a weird problem with some virus messages getting corrupted (we detect about 2 up to 3 such corrupted messages per month). The box does about 50000 deliveries per day. I have no other reports about corrupted messages, so I guess this is not some hardware issue.
First, a description of the message flow:

1. Qmail receives a message for a local user.
2. qmail-lspawn invokes /var/qmail/bin/qmail-local, which is in fact a symlink to a tweaked amavis-sh script.
3. The script invokes:
       cat | ${formail} -f -A "${X_Header_String}" >${tmpdir}/receivedmail
   which stores the message (read from stdin, which is probably opened from the queue) to a file.
4. The script MIME-unpacks the message with
       ${metamail} -x${tmpdir}/unpacked/ < ${tmpdir}/receivedmail > /dev/null 2>&1
   ($metamail is /usr/local/bin/reformime in my case)
5. Since the message contains an attachment with a filename ending with ".exe", namely "Update136-20.exe", md5sum is run on it (this is my modification). md5sum reports "8f0730eec78b2c4f0586fe69c5f17983".
6. The script performs some further checks; however, it does not modify the file "receivedmail".
7. Since the virus scanners report no viruses, the script finally calls:
       /var/qmail/bin/qmail-local-real "$@" < ${tmpdir}/receivedmail
   (that is the real qmail-local)
8. qmail-local runs maildrop, since the user doesn't have a .qmail file, and maildrop is specified as the "defaultdelivery".
9. The user has only a skeletal .mailfilter file:
       FROM='[EMAIL PROTECTED]'
       to "./Maildir/"
10. maildrop delivers the file to the user's maildir.

Now the weird thing: when I take this message, extract the attachment and run md5sum on it, it reports the sum "4613a17f12531d21c683023ffa4b4a34". I get this sum when I extract the message with mutt, reformime, or if I inject the message to qmail again so it runs the above procedure once again.

I suspect the message gets corrupted somewhere between qmail-local and the user's maildir, but I have no idea how or when exactly this might happen. The message looks like properly formatted plaintext/html + attachment. I can provide it if someone's interested.

The thing that bugs me most is that AVP doesn't detect that the message is a virus during the first delivery, but does detect it on subsequent deliveries.

I'm really puzzled. Any hints are welcome.

Marcin
--
Marcin Owsiany <[EMAIL PROTECTED]> http://marcin.owsiany.pl/
GnuPG: 1024D/60F41216 FE67 DA2D 0ACA FC5E 3F75 D6F6 3A0D 8AA0 60F4 1216
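
Added example, not part of the original post or of amavis-sh: one way to narrow down where in the flow above the bytes change is to checksum the raw message body (rather than the unpacked attachment) of "receivedmail" just before step 7 and of the copy that lands in the maildir, then compare. The function names, the log format and the sample messages are hypothetical, and the headers prepended to the delivered copy are an assumption about what a delivery agent may add.

```shell
#!/bin/sh
# Added diagnostic helpers; not part of the amavis-sh script discussed above.

# body_md5 FILE: md5 of the message body only (all lines after the first
# empty line), so headers prepended at delivery time do not affect the sum.
body_md5() {
    awk 'in_body { print } /^$/ { in_body = 1 }' "$1" | md5sum | cut -d' ' -f1
}

# same_body A B: succeeds only when both files carry an identical body.
same_body() {
    [ "$(body_md5 "$1")" = "$(body_md5 "$2")" ]
}

# log_stage TAG FILE LOG: append "tag md5 bytes" so sums taken at different
# points of the flow can be correlated afterwards.
log_stage() {
    printf '%s %s %s\n' "$1" "$(body_md5 "$2")" "$(wc -c < "$2" | tr -d ' ')" >> "$3"
}

# Constructed sample data (hypothetical addresses and content).
demo=$(mktemp -d)
printf 'From: a@example.org\nSubject: t\n\nline one\nline two\n' > "$demo/receivedmail"
# Same body with delivery headers prepended, as a delivered copy might have.
{ printf 'Return-Path: <a@example.org>\nDelivered-To: u@example.org\n'
  cat "$demo/receivedmail"; } > "$demo/delivered"
# Same headers, one body byte changed.
sed 's/line two/line twO/' "$demo/delivered" > "$demo/damaged"

log_stage pre-delivery "$demo/receivedmail" "$demo/sums.log"
log_stage maildir "$demo/delivered" "$demo/sums.log"
same_body "$demo/receivedmail" "$demo/delivered" && echo "delivered: body intact"
same_body "$demo/receivedmail" "$demo/damaged" || echo "damaged: body differs"
```

If the two body sums agree for a message whose extracted attachment sums differ, the stored bytes did not change and the difference lies in the unpacking step instead.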