qmail-scanner-queue.pl processes

Chuck Wed, 19 May 2004 09:58:10 -0700

On Wed May 19 2004 11:54 am, root linux wrote:
hmm. odd. i am going to top-answer this one due to its length. tail the queue 
log and see if you can manually notice the delay. according to the av scanner 
it only took .5 secs to complete its scan yet the entire thing took 11 
seconds? very odd. the most i have ever seen our system take was about 2 
seconds when it had to unzip an 18mb file attachment and scan the contents. 
the internal known virus comparisons and unwanted extension comparisons are 
so fast they cannot be a contributing factor.


by any chance is this a slower machine? that can have some effect on it (ours 
is only 700-mhz but it is more than sufficient). also how much ram do you 
have installed? if you can please paste a complete free report about this. 
running out of ram can also cause this behavior (ours is 1gb.. we topped ram 
quite a bit when we had 512mb). does anything else live on this machine or is 
it dedicated to qmail?


Chuck

> Here is the mail message header: -
>
> Return-Path: <[EMAIL PROTECTED]>
> Delivered-To: [EMAIL PROTECTED]
> Received: (qmail 15388 invoked by uid 504); 19 May
> 2004 15:34:13 -0000
> Received: from [EMAIL PROTECTED] by mail.example.com
> by uid 501 with qmail-scanner-1.16 (ehost Clear:.
> Processed in 11.096361 secs); 19 May 2004 15:34:13
> -0000
> Received: from unknown (HELO mail.yahoo.com) (1.1.1.1)
> by 0 with SMTP; 19 May 2004 15:34:02 -0000
> Received: from mail.yahoo.com (intermail [127.0.0.1])
> by mail.yahoo.com (8.12.8/8.12.8) with ESMTP id
> i4JFUssu019078 for <[EMAIL PROTECTED]>; Wed, 19
> May 2004 23:30:54 +0800
> From: "rootlinux" <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED] Subject: test - 11:41pm
> Date: Wed, 19 May 2004 23:30:54 +0800
> Message-Id: <[EMAIL PROTECTED]>
> Mime-Version: 1.0 Content-Type:
>
>
> Here is the qmail-queue.log: -
>
> 19/05/2004 23:34:02:15383: +++ starting debugging for
> process 15383 by uid=501 at 19/05/2004 23:34:02
> 19/05/2004 23:34:02:15383: setting UID to EUID so
> subprocesses can access files generated by this script
> 19/05/2004 23:34:02:15383: program name is
> qmail-scanner-queue.pl, version 1.16
> 19/05/2004 23:34:02:15383: incoming SMTP connection
> from via smtp from 1.1.1.1
> 19/05/2004 23:34:02:15383: w_c: mkdir
> /var/spool/qmailscan/mail.example.com108498084243115383
> 19/05/2004 23:34:02:15383: w_c: start dumping incoming
> msg into
> /var/spool/qmailscan/working/tmp/mail.example.com108498084243115383
> [1084980842.13506]
> 19/05/2004 23:34:02:15383: w_c: rename new msg from
> /var/spool/qmailscan/working/tmp/mail.example.com108498084243115383
> to
> /var/spool/qmailscan/working/new/mail.example.com108498084243115383
> [1084980852.63514]
> 19/05/2004 23:34:02:15383: d_m: starting
> /usr/local/bin/reformime
> -x/var/spool/qmailscan/mail.example.com108498084243115383/
> </var/spool/qmailscan/working/new/mail.example.com108498084243115383
> [1084980852.63558]
> 19/05/2004 23:34:02:15383: d_m: finished
> /usr/local/bin/reformime
> -x/var/spool/qmailscan/mail.example.com108498084243115383/
> [1084980852.69235]
> 19/05/2004 23:34:02:15383: d_m: Manually unpack any
> zip files as some virus scanners don't do zip under
> Unix!
> 19/05/2004 23:34:02:15383: d_m: unpacking message took
> 0.057176 seconds
> 19/05/2004 23:34:02:15383: unsetting QMAILQUEUE env
> var
> 19/05/2004 23:34:02:15383: g_e_h: return-path is
> "[EMAIL PROTECTED]", recips is
> "[EMAIL PROTECTED]"
> 19/05/2004 23:34:02:15383: from="rootlinux"
> <[EMAIL PROTECTED]>,subj=test - 11:41pm,
> x-qmail-scanner-message-id=<[EMAIL PROTECTED]>
> via smtp from 1.1.1.1
> 19/05/2004 23:34:02:15383: ini_sc: start scanning
> 19/05/2004 23:34:02:15383: p_s: starting scan of
> directory
> "/var/spool/qmailscan/mail.example.com108498084243115383"...
> 19/05/2004 23:34:02:15383: p_s:  '81:ILOVEYOU' =
> 'Virus-subject' = 'Love Letter Virus/Trojan'
> 19/05/2004 23:34:02:15383: p_s:  type is a header!
> 19/05/2004 23:34:02:15383: p_s:  checking for objects
> containing subject: ILOVEYOU
> 19/05/2004 23:34:02:15383: p_s:  '82:message/partial'
> = 'Virus-content-type' = 'Message/partial MIME
> attachments blocked by policy'
> 19/05/2004 23:34:02:15383: p_s:  type is a header!
> 19/05/2004 23:34:02:15383: p_s:  checking for objects
> containing content-type: message/partial
> 19/05/2004 23:34:02:15383: p_s:  '85:.{100,}' =
> 'Virus-date' = 'MIME Header Buffer Overflow'
> 19/05/2004 23:34:02:15383: p_s:  type is a header!
> 19/05/2004 23:34:02:15383: p_s:  checking for objects
> containing date: .{100,}
> 19/05/2004 23:34:02:15383: p_s:  '86:.{100,}' =
> 'Virus-mime-version' = 'MIME Header Buffer Overflow '
> 19/05/2004 23:34:02:15383: p_s:  type is a header!
> 19/05/2004 23:34:02:15383: p_s:  checking for objects
> containing mime-version: .{100,}
> 19/05/2004 23:34:02:15383: p_s:  '87:.{100,}' =
> 'Virus-resent-date' = 'MIME Header Buffer Overflow'
> 19/05/2004 23:34:02:15383: p_s:  type is a header!
> 19/05/2004 23:34:02:15383: p_s:  checking for objects
> containing resent-date: .{100,}
> 19/05/2004 23:34:02:15383: p_s:
> '90:[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]
>.com|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]
>re.com|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|JGQZ
>[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|cxkawog
>@krovatka.net|[EMAIL PROTECTED]' = 'Virus-to' = 'BadTrans Trojan exploit!'
> 19/05/2004 23:34:02:15383: p_s:  type is a header!
> 19/05/2004 23:34:02:15383: p_s:  checking for objects
> containing to:
> [EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]
>|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]
>om|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]
>xcite.com|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]
>vatka.net|[EMAIL PROTECTED] 19/05/2004 23:34:02:15383: p_s:  'eicar.com' =
> '69' =
> 'EICAR Test Virus'
> 19/05/2004 23:34:02:15383: p_s: type is a size!
> 19/05/2004 23:34:02:15383: p_s:  'happy99.exe' =
> '10000' = 'Happy99 Trojan'
> 19/05/2004 23:34:02:15383: p_s: type is a size!
> 19/05/2004 23:34:02:15383: p_s:  'zipped_files.exe' =
> '120495' = 'W32/ExploreZip.worm.pak virus'
> 19/05/2004 23:34:02:15383: p_s: type is a size!
> 19/05/2004 23:34:02:15383: p_s: skipping
> auto-generated file
> 1084980852.15385-0.mail.example.com
> 19/05/2004 23:34:02:15383: p_s: checking WMSysPr9.prx
> against perlscanner database...
> 19/05/2004 23:34:02:15383: p_s: file WMSysPr9.prx is
> lowercased to wmsyspr9.prx and has extension .prx
> 19/05/2004 23:34:02:15383: p_s: compare wmsyspr9.prx
> against perlscanner database
> 19/05/2004 23:34:02:15383: p_s:  finished scan of dir
> "/var/spool/qmailscan/mail.example.com108498084243115383"
> in 0.003664 secs
> 19/05/2004 23:34:02:15383: ini_sc: recursively scan
> the directory
> /var/spool/qmailscan/mail.example.com108498084243115383/
> 19/05/2004 23:34:02:15383: scanloop: starting scan of
> directory
> "/var/spool/qmailscan/mail.example.com108498084243115383"...
> 19/05/2004 23:34:02:15383: uvscan: starting scan of
> directory
> "/var/spool/qmailscan/mail.example.com108498084243115383"...
> 19/05/2004 23:34:02:15383: run /usr/local/bin/uvscan
> -v -r --secure --fam --unzip --macro-heuristics
> /var/spool/qmailscan/mail.example.com108498084243115383
>    2>&1
> 19/05/2004 23:34:02:15383: --output of uvscan was:
> Scanning
> /var/spool/qmailscan/mail.example.com108498084243115383/*
> Scanning file
> /var/spool/qmailscan/mail.example.com108498084243115383/1084980852.15385-0.
>mail.example.com Scanning file
> /var/spool/qmailscan/mail.example.com108498084243115383/WMSysPr9.prx
> Scanning file
> /var/spool/qmailscan/mail.example.com108498084243115383/WMSysPr9.prx/WMSysP
>r9.prx --
> 19/05/2004 23:34:02:15383: uvscan: finished scan of
> dir
> "/var/spool/qmailscan/mail.example.com108498084243115383"
> in 0.528814 secs
> 19/05/2004 23:34:02:15383: scanloop: finished scan of
> "/var/spool/qmailscan/mail.example.com108498084243115383"...
> 19/05/2004 23:34:02:15383: ini_sc: scanning message
> took 0.53301 seconds
> 19/05/2004 23:34:02:15383: q_r: fork off child into
> /var/qmail/bin/qmail-queue...
> 19/05/2004 23:34:02:15383: cleanup: /bin/rm -rf
> /var/spool/qmailscan/mail.example.com108498084243115383/
> /var/spool/qmailscan/working/new/mail.example.com108498084243115383
> 19/05/2004 23:34:13:15383: all finished. Total of
> 11.178623 secs
>
> Regards,
> rootlinux
>
> --- Chuck <[EMAIL PROTECTED]> wrote:
> > On Wed May 19 2004 09:31 am, root linux wrote:
> >
> > honestly that doesn't look at all unusual to me if
> > you receive a lot of email.
> > our process list is almost triple that all the time.
> > however there is one
> > thing you should do, since you could be bottled up
> > in either a/v processing,
> > spam processing or writing out in a large quarantine
> > directory.
> >
> > first examine message headers. At the end of the
> > qmail-scanner-queue entry
> > will be a process time. with only a few exceptions
> > it should NEVER exceed 0.3
> > seconds. If it does, look for reasons why it is
> > being delayed in the external
> > processes.  Also, be sure to empty your quarantine
> > directories often. if the
> > directories get too large it will take forever to
> > write the new ones out.
> > also limit your quarantine notifications to one or
> > two deliveries instead of
> > a list of people. I delete ours every 3 hours. we
> > accumulate almost a gb of
> > quarantines in about 5 hrs of running, so I delete
> > them all every 3 hours for
> > safety and to keep things running quickly. other
> > than that, it looks like an
> > average semi-busy server to me.
> >
> >
> > Chuck
> >
> > > Hi all,
> > >
> > > I have lots of the below process running when I
> >
> > run
> >
> > > "ps -ef" at the command prompt, is it normal?
> > >
> > > Btw, I am running Red Hat 7.2 with qmail 1.03 and
> > > qmail-scanner 1.16
> > >
> > > qmaild    6407  5946  0 21:12 pts/0    00:00:00
> > > qmail-smtpd
> > > qmailq    6408  6407  0 21:12 pts/0    00:00:00
> > > /usr/bin/suidperl
> > > /dev/fd/4//var/qmail/bin/qmail-scanner-queue.pl
> > > qmaild    6414  5946  0 21:12 pts/0    00:00:00
> > > qmail-smtpd
> > > qmailq    6419  6414  0 21:12 pts/0    00:00:00
> > > /usr/bin/suidperl
> > > /dev/fd/4//var/qmail/bin/qmail-scanner-queue.pl
> > > qmaild    6453  5946  0 21:13 pts/0    00:00:00
> > > qmail-smtpd
> > > qmaild    6543  5946  0 21:14 pts/0    00:00:00
> > > qmail-smtpd
> > > qmailq    6553  6543  0 21:14 pts/0    00:00:00
> > > /usr/bin/suidperl
> > > /dev/fd/4//var/qmail/bin/qmail-scanner-queue.pl
> > > qmaild    6557  5946  0 21:14 pts/0    00:00:00
> > > qmail-smtpd
> > > qmaild    6682  5946  0 21:15 pts/0    00:00:00
> > > qmail-smtpd
> > > qmaild    6713  5946  0 21:15 pts/0    00:00:00
> > > qmail-smtpd
> > > qmailq    6714  6713  0 21:15 pts/0    00:00:00
> > > /usr/bin/suidperl
> > > /dev/fd/4//var/qmail/bin/qmail-scanner-queue.pl
> > > qmaild    6748  5946  0 21:16 pts/0    00:00:00
> > > qmail-smtpd
> > > qmailq    6749  6748  0 21:16 pts/0    00:00:00
> > > /usr/bin/suidperl
> > > /dev/fd/4//var/qmail/bin/qmail-scanner-queue.pl
> > > qmaild    6758  5946  0 21:16 pts/0    00:00:00
> > > qmail-smtpd
> > > qmailq    6759  6758  0 21:16 pts/0    00:00:00
> > > /usr/bin/suidperl
> > > /dev/fd/4//var/qmail/bin/qmail-scanner-queue.pl
> > > qmaild    6806  5946  0 21:17 pts/0    00:00:00
> > > qmail-smtpd
> > > qmailq    6807  6806  0 21:17 pts/0    00:00:00
> > > /usr/bin/suidperl
> > > /dev/fd/4//var/qmail/bin/qmail-scanner-queue.pl
> > > qmaild    6808  5946  0 21:17 pts/0    00:00:00
> > > qmail-smtpd
> > > qmailq    6813  6808  0 21:17 pts/0    00:00:00
> > > /usr/bin/suidperl
> > > /dev/fd/4//var/qmail/bin/qmail-scanner-queue.pl
> > > qmaild    6823  5946  0 21:17 pts/0    00:00:00
> > > qmail-smtpd
> > > qmaild    6825  5946  0 21:17 pts/0    00:00:00
> > > qmail-smtpd
> > > qmaild    6826  5946  0 21:17 pts/0    00:00:00
> > > qmail-smtpd
> > > qmailq    6827  6823  0 21:17 pts/0    00:00:00
> > > /usr/bin/suidperl
> > > /dev/fd/4//var/qmail/bin/qmail-scanner-queue.pl
> > > qmaild    6828  5946  0 21:17 pts/0    00:00:00
> > > qmail-smtpd
> > > qmailq    6829  6825  0 21:17 pts/0    00:00:00
> > > /usr/bin/suidperl
> > > /dev/fd/4//var/qmail/bin/qmail-scanner-queue.pl
> > > qmailq    6830  6826  0 21:17 pts/0    00:00:00
> > > /usr/bin/suidperl
> > > /dev/fd/4//var/qmail/bin/qmail-scanner-queue.pl
> > > qmailq    6831  6828  0 21:17 pts/0    00:00:00
> > > /usr/bin/suidperl
> > > /dev/fd/4//var/qmail/bin/qmail-scanner-queue.pl
> > > qmaild    6832  5946  0 21:17 pts/0    00:00:00
> > > qmail-smtpd
> > > qmailq    6845  6832  0 21:17 pts/0    00:00:00
> > > /usr/bin/suidperl
> > > /dev/fd/4//var/qmail/bin/qmail-scanner-queue.pl
> > > qmaild    6862  5946  0 21:18 pts/0    00:00:00
> > > qmail-smtpd
> > > qmailq    6864  6862  0 21:18 pts/0    00:00:00
> > > /usr/bin/suidperl
> > > /dev/fd/4//var/qmail/bin/qmail-scanner-queue.pl
> > > qmaild    6869  5946  0 21:18 pts/0    00:00:00
> > > qmail-smtpd
> > > qmailq    6870  6869  0 21:18 pts/0    00:00:00
> > > /usr/bin/suidperl
> > > /dev/fd/4//var/qmail/bin/qmail-scanner-queue.pl
> > > qmaild    6896  5946  0 21:18 pts/0    00:00:00
> > > qmail-smtpd
> > > qmailq    6897  6896  0 21:18 pts/0    00:00:00
> > > /usr/bin/suidperl
> > > /dev/fd/4//var/qmail/bin/qmail-scanner-queue.pl
> > > qmaild    6903  5946  0 21:18 pts/0    00:00:00
> > > qmail-smtpd
> > > qmaild    6908  5946  0 21:18 pts/0    00:00:00
> > > qmail-smtpd
> > > qmailq    6909  6908  0 21:18 pts/0    00:00:00
> > > /usr/bin/suidperl
> > > /dev/fd/4//var/qmail/bin/qmail-scanner-queue.pl
> > > qmaild    6946  5946  0 21:19 pts/0    00:00:00
> > > qmail-smtpd
> > > qmailq    6947  6946  0 21:19 pts/0    00:00:00
> > > /usr/bin/suidperl
> > > /dev/fd/4//var/qmail/bin/qmail-scanner-queue.pl
> > > qmaild    6964  5946  0 21:19 pts/0    00:00:00
> > > qmail-smtpd
> > > qmailq    6965  6964  0 21:19 pts/0    00:00:00
> > > /usr/bin/suidperl
> > > /dev/fd/4//var/qmail/bin/qmail-scanner-queue.pl
> > > qmaild    6974  5946  0 21:19 pts/0    00:00:00
> > > qmail-smtpd
> > > qmailq    6983  6974  2 21:19 pts/0    00:00:00
> > > /usr/bin/suidperl
> > > /dev/fd/4//var/qmail/bin/qmail-scanner-queue.pl
> > >
> > > Regards,
> > > rootlinux
> > >
> > >
> > >
> > >
> > >
> > > __________________________________
> > > Do you Yahoo!?
> > > SBC Yahoo! - Internet access at a great low price.
> > > http://promo.yahoo.com/sbc/
>
> -------------------------------------------------------
>
> > > This SF.Net email is sponsored by: SourceForge.net
> >
> > Broadband
> >
> > > Sign-up now for SourceForge Broadband and get the
> >
> > fastest
> >
> > > 6.0/768 connection for only $19.95/mo for the
> >
> > first 3 months!
>
> http://ads.osdn.com/?ad_id=2562&alloc_id=6184&op=click
>
> > > _______________________________________________
> > > Qmail-scanner-general mailing list
> > > [EMAIL PROTECTED]
>
> https://lists.sourceforge.net/lists/listinfo/qmail-scanner-general
>
> > --
> >
> > Chuck
> >
> > "...and the hordes of M$*ft users descended upon me
> > in their anger,
> > and asked 'Why do you not get the viruses or the
> > BlueScreensOfDeath
> > or insecure system troubles and slowness or pay
> > through the nose
> > for an OS as *we* do?!!', and I answered...'I use
> > Linux'. "
> > The Book of John, chapter 1, page 1, and end of book
>
> -------------------------------------------------------
>
> > This SF.Net email is sponsored by: SourceForge.net
> > Broadband
>
> === message truncated ===
>
>
>
>
>
> __________________________________
> Do you Yahoo!?
> SBC Yahoo! - Internet access at a great low price.
> http://promo.yahoo.com/sbc/
>
>
> -------------------------------------------------------
> This SF.Net email is sponsored by: SourceForge.net Broadband
> Sign-up now for SourceForge Broadband and get the fastest
> 6.0/768 connection for only $19.95/mo for the first 3 months!
> http://ads.osdn.com/?ad_id=2562&alloc_id=6184&op=click
> _______________________________________________
> Qmail-scanner-general mailing list
> [EMAIL PROTECTED]
> https://lists.sourceforge.net/lists/listinfo/qmail-scanner-general

-- 

Chuck

"...and the hordes of M$*ft users descended upon me in their anger,
and asked 'Why do you not get the viruses or the BlueScreensOfDeath
or insecure system troubles and slowness or pay through the nose 
for an OS as *we* do?!!', and I answered...'I use Linux'. "
The Book of John, chapter 1, page 1, and end of book




-------------------------------------------------------
This SF.Net email is sponsored by: SourceForge.net Broadband
Sign-up now for SourceForge Broadband and get the fastest
6.0/768 connection for only $19.95/mo for the first 3 months!
http://ads.osdn.com/?ad_id=2562&alloc_id=6184&op=click
_______________________________________________
Qmail-scanner-general mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/qmail-scanner-general

Re: [Qmail-scanner-general]lots of /usr/bin/suidperl /dev/fd/4//var/qmail/bin/qmail-scanner-queue.pl processes

Reply via email to