Jeff I have been seeing this also. Running in debug mode showed this (I apologize for the poor pasting job):
LibClamAV Warning: URL http://ar.atwola.com/link/93227468/358490229/aoladp?targe t=_blank&border=0 will not be scanned (FOLLOWURLS limit 5 was reached) LibClamAV Warning: URL http://ar.atwola.com/link/93227468/1535965831/aoladp?targ et=_blank&border=0 will not be scanned (FOLLOWURLS limit 5 was reached) LibClamAV Warning: URL http://ar.atwola.com/link/93227468/549135835/aoladp?targe t=_blank&border=0 will not be scanned (FOLLOWURLS limit 5 was reached) LibClamAV Warning: URL http://ar.atwola.com/link/93227468/358100775/aoladp?targe t=_blank&border=0 will not be scanned (FOLLOWURLS limit 5 was reached) LibClamAV Warning: URL http://ar.atwola.com/link/93227468/1208146879/aoladp?targ et=_blank&border=0 will not be scanned (FOLLOWURLS limit 5 was reached) LibClamAV Warning: URL http://ar.atwola.com/link/93227468/-2146799554/aoladp?tar get=_blank&border=0 will not be scanned (FOLLOWURLS limit 5 was reached) LibClamAV Warning: URL http://ar.atwola.com/link/93227468/1380155871/aoladp?targ et=_blank&border=0 will not be scanned (FOLLOWURLS limit 5 was reached) LibClamAV Warning: URL http://ar.atwola.com/link/93227468/1754485370/aoladp?targ et=_blank&border=0 will not be scanned (FOLLOWURLS limit 5 was reached) LibClamAV Warning: URL http://ar.atwola.com/link/93227468/1109276555/aoladp?targ et=_blank&border=0 will not be scanned (FOLLOWURLS limit 5 was reached) LibClamAV Warning: URL http://ar.atwola.com/link/93227468/31720177/aoladp?target =_blank&border=0 will not be scanned (FOLLOWURLS limit 5 was reached) LibClamAV Warning: URL http://ar.atwola.com/link/93227468/882929591/aoladp?targe t=_blank&border=0 will not be scanned (FOLLOWURLS limit 5 was reached) LibClamAV Warning: URL http://ar.atwola.com/link/93227468/406806840/aoladp?targe t=_blank&border=0 will not be scanned (FOLLOWURLS limit 5 was reached) LibClamAV Warning: URL http://ar.atwola.com/link/93227468/973045234/aoladp?targe t=_blank&border=0 will not be scanned (FOLLOWURLS limit 5 was reached) LibClamAV Warning: URL http://ar.atwola.com/link/93227468/1394750689/aoladp?targ et=_blank&border=0 will not be scanned (FOLLOWURLS limit 5 was reached) LibClamAV Warning: URL http://ar.atwola.com/link/93227468/1652469958/aoladp?targ et=_blank&border=0 will not be scanned (FOLLOWURLS limit 5 was reached) LibClamAV Warning: URL http://ar.atwola.com/link/93227468/853712414/aoladp?targe t=_blank&border=0 will not be scanned (FOLLOWURLS limit 5 was reached) LibClamAV Warning: URL http://ar.atwola.com/link/93227468/1437552535/aoladp?targ et=_blank&border=0 will not be scanned (FOLLOWURLS limit 5 was reached) LibClamAV Warning: URL http://ar.atwola.com/link/93227468/1109238927/aoladp?targ et=_blank&border=0 will not be scanned (FOLLOWURLS limit 5 was reached) LibClamAV Warning: URL http://ar.atwola.com/link/93227468/1239947862/aoladp?targ et=_blank&border=0 will not be scanned (FOLLOWURLS limit 5 was reached) LibClamAV Warning: URL http://ar.atwola.com/link/93227468/3453579/aoladp?target= _blank&border=0 will not be scanned (FOLLOWURLS limit 5 was reached) It repeated continuously until clamd was stopped. Right now I have added an exception to prevent clam from scanning links with ar.atwola.com in it until I figure out what is going on and that seems to have stopped the problem (although I have only had it running well for about 2 hours now). I know this isn't much help but at least you know it isn;t only you. -Rich -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jeff Sent: Tuesday, October 23, 2007 3:55 PM To: [email protected] Subject: [clamav-win32] Fw: Long bursts of inbound traffic from clamd Correction...... this has been happening since Friday, not Wednesday. ----- Original Message ----- From: "Jeff" <[EMAIL PROTECTED]> To: <[email protected]> Sent: Tuesday, October 23, 2007 3:25 PM Subject: [clamav-win32] Long bursts of inbound traffic from clamd > Since last Wednesday our mail server has seen frequent long bursts (upwards of > 30-60 minutes each) of inbound traffic of 1-2 Mbps. Since this is a mail > server (running Windows Server 2003) I first thought the mail server was under > a DOS or spam attack. Not so. > > Shutting off all services, one by one through process of elimination, revealed > the culprit-- spamd.exe which runs as a service. Every time one of these > periods of sustained traffic occurs, we can immediately halt it by stopping > the clamd service. > > This is possibly UDP traffic, because "netstat -n" does not show any > established connections. > > We upgraded to the latest Clam version a few weeks ago, but this particular > problem has only been happening since last Wednesday. I've completely > un-installed ClamAV 0.91.2 and re-installed, but that has not helped. > > Anyone else seeing this, or have any clues what might be happening? > > > _______________________________________________ > http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-win32 _______________________________________________ http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-win32 _______________________________________________ http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-win32
