Here is the mail message header:

Return-Path: <[EMAIL PROTECTED]>
Delivered-To: [EMAIL PROTECTED]
Received: (qmail 15388 invoked by uid 504); 19 May 2004 15:34:13 -0000
Received: from [EMAIL PROTECTED] by mail.example.com by uid 501 with qmail-scanner-1.16 (ehost Clear:. Processed in 11.096361 secs); 19 May 2004 15:34:13 -0000
Received: from unknown (HELO mail.yahoo.com) (1.1.1.1) by 0 with SMTP; 19 May 2004 15:34:02 -0000
Received: from mail.yahoo.com (intermail [127.0.0.1]) by mail.yahoo.com (8.12.8/8.12.8) with ESMTP id i4JFUssu019078 for <[EMAIL PROTECTED]>; Wed, 19 May 2004 23:30:54 +0800
From: "rootlinux" <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: test - 11:41pm
Date: Wed, 19 May 2004 23:30:54 +0800
Message-Id: <[EMAIL PROTECTED]>
Mime-Version: 1.0
Content-Type:

Here is the qmail-queue.log:

19/05/2004 23:34:02:15383: +++ starting debugging for process 15383 by uid=501 at 19/05/2004 23:34:02
19/05/2004 23:34:02:15383: setting UID to EUID so subprocesses can access files generated by this script
19/05/2004 23:34:02:15383: program name is qmail-scanner-queue.pl, version 1.16
19/05/2004 23:34:02:15383: incoming SMTP connection from via smtp from 1.1.1.1
19/05/2004 23:34:02:15383: w_c: mkdir /var/spool/qmailscan/mail.example.com108498084243115383
19/05/2004 23:34:02:15383: w_c: start dumping incoming msg into /var/spool/qmailscan/working/tmp/mail.example.com108498084243115383 [1084980842.13506]
19/05/2004 23:34:02:15383: w_c: rename new msg from /var/spool/qmailscan/working/tmp/mail.example.com108498084243115383 to /var/spool/qmailscan/working/new/mail.example.com108498084243115383 [1084980852.63514]
19/05/2004 23:34:02:15383: d_m: starting /usr/local/bin/reformime -x/var/spool/qmailscan/mail.example.com108498084243115383/ </var/spool/qmailscan/working/new/mail.example.com108498084243115383 [1084980852.63558]
19/05/2004 23:34:02:15383: d_m: finished /usr/local/bin/reformime -x/var/spool/qmailscan/mail.example.com108498084243115383/ [1084980852.69235]
19/05/2004 23:34:02:15383: d_m: Manually unpack any zip files as some virus scanners don't do zip under Unix!
19/05/2004 23:34:02:15383: d_m: unpacking message took 0.057176 seconds
19/05/2004 23:34:02:15383: unsetting QMAILQUEUE env var
19/05/2004 23:34:02:15383: g_e_h: return-path is "[EMAIL PROTECTED]", recips is "[EMAIL PROTECTED]"
19/05/2004 23:34:02:15383: from="rootlinux" <[EMAIL PROTECTED]>,subj=test - 11:41pm, x-qmail-scanner-message-id=<[EMAIL PROTECTED]> via smtp from 1.1.1.1
19/05/2004 23:34:02:15383: ini_sc: start scanning
19/05/2004 23:34:02:15383: p_s: starting scan of directory "/var/spool/qmailscan/mail.example.com108498084243115383"...
19/05/2004 23:34:02:15383: p_s: '81:ILOVEYOU' = 'Virus-subject' = 'Love Letter Virus/Trojan'
19/05/2004 23:34:02:15383: p_s: type is a header!
19/05/2004 23:34:02:15383: p_s: checking for objects containing subject: ILOVEYOU
19/05/2004 23:34:02:15383: p_s: '82:message/partial' = 'Virus-content-type' = 'Message/partial MIME attachments blocked by policy'
19/05/2004 23:34:02:15383: p_s: type is a header!
19/05/2004 23:34:02:15383: p_s: checking for objects containing content-type: message/partial
19/05/2004 23:34:02:15383: p_s: '85:.{100,}' = 'Virus-date' = 'MIME Header Buffer Overflow'
19/05/2004 23:34:02:15383: p_s: type is a header!
19/05/2004 23:34:02:15383: p_s: checking for objects containing date: .{100,}
19/05/2004 23:34:02:15383: p_s: '86:.{100,}' = 'Virus-mime-version' = 'MIME Header Buffer Overflow '
19/05/2004 23:34:02:15383: p_s: type is a header!
19/05/2004 23:34:02:15383: p_s: checking for objects containing mime-version: .{100,}
19/05/2004 23:34:02:15383: p_s: '87:.{100,}' = 'Virus-resent-date' = 'MIME Header Buffer Overflow'
19/05/2004 23:34:02:15383: p_s: type is a header!
19/05/2004 23:34:02:15383: p_s: checking for objects containing resent-date: .{100,}
19/05/2004 23:34:02:15383: p_s: '90:[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]' = 'Virus-to' = 'BadTrans Trojan exploit!'
19/05/2004 23:34:02:15383: p_s: type is a header!
19/05/2004 23:34:02:15383: p_s: checking for objects containing to: [EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]
19/05/2004 23:34:02:15383: p_s: 'eicar.com' = '69' = 'EICAR Test Virus'
19/05/2004 23:34:02:15383: p_s: type is a size!
19/05/2004 23:34:02:15383: p_s: 'happy99.exe' = '10000' = 'Happy99 Trojan'
19/05/2004 23:34:02:15383: p_s: type is a size!
19/05/2004 23:34:02:15383: p_s: 'zipped_files.exe' = '120495' = 'W32/ExploreZip.worm.pak virus'
19/05/2004 23:34:02:15383: p_s: type is a size!
19/05/2004 23:34:02:15383: p_s: skipping auto-generated file 1084980852.15385-0.mail.example.com
19/05/2004 23:34:02:15383: p_s: checking WMSysPr9.prx against perlscanner database...
19/05/2004 23:34:02:15383: p_s: file WMSysPr9.prx is lowercased to wmsyspr9.prx and has extension .prx
19/05/2004 23:34:02:15383: p_s: compare wmsyspr9.prx against perlscanner database
19/05/2004 23:34:02:15383: p_s: finished scan of dir "/var/spool/qmailscan/mail.example.com108498084243115383" in 0.003664 secs
19/05/2004 23:34:02:15383: ini_sc: recursively scan the directory /var/spool/qmailscan/mail.example.com108498084243115383/
19/05/2004 23:34:02:15383: scanloop: starting scan of directory "/var/spool/qmailscan/mail.example.com108498084243115383"...
19/05/2004 23:34:02:15383: uvscan: starting scan of directory "/var/spool/qmailscan/mail.example.com108498084243115383"...
19/05/2004 23:34:02:15383: run /usr/local/bin/uvscan -v -r --secure --fam --unzip --macro-heuristics /var/spool/qmailscan/mail.example.com108498084243115383 2>&1
19/05/2004 23:34:02:15383: --output of uvscan was:
Scanning /var/spool/qmailscan/mail.example.com108498084243115383/*
Scanning file /var/spool/qmailscan/mail.example.com108498084243115383/1084980852.15385-0.mail.example.com
Scanning file /var/spool/qmailscan/mail.example.com108498084243115383/WMSysPr9.prx
Scanning file /var/spool/qmailscan/mail.example.com108498084243115383/WMSysPr9.prx/WMSysPr9.prx
--
19/05/2004 23:34:02:15383: uvscan: finished scan of dir "/var/spool/qmailscan/mail.example.com108498084243115383" in 0.528814 secs
19/05/2004 23:34:02:15383: scanloop: finished scan of "/var/spool/qmailscan/mail.example.com108498084243115383"...
19/05/2004 23:34:02:15383: ini_sc: scanning message took 0.53301 seconds
19/05/2004 23:34:02:15383: q_r: fork off child into /var/qmail/bin/qmail-queue...
19/05/2004 23:34:02:15383: cleanup: /bin/rm -rf /var/spool/qmailscan/mail.example.com108498084243115383/ /var/spool/qmailscan/working/new/mail.example.com108498084243115383
19/05/2004 23:34:13:15383: all finished. Total of 11.178623 secs

Regards,
rootlinux

--- Chuck <[EMAIL PROTECTED]> wrote:
> On Wed May 19 2004 09:31 am, root linux wrote:
>
> honestly that doesn't look at all unusual to me if you receive a lot of email.
> our process list is almost triple that all the time. however there is one
> thing you should do, since you could be bottled up in either a/v processing,
> spam processing or writing out in a large quarantine directory.
>
> first examine message headers. At the end of the qmail-scanner-queue entry
> will be a process time. with only a few exceptions it should NEVER exceed 0.3
> seconds. If it does, look for reasons why it is being delayed in the external
> processes. Also, be sure to empty your quarantine directories often.
> if the directories get too large it will take forever to write the new ones
> out. also limit your quarantine notifications to one or two deliveries instead
> of a list of people. I delete ours every 3 hours. we accumulate almost a gb of
> quarantines in about 5 hrs of running, so I delete them all every 3 hours for
> safety and to keep things running quickly. other than that, it looks like an
> average semi-busy server to me.
>
> Chuck
>
> > Hi all,
> >
> > I have lots of the below process running when I run
> > "ps -ef" at the command prompt, is it normal?
> >
> > Btw, I am running Red Hat 7.2 with qmail 1.03 and
> > qmail-scanner 1.16
> >
> > qmaild 6407 5946 0 21:12 pts/0 00:00:00 qmail-smtpd
> > qmailq 6408 6407 0 21:12 pts/0 00:00:00 /usr/bin/suidperl /dev/fd/4//var/qmail/bin/qmail-scanner-queue.pl
> > qmaild 6414 5946 0 21:12 pts/0 00:00:00 qmail-smtpd
> > qmailq 6419 6414 0 21:12 pts/0 00:00:00 /usr/bin/suidperl /dev/fd/4//var/qmail/bin/qmail-scanner-queue.pl
> > qmaild 6453 5946 0 21:13 pts/0 00:00:00 qmail-smtpd
> > qmaild 6543 5946 0 21:14 pts/0 00:00:00 qmail-smtpd
> > qmailq 6553 6543 0 21:14 pts/0 00:00:00 /usr/bin/suidperl /dev/fd/4//var/qmail/bin/qmail-scanner-queue.pl
> > qmaild 6557 5946 0 21:14 pts/0 00:00:00 qmail-smtpd
> > qmaild 6682 5946 0 21:15 pts/0 00:00:00 qmail-smtpd
> > qmaild 6713 5946 0 21:15 pts/0 00:00:00 qmail-smtpd
> > qmailq 6714 6713 0 21:15 pts/0 00:00:00 /usr/bin/suidperl /dev/fd/4//var/qmail/bin/qmail-scanner-queue.pl
> > qmaild 6748 5946 0 21:16 pts/0 00:00:00 qmail-smtpd
> > qmailq 6749 6748 0 21:16 pts/0 00:00:00 /usr/bin/suidperl /dev/fd/4//var/qmail/bin/qmail-scanner-queue.pl
> > qmaild 6758 5946 0 21:16 pts/0 00:00:00 qmail-smtpd
> > qmailq 6759 6758 0 21:16 pts/0 00:00:00 /usr/bin/suidperl /dev/fd/4//var/qmail/bin/qmail-scanner-queue.pl
> > qmaild 6806 5946 0 21:17 pts/0 00:00:00 qmail-smtpd
> > qmailq 6807 6806 0 21:17 pts/0 00:00:00 /usr/bin/suidperl /dev/fd/4//var/qmail/bin/qmail-scanner-queue.pl
> > qmaild 6808 5946 0 21:17 pts/0 00:00:00 qmail-smtpd
> > qmailq 6813 6808 0 21:17 pts/0 00:00:00 /usr/bin/suidperl /dev/fd/4//var/qmail/bin/qmail-scanner-queue.pl
> > qmaild 6823 5946 0 21:17 pts/0 00:00:00 qmail-smtpd
> > qmaild 6825 5946 0 21:17 pts/0 00:00:00 qmail-smtpd
> > qmaild 6826 5946 0 21:17 pts/0 00:00:00 qmail-smtpd
> > qmailq 6827 6823 0 21:17 pts/0 00:00:00 /usr/bin/suidperl /dev/fd/4//var/qmail/bin/qmail-scanner-queue.pl
> > qmaild 6828 5946 0 21:17 pts/0 00:00:00 qmail-smtpd
> > qmailq 6829 6825 0 21:17 pts/0 00:00:00 /usr/bin/suidperl /dev/fd/4//var/qmail/bin/qmail-scanner-queue.pl
> > qmailq 6830 6826 0 21:17 pts/0 00:00:00 /usr/bin/suidperl /dev/fd/4//var/qmail/bin/qmail-scanner-queue.pl
> > qmailq 6831 6828 0 21:17 pts/0 00:00:00 /usr/bin/suidperl /dev/fd/4//var/qmail/bin/qmail-scanner-queue.pl
> > qmaild 6832 5946 0 21:17 pts/0 00:00:00 qmail-smtpd
> > qmailq 6845 6832 0 21:17 pts/0 00:00:00 /usr/bin/suidperl /dev/fd/4//var/qmail/bin/qmail-scanner-queue.pl
> > qmaild 6862 5946 0 21:18 pts/0 00:00:00 qmail-smtpd
> > qmailq 6864 6862 0 21:18 pts/0 00:00:00 /usr/bin/suidperl /dev/fd/4//var/qmail/bin/qmail-scanner-queue.pl
> > qmaild 6869 5946 0 21:18 pts/0 00:00:00 qmail-smtpd
> > qmailq 6870 6869 0 21:18 pts/0 00:00:00 /usr/bin/suidperl /dev/fd/4//var/qmail/bin/qmail-scanner-queue.pl
> > qmaild 6896 5946 0 21:18 pts/0 00:00:00 qmail-smtpd
> > qmailq 6897 6896 0 21:18 pts/0 00:00:00 /usr/bin/suidperl /dev/fd/4//var/qmail/bin/qmail-scanner-queue.pl
> > qmaild 6903 5946 0 21:18 pts/0 00:00:00 qmail-smtpd
> > qmaild 6908 5946 0 21:18 pts/0 00:00:00 qmail-smtpd
> > qmailq 6909 6908 0 21:18 pts/0 00:00:00 /usr/bin/suidperl /dev/fd/4//var/qmail/bin/qmail-scanner-queue.pl
> > qmaild 6946 5946 0 21:19 pts/0 00:00:00 qmail-smtpd
> > qmailq 6947 6946 0 21:19 pts/0 00:00:00 /usr/bin/suidperl /dev/fd/4//var/qmail/bin/qmail-scanner-queue.pl
> > qmaild 6964 5946 0 21:19 pts/0 00:00:00 qmail-smtpd
> > qmailq 6965 6964 0 21:19 pts/0 00:00:00 /usr/bin/suidperl /dev/fd/4//var/qmail/bin/qmail-scanner-queue.pl
> > qmaild 6974 5946 0 21:19 pts/0 00:00:00 qmail-smtpd
> > qmailq 6983 6974 2 21:19 pts/0 00:00:00 /usr/bin/suidperl /dev/fd/4//var/qmail/bin/qmail-scanner-queue.pl
> >
> > Regards,
> > rootlinux
>
> --
> Chuck
>
> "...and the hordes of M$*ft users descended upon me in their anger,
> and asked 'Why do you not get the viruses or the BlueScreensOfDeath
> or insecure system troubles and slowness or pay through the nose
> for an OS as *we* do?!!', and I answered...'I use Linux'. "
> The Book of John, chapter 1, page 1, and end of book
_______________________________________________
Qmail-scanner-general mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/qmail-scanner-general
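
The quoted reply suggests checking the per-message process time against 0.3 seconds and then looking for where the delay sits. As an added example (not part of the original post and not qmail-scanner code), this Python script reads debug entries like the ones above and reports which steps exceed that ceiling, using the bracketed epoch stamps and the durations the scanner prints itself; the function names, the `MSGDIR` abbreviation and the abridged sample are assumptions of this example.

```python
import re

THRESHOLD = 0.3  # seconds: the ceiling suggested in the quoted reply

# Entries abridged from the debug log above; MSGDIR stands in for the long
# spool path (an abbreviation made for this example), timings are as logged.
SAMPLE = """\
19/05/2004 23:34:02:15383: w_c: start dumping incoming msg into MSGDIR [1084980842.13506]
19/05/2004 23:34:02:15383: w_c: rename new msg from MSGDIR to MSGDIR [1084980852.63514]
19/05/2004 23:34:02:15383: d_m: starting /usr/local/bin/reformime -xMSGDIR/ <MSGDIR [1084980852.63558]
19/05/2004 23:34:02:15383: d_m: finished /usr/local/bin/reformime -xMSGDIR/ [1084980852.69235]
19/05/2004 23:34:02:15383: d_m: unpacking message took 0.057176 seconds
19/05/2004 23:34:02:15383: uvscan: finished scan of dir "MSGDIR" in 0.528814 secs
19/05/2004 23:34:02:15383: ini_sc: scanning message took 0.53301 seconds
19/05/2004 23:34:13:15383: all finished. Total of 11.178623 secs
"""

ENTRY = re.compile(r"^\d\d/\d\d/\d{4} \d\d:\d\d:\d\d:\d+: (.*)$")
EPOCH = re.compile(r"\[(\d+\.\d+)\]\s*$")
TOOK = re.compile(r"\s(?:took|in|Total of) (\d+\.\d+) sec")

def analyse(text):
    """Return (gaps, reported) for one message's debug entries.
    gaps: seconds between consecutive entries ending in a bracketed epoch;
    reported: durations the scanner printed itself (took / in / Total of).
    The leading date field barely changes in this log, so it is ignored."""
    stamps, reported = [], []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        msg = m.group(1)
        epoch, took = EPOCH.search(msg), TOOK.search(msg)
        if epoch:
            stamps.append((float(epoch.group(1)), " ".join(msg.split()[:3])))
        elif took:
            reported.append((float(took.group(1)), msg[:took.start()]))
    gaps = [(round(b[0] - a[0], 3), a[1], b[1]) for a, b in zip(stamps, stamps[1:])]
    return gaps, reported

def slow_steps(text, threshold=THRESHOLD):
    """Gaps and self-reported durations above the threshold, largest first."""
    gaps, reported = analyse(text)
    hits = [(secs, f"{a} -> {b}") for secs, a, b in gaps] + reported
    return sorted((h for h in hits if h[0] > threshold), reverse=True)

if __name__ == "__main__":
    for secs, what in slow_steps(SAMPLE):
        print(f"{secs:9.3f}s  {what}")
```

On the entries from this message, the 10.5 s gap falls between "start dumping incoming msg" and "rename new msg", while the uvscan run accounts for about 0.53 s of the 11.18 s total.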