Thanks for the help.  I have set the softlimit to 25M as suggested but it
did not solve the issue.  After testing, I am convinced this has something
to do with running SpamAssassin in daemon mode.  Here is the command I am
using to start the daemon:

/usr/bin/spamd --debug -x -L -u spamc

The spamc user does exist and its home directory is /opt/spamassassin.  When
I issue the spamc command manually, it does not use pyzor or dcc.  Any
thoughts?


Cheers,
  matthew



> From: "Mark Simon Powell" <[EMAIL PROTECTED]>
> Date: 6 Sep 2003 15:53:37 +0100
> To: "Matthew Edward Porter" <[EMAIL PROTECTED]>
> Cc: [EMAIL PROTECTED]
> Subject: Re: [Qmail-scanner-general]QS + SpamAssassin with DCC & Pyzor
> 
> On Fri, 5 Sep 2003, Matthew Edward Porter wrote:
> 
>> Below are the logs for QS and SA for a test message I sent containing a PDF
>> file and some text.  I will be posting the same information to the SA list.
>> Neither log says anything about pyzor or dcc.  The softlimit for qmail-smtpd
>> is set to 5000000.
> 
> I'm assuming you're using the softlimit program from daemontools? Starting
> qmail-smtpd with:
> 
> /usr/local/bin/softlimit -m 5000000 ...
> 
> If so then 5M is ample for stock qmail-smtpd, but for QS which is a perl
> script, spamc and your virus scanners this is probably way too low. Try
> the suggested 25M instead. See if it works then. If so bring it down step
> by step until it stops working and then add a few meg on, to be on the
> safe side. All this is in QS README BTW.
> Cheers.
> 
>> 
>> Any thoughts?
>> 
>> 
>> Cheers,
>>   matthew
>> 
>> 
>> 
>> SPAMASSASSIN LOG
>> 2003-09-05 16:01:24.630841500 logmsg: connection from localhost [127.0.0.1]
>> at port 43656
>> 2003-09-05 16:01:24.645354500 logmsg: processing message
>> <[EMAIL PROTECTED]> for qscand:351.
>> 2003-09-05 16:01:24.649457500 debug: bayes: 29889 tie-ing to DB file R/O
>> /opt/spamassassin/.spamassassin/bayes_toks
>> 2003-09-05 16:01:24.650583500 debug: bayes: 29889 tie-ing to DB file R/O
>> /opt/spamassassin/.spamassassin/bayes_seen
>> 2003-09-05 16:01:24.651115500 debug: debug: Only 1 spam(s) in Bayes DB < 200
>> 2003-09-05 16:01:24.651174500 debug: bayes: 29889 untie-ing
>> 2003-09-05 16:01:24.651203500 debug: bayes: 29889 untie-ing db_toks
>> 2003-09-05 16:01:24.651455500 debug: bayes: 29889 untie-ing db_seen
>> 2003-09-05 16:01:24.651856500 debug: running header regexp tests; score so
>> far=0
>> 2003-09-05 16:01:24.663326500 debug: running body-text per-line regexp
>> tests; score so far=0
>> 2003-09-05 16:01:24.679329500 debug: running raw-body-text per-line regexp
>> tests; score so far=0
>> 2003-09-05 16:01:24.679949500 debug: running uri tests; score so far=0
>> 2003-09-05 16:01:24.680139500 debug: uri tests: Done uriRE
>> 2003-09-05 16:01:24.680868500 debug: running full-text regexp tests; score
>> so far=0
>> 2003-09-05 16:01:24.682803500 debug: all '*From' addrs: [EMAIL PROTECTED]
>> 2003-09-05 16:01:24.683607500 debug: all '*To' addrs:
>> [EMAIL PROTECTED]
>> 2003-09-05 16:01:24.683961500 debug: forged_rcvd_trail: entry 0:
>> by=metissian.com from=(undef) mismatches=0
>> 2003-09-05 16:01:24.684026500 debug: forged_rcvd_trail: entry 1: by=mac.com
>> from=mac.com mismatches=0
>> 2003-09-05 16:01:24.686975500 debug: running meta tests; score so far=0
>> 2003-09-05 16:01:24.687722500 debug: auto-learn? safety=4, ham=-2, spam=15,
>> body-hits=0, head-hits=0
>> 2003-09-05 16:01:24.687749500 debug: auto-learn: currently using scoreset 0.
>> no need to recompute.
>> 2003-09-05 16:01:24.687769500 debug: auto-learn? no: inside auto-learn
>> thresholds or safety zone around required_hits
>> 2003-09-05 16:01:24.687857500 debug: is spam? score=0 required=5
>> tests=USER_AGENT_APPLEMAIL
>> 2003-09-05 16:01:24.692358500 logmsg: clean message (0.0/5.0) for qscand:351
>> in 0.1 seconds, 137145 bytes.
>> 2003-09-05 16:01:24.692653500 debug: bayes: 29889 untie-ing
>> 
>> 
>> QMAIL-SCANNER LOG
>> Fri, 05 Sep 2003 16:01:24 -0500:29880: +++ starting debugging for process
>> 29880 by uid=89 at Fri, 05 Sep 2003 16:01:24 -0500
>> Fri, 05 Sep 2003 16:01:24 -0500:29880: setting UID to EUID so subprocesses
>> can access files generated by this script
>> Fri, 05 Sep 2003 16:01:24 -0500:29880: program name is
>> qmail-scanner-queue.pl, version 1.20rc3
>> Fri, 05 Sep 2003 16:01:24 -0500:29880: incoming SMTP connection from via
>> smtp from 17.250.248.89
>> Fri, 05 Sep 2003 16:01:24 -0500:29880: w_c: mkdir
>> /var/spool/qmailscan/morpheus106279568445629880
>> Fri, 05 Sep 2003 16:01:24 -0500:29880: w_c: start dumping incoming msg into
>> /var/spool/qmailscan/working/tmp/morpheus106279568445629880
>> [1062795684.26177]
>> Fri, 05 Sep 2003 16:01:24 -0500:29880: w_c: primary Content-Type of
>> multipart/mixed found
>> Fri, 05 Sep 2003 16:01:24 -0500:29880: w_c: found a top-level boundary
>> definition of Apple\-Mail\-6\-736610710
>> Fri, 05 Sep 2003 16:01:24 -0500:29880: w_c: attachment  1: Content-Type of
>> text/plain found
>> Fri, 05 Sep 2003 16:01:24 -0500:29880: found C-T attachment filename
>> clamdoc.pdf
>> Fri, 05 Sep 2003 16:01:24 -0500:29880: w_c: attachment  2: Content-Type of
>> application/pdf found
>> Fri, 05 Sep 2003 16:01:24 -0500:29880: w_c: rename new msg from
>> /var/spool/qmailscan/working/tmp/morpheus106279568445629880 to
>> /var/spool/qmailscan/working/new/morpheus106279568445629880
>> [1062795684.59236]
>> Fri, 05 Sep 2003 16:01:24 -0500:29880: d_m: starting
>> /usr/local/bin/reformime  -x/var/spool/qmailscan/morpheus106279568445629880/
>> </var/spool/qmailscan/working/new/morpheus106279568445629880
>> [1062795684.59263]
>> Fri, 05 Sep 2003 16:01:24 -0500:29880: d_m: finished
>> /usr/local/bin/reformime  -x/var/spool/qmailscan/morpheus106279568445629880/
>> [1062795684.6086]
>> Fri, 05 Sep 2003 16:01:24 -0500:29880: d_m: Checking all attachments to see
>> if they're MS-TNEF
>> Fri, 05 Sep 2003 16:01:24 -0500:29880: d_m: is
>> /var/spool/qmailscan/morpheus106279568445629880/clamdoc.pdf is a TNEF file?:
>> 256 [1062795684.61052]
>> Fri, 05 Sep 2003 16:01:24 -0500:29880: d_m: is
>> /var/spool/qmailscan/morpheus106279568445629880/1062795684.29882-0.morpheus
>> is a TNEF file?: 256 [1062795684.61237]
>> Fri, 05 Sep 2003 16:01:24 -0500:29880: d_m: Manually unpack any zip files as
>> some virus scanners don't do zip under Unix!
>> Fri, 05 Sep 2003 16:01:24 -0500:29880: d_m: unpacking message took 0.02006
>> seconds
>> Fri, 05 Sep 2003 16:01:24 -0500:29880: unsetting QMAILQUEUE env var
>> Fri, 05 Sep 2003 16:01:24 -0500:29880: g_e_h: return-path is
>> "[EMAIL PROTECTED]", recips is "[EMAIL PROTECTED]"
>> Fri, 05 Sep 2003 16:01:24 -0500:29880: from="Matthew E. Porter"
>> <[EMAIL PROTECTED]>,subj=pyzor/dcc test 1,
>> x-qmail-scanner-message-id=<[EMAIL PROTECTED]>
>> via smtp from 17.250.248.89
>> Fri, 05 Sep 2003 16:01:24 -0500:29880: ini_sc: start scanning
>> Fri, 05 Sep 2003 16:01:24 -0500:29880: ini_sc: recursively scan the
>> directory /var/spool/qmailscan/morpheus106279568445629880/
>> Fri, 05 Sep 2003 16:01:24 -0500:29880: scanloop: starting scan of directory
>> "/var/spool/qmailscan/morpheus106279568445629880"...
>> Fri, 05 Sep 2003 16:01:24 -0500:29880: scanloop:
>> scanner=clamuko_scanner,plain_text_msg=0
>> Fri, 05 Sep 2003 16:01:24 -0500:29880: clamuko: starting scan of directory
>> "/var/spool/qmailscan/morpheus106279568445629880"...
>> Fri, 05 Sep 2003 16:01:24 -0500:29880: run /opt/clamav/bin/clamdscan -r
>> --disable-summary --max-recursion=10 --max-space=1000000
>> /var/spool/qmailscan/morpheus106279568445629880 2>&1
>> Fri, 05 Sep 2003 16:01:24 -0500:29880: --output of clamuko was:
>> /var/spool/qmailscan/morpheus106279568445629880: OK
>> --
>> Fri, 05 Sep 2003 16:01:24 -0500:29880: clamuko: finished scan of dir
>> "/var/spool/qmailscan/morpheus106279568445629880" in 0.010678 secs
>> Fri, 05 Sep 2003 16:01:24 -0500:29880: scanloop:
>> scanner=spamassassin,plain_text_msg=0
>> Fri, 05 Sep 2003 16:01:24 -0500:29880: SA: run /usr/bin/spamc  -f <
>> /var/spool/qmailscan/working/new/morpheus106279568445629880
>> Fri, 05 Sep 2003 16:01:24 -0500:29880: SA: overwriting
>> /var/spool/qmailscan/working/new/morpheus106279568445629880 with
>> /var/spool/qmailscan/working/new/morpheus106279568445629880.spamc
>> Fri, 05 Sep 2003 16:01:24 -0500:29880: spamassassin: finished scan of dir
>> "/var/spool/qmailscan/morpheus106279568445629880" in 0.085642 secs
>> Fri, 05 Sep 2003 16:01:24 -0500:29880: scanloop: finished scan of
>> "/var/spool/qmailscan/morpheus106279568445629880"...
>> Fri, 05 Sep 2003 16:01:24 -0500:29880: p_s: starting scan of directory
>> "/var/spool/qmailscan/morpheus106279568445629880"...
>> Fri, 05 Sep 2003 16:01:24 -0500:29880: p_s:  '81:ILOVEYOU' = 'Virus-subject'
>> = 'Love Letter Virus/Trojan'
>> Fri, 05 Sep 2003 16:01:24 -0500:29880: p_s:  type is a header!
>> Fri, 05 Sep 2003 16:01:24 -0500:29880: p_s:  checking for objects containing
>> subject: ILOVEYOU
>> Fri, 05 Sep 2003 16:01:24 -0500:29880: p_s:  '82:message/partial.*' =
>> 'Virus-content-type' = 'Message/partial MIME attachments blocked by policy'
>> Fri, 05 Sep 2003 16:01:24 -0500:29880: p_s:  type is a header!
>> Fri, 05 Sep 2003 16:01:24 -0500:29880: p_s:  checking for objects containing
>> content-type: message/partial.*
>> Fri, 05 Sep 2003 16:01:24 -0500:29880: p_s:  '85:.{100,}' = 'Virus-date' =
>> 'MIME Header Buffer Overflow'
>> Fri, 05 Sep 2003 16:01:24 -0500:29880: p_s:  type is a header!
>> Fri, 05 Sep 2003 16:01:24 -0500:29880: p_s:  checking for objects containing
>> date: .{100,}
>> Fri, 05 Sep 2003 16:01:24 -0500:29880: p_s:  '86:.{100,}' =
>> 'Virus-mime-version' = 'MIME Header Buffer Overflow '
>> Fri, 05 Sep 2003 16:01:24 -0500:29880: p_s:  type is a header!
>> Fri, 05 Sep 2003 16:01:24 -0500:29880: p_s:  checking for objects containing
>> mime-version: .{100,}
>> Fri, 05 Sep 2003 16:01:24 -0500:29880: p_s:  '87:.{100,}' =
>> 'Virus-resent-date' = 'MIME Header Buffer Overflow'
>> Fri, 05 Sep 2003 16:01:24 -0500:29880: p_s:  type is a header!
>> Fri, 05 Sep 2003 16:01:24 -0500:29880: p_s:  checking for objects containing
>> resent-date: .{100,}
>> Fri, 05 Sep 2003 16:01:24 -0500:29880: p_s:
>> '90:[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]
>> com|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]
>> e.com|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|JGQZC
>> [EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|cxkawog@
>> krovatka.net|[EMAIL PROTECTED]' = 'Virus-to' = 'BadTrans Trojan exploit!'
>> Fri, 05 Sep 2003 16:01:24 -0500:29880: p_s:  type is a header!
>> Fri, 05 Sep 2003 16:01:24 -0500:29880: p_s:  checking for objects containing
>> to:
>> [EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|
>> [EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]
>> m|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]
>> cite.com|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]
>> atka.net|[EMAIL PROTECTED]
>> Fri, 05 Sep 2003 16:01:24 -0500:29880: p_s:  'eicar.com' = '69' = 'EICAR
>> Test Virus'
>> Fri, 05 Sep 2003 16:01:24 -0500:29880: p_s: type is a size!
>> Fri, 05 Sep 2003 16:01:24 -0500:29880: p_s:  'happy99.exe' = '10000' =
>> 'Happy99 Trojan'
>> Fri, 05 Sep 2003 16:01:24 -0500:29880: p_s: type is a size!
>> Fri, 05 Sep 2003 16:01:24 -0500:29880: p_s:  'zipped_files.exe' = '120495' =
>> 'W32/ExploreZip.worm.pak virus'
>> Fri, 05 Sep 2003 16:01:24 -0500:29880: p_s: type is a size!
>> Fri, 05 Sep 2003 16:01:24 -0500:29880: p_s: checking clamdoc.pdf against
>> perlscanner database...
>> Fri, 05 Sep 2003 16:01:24 -0500:29880: p_s: file clamdoc.pdf is lowercased
>> to clamdoc.pdf and has extension .pdf
>> Fri, 05 Sep 2003 16:01:24 -0500:29880: p_s: compare clamdoc.pdf against
>> perlscanner database
>> Fri, 05 Sep 2003 16:01:24 -0500:29880: p_s: skipping auto-generated file
>> 1062795684.29882-0.morpheus
>> Fri, 05 Sep 2003 16:01:24 -0500:29880: p_s: checking clamdoc.pdf against
>> perlscanner database...
>> Fri, 05 Sep 2003 16:01:24 -0500:29880: p_s: file clamdoc.pdf is lowercased
>> to clamdoc.pdf and has extension .pdf
>> Fri, 05 Sep 2003 16:01:24 -0500:29880: p_s: compare clamdoc.pdf against
>> perlscanner database
>> Fri, 05 Sep 2003 16:01:24 -0500:29880: p_s:  finished scan of dir
>> "/var/spool/qmailscan/morpheus106279568445629880" in 0.002922 secs
>> Fri, 05 Sep 2003 16:01:24 -0500:29880: ini_sc: scanning message took
>> 0.099788 seconds
>> Fri, 05 Sep 2003 16:01:24 -0500:29880: q_r: fork off child into
>> /var/qmail/bin/qmail-queue...
>> Fri, 05 Sep 2003 16:01:24 -0500:29890: q_r: xstatus=0
>> Fri, 05 Sep 2003 16:01:24 -0500:29880: cleanup: /bin/rm -rf
>> /var/spool/qmailscan/morpheus106279568445629880/
>> /var/spool/qmailscan/working/new/morpheus106279568445629880
>> 05/09/2003 16:01:24:29880: all finished. Total of 0.563409 secs
>> 
>>> From: "Steve Fulton" <[EMAIL PROTECTED]>
>>> Date: Fri, 5 Sep 2003 14:55:50 -0400 (EDT)
>>> To: [EMAIL PROTECTED]
>>> Subject: Re: [Qmail-scanner-general]QS + SpamAssassin with DCC & Pyzor
>>> 
>>>> Anybody have any guesses, theories, and/or ideas?  Thanks in advance!
>>> 
>>> First I must ask what the logs say?  Turn on debugging in Q-S and SA
>>> (you'll have to run the daemon in the foreground though, and cut and paste
>>> the content).  Fire a few test messages through.  Look at what it says for
>>> DCC and Pyzor.  If you still can't figure it out, ask the Q-S list AND the
>>> SA list, since it may be related to one or the other (though I'm betting
>>> it's a SA issue).  One guess may be memory -- what do you have softlimit
>>> set to?
>>> 
>>> -- Steve
>>> 
>>> 
>>> -------------------------------------------------------
>>> This sf.net email is sponsored by:ThinkGeek
>>> Welcome to geek heaven.
>>> http://thinkgeek.com/sf
>>> _______________________________________________
>>> Qmail-scanner-general mailing list
>>> [EMAIL PROTECTED]
>>> https://lists.sourceforge.net/lists/listinfo/qmail-scanner-general
>>> 
>> 
>> 
>> 
>> 
> 
> -- 
> Mark Powell - UNIX System Administrator - The University of Salford
> Information Services Division, Clifford Whitworth Building,
> Salford University, Manchester, M5 4WT, UK.
> Tel: +44 161 295 4837  Fax: +44 161 295 5888  www.pgp.com for PGP key
> 
> 
> 


