Below are the logs for QS and SA for a test message I sent containing a PDF
file and some text. I will be posting the same information to the SA list.
Neither log says anything about pyzor or dcc. The softlimit for qmail-smtpd
is set to 5000000.
Any thoughts?

Cheers,
matthew

SPAMASSASSIN LOG
2003-09-05 16:01:24.630841500 logmsg: connection from localhost [127.0.0.1]
at port 43656
2003-09-05 16:01:24.645354500 logmsg: processing message
<[EMAIL PROTECTED]> for qscand:351.
2003-09-05 16:01:24.649457500 debug: bayes: 29889 tie-ing to DB file R/O
/opt/spamassassin/.spamassassin/bayes_toks
2003-09-05 16:01:24.650583500 debug: bayes: 29889 tie-ing to DB file R/O
/opt/spamassassin/.spamassassin/bayes_seen
2003-09-05 16:01:24.651115500 debug: debug: Only 1 spam(s) in Bayes DB < 200
2003-09-05 16:01:24.651174500 debug: bayes: 29889 untie-ing
2003-09-05 16:01:24.651203500 debug: bayes: 29889 untie-ing db_toks
2003-09-05 16:01:24.651455500 debug: bayes: 29889 untie-ing db_seen
2003-09-05 16:01:24.651856500 debug: running header regexp tests; score so
far=0
2003-09-05 16:01:24.663326500 debug: running body-text per-line regexp
tests; score so far=0
2003-09-05 16:01:24.679329500 debug: running raw-body-text per-line regexp
tests; score so far=0
2003-09-05 16:01:24.679949500 debug: running uri tests; score so far=0
2003-09-05 16:01:24.680139500 debug: uri tests: Done uriRE
2003-09-05 16:01:24.680868500 debug: running full-text regexp tests; score
so far=0
2003-09-05 16:01:24.682803500 debug: all '*From' addrs: [EMAIL PROTECTED]
2003-09-05 16:01:24.683607500 debug: all '*To' addrs:
[EMAIL PROTECTED]
2003-09-05 16:01:24.683961500 debug: forged_rcvd_trail: entry 0:
by=metissian.com from=(undef) mismatches=0
2003-09-05 16:01:24.684026500 debug: forged_rcvd_trail: entry 1: by=mac.com
from=mac.com mismatches=0
2003-09-05 16:01:24.686975500 debug: running meta tests; score so far=0
2003-09-05 16:01:24.687722500 debug: auto-learn? safety=4, ham=-2, spam=15,
body-hits=0, head-hits=0
2003-09-05 16:01:24.687749500 debug: auto-learn: currently using scoreset 0.
no need to recompute.
2003-09-05 16:01:24.687769500 debug: auto-learn? no: inside auto-learn
thresholds or safety zone around required_hits
2003-09-05 16:01:24.687857500 debug: is spam? score=0 required=5
tests=USER_AGENT_APPLEMAIL
2003-09-05 16:01:24.692358500 logmsg: clean message (0.0/5.0) for qscand:351
in 0.1 seconds, 137145 bytes.
2003-09-05 16:01:24.692653500 debug: bayes: 29889 untie-ing

QMAIL-SCANNER LOG
Fri, 05 Sep 2003 16:01:24 -0500:29880: +++ starting debugging for process
29880 by uid=89 at Fri, 05 Sep 2003 16:01:24 -0500
Fri, 05 Sep 2003 16:01:24 -0500:29880: setting UID to EUID so subprocesses
can access files generated by this script
Fri, 05 Sep 2003 16:01:24 -0500:29880: program name is
qmail-scanner-queue.pl, version 1.20rc3
Fri, 05 Sep 2003 16:01:24 -0500:29880: incoming SMTP connection from via
smtp from 17.250.248.89
Fri, 05 Sep 2003 16:01:24 -0500:29880: w_c: mkdir
/var/spool/qmailscan/morpheus106279568445629880
Fri, 05 Sep 2003 16:01:24 -0500:29880: w_c: start dumping incoming msg into
/var/spool/qmailscan/working/tmp/morpheus106279568445629880
[1062795684.26177]
Fri, 05 Sep 2003 16:01:24 -0500:29880: w_c: primary Content-Type of
multipart/mixed found
Fri, 05 Sep 2003 16:01:24 -0500:29880: w_c: found a top-level boundary
definition of Apple\-Mail\-6\-736610710
Fri, 05 Sep 2003 16:01:24 -0500:29880: w_c: attachment 1: Content-Type of
text/plain found
Fri, 05 Sep 2003 16:01:24 -0500:29880: found C-T attachment filename
clamdoc.pdf
Fri, 05 Sep 2003 16:01:24 -0500:29880: w_c: attachment 2: Content-Type of
application/pdf found
Fri, 05 Sep 2003 16:01:24 -0500:29880: w_c: rename new msg from
/var/spool/qmailscan/working/tmp/morpheus106279568445629880 to
/var/spool/qmailscan/working/new/morpheus106279568445629880
[1062795684.59236]
Fri, 05 Sep 2003 16:01:24 -0500:29880: d_m: starting
/usr/local/bin/reformime -x/var/spool/qmailscan/morpheus106279568445629880/
</var/spool/qmailscan/working/new/morpheus106279568445629880
[1062795684.59263]
Fri, 05 Sep 2003 16:01:24 -0500:29880: d_m: finished
/usr/local/bin/reformime -x/var/spool/qmailscan/morpheus106279568445629880/
[1062795684.6086]
Fri, 05 Sep 2003 16:01:24 -0500:29880: d_m: Checking all attachments to see
if they're MS-TNEF
Fri, 05 Sep 2003 16:01:24 -0500:29880: d_m: is
/var/spool/qmailscan/morpheus106279568445629880/clamdoc.pdf is a TNEF file?:
256 [1062795684.61052]
Fri, 05 Sep 2003 16:01:24 -0500:29880: d_m: is
/var/spool/qmailscan/morpheus106279568445629880/1062795684.29882-0.morpheus
is a TNEF file?: 256 [1062795684.61237]
Fri, 05 Sep 2003 16:01:24 -0500:29880: d_m: Manually unpack any zip files as
some virus scanners don't do zip under Unix!
Fri, 05 Sep 2003 16:01:24 -0500:29880: d_m: unpacking message took 0.02006
seconds
Fri, 05 Sep 2003 16:01:24 -0500:29880: unsetting QMAILQUEUE env var
Fri, 05 Sep 2003 16:01:24 -0500:29880: g_e_h: return-path is
"[EMAIL PROTECTED]", recips is "[EMAIL PROTECTED]"
Fri, 05 Sep 2003 16:01:24 -0500:29880: from="Matthew E. Porter"
<[EMAIL PROTECTED]>,subj=pyzor/dcc test 1,
x-qmail-scanner-message-id=<[EMAIL PROTECTED]>
via smtp from 17.250.248.89
Fri, 05 Sep 2003 16:01:24 -0500:29880: ini_sc: start scanning
Fri, 05 Sep 2003 16:01:24 -0500:29880: ini_sc: recursively scan the
directory /var/spool/qmailscan/morpheus106279568445629880/
Fri, 05 Sep 2003 16:01:24 -0500:29880: scanloop: starting scan of directory
"/var/spool/qmailscan/morpheus106279568445629880"...
Fri, 05 Sep 2003 16:01:24 -0500:29880: scanloop:
scanner=clamuko_scanner,plain_text_msg=0
Fri, 05 Sep 2003 16:01:24 -0500:29880: clamuko: starting scan of directory
"/var/spool/qmailscan/morpheus106279568445629880"...
Fri, 05 Sep 2003 16:01:24 -0500:29880: run /opt/clamav/bin/clamdscan -r
--disable-summary --max-recursion=10 --max-space=1000000
/var/spool/qmailscan/morpheus106279568445629880 2>&1
Fri, 05 Sep 2003 16:01:24 -0500:29880: --output of clamuko was:
/var/spool/qmailscan/morpheus106279568445629880: OK
--
Fri, 05 Sep 2003 16:01:24 -0500:29880: clamuko: finished scan of dir
"/var/spool/qmailscan/morpheus106279568445629880" in 0.010678 secs
Fri, 05 Sep 2003 16:01:24 -0500:29880: scanloop:
scanner=spamassassin,plain_text_msg=0
Fri, 05 Sep 2003 16:01:24 -0500:29880: SA: run /usr/bin/spamc -f <
/var/spool/qmailscan/working/new/morpheus106279568445629880
Fri, 05 Sep 2003 16:01:24 -0500:29880: SA: overwriting
/var/spool/qmailscan/working/new/morpheus106279568445629880 with
/var/spool/qmailscan/working/new/morpheus106279568445629880.spamc
Fri, 05 Sep 2003 16:01:24 -0500:29880: spamassassin: finished scan of dir
"/var/spool/qmailscan/morpheus106279568445629880" in 0.085642 secs
Fri, 05 Sep 2003 16:01:24 -0500:29880: scanloop: finished scan of
"/var/spool/qmailscan/morpheus106279568445629880"...
Fri, 05 Sep 2003 16:01:24 -0500:29880: p_s: starting scan of directory
"/var/spool/qmailscan/morpheus106279568445629880"...
Fri, 05 Sep 2003 16:01:24 -0500:29880: p_s: '81:ILOVEYOU' = 'Virus-subject'
= 'Love Letter Virus/Trojan'
Fri, 05 Sep 2003 16:01:24 -0500:29880: p_s: type is a header!
Fri, 05 Sep 2003 16:01:24 -0500:29880: p_s: checking for objects containing
subject: ILOVEYOU
Fri, 05 Sep 2003 16:01:24 -0500:29880: p_s: '82:message/partial.*' =
'Virus-content-type' = 'Message/partial MIME attachments blocked by policy'
Fri, 05 Sep 2003 16:01:24 -0500:29880: p_s: type is a header!
Fri, 05 Sep 2003 16:01:24 -0500:29880: p_s: checking for objects containing
content-type: message/partial.*
Fri, 05 Sep 2003 16:01:24 -0500:29880: p_s: '85:.{100,}' = 'Virus-date' =
'MIME Header Buffer Overflow'
Fri, 05 Sep 2003 16:01:24 -0500:29880: p_s: type is a header!
Fri, 05 Sep 2003 16:01:24 -0500:29880: p_s: checking for objects containing
date: .{100,}
Fri, 05 Sep 2003 16:01:24 -0500:29880: p_s: '86:.{100,}' =
'Virus-mime-version' = 'MIME Header Buffer Overflow '
Fri, 05 Sep 2003 16:01:24 -0500:29880: p_s: type is a header!
Fri, 05 Sep 2003 16:01:24 -0500:29880: p_s: checking for objects containing
mime-version: .{100,}
Fri, 05 Sep 2003 16:01:24 -0500:29880: p_s: '87:.{100,}' =
'Virus-resent-date' = 'MIME Header Buffer Overflow'
Fri, 05 Sep 2003 16:01:24 -0500:29880: p_s: type is a header!
Fri, 05 Sep 2003 16:01:24 -0500:29880: p_s: checking for objects containing
resent-date: .{100,}
Fri, 05 Sep 2003 16:01:24 -0500:29880: p_s:
'90:[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]
com|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]
e.com|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|JGQZC
[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|cxkawog@
krovatka.net|[EMAIL PROTECTED]' = 'Virus-to' = 'BadTrans Trojan exploit!'
Fri, 05 Sep 2003 16:01:24 -0500:29880: p_s: type is a header!
Fri, 05 Sep 2003 16:01:24 -0500:29880: p_s: checking for objects containing
to:
[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|
[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]
m|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]
cite.com|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]
atka.net|[EMAIL PROTECTED]
Fri, 05 Sep 2003 16:01:24 -0500:29880: p_s: 'eicar.com' = '69' = 'EICAR
Test Virus'
Fri, 05 Sep 2003 16:01:24 -0500:29880: p_s: type is a size!
Fri, 05 Sep 2003 16:01:24 -0500:29880: p_s: 'happy99.exe' = '10000' =
'Happy99 Trojan'
Fri, 05 Sep 2003 16:01:24 -0500:29880: p_s: type is a size!
Fri, 05 Sep 2003 16:01:24 -0500:29880: p_s: 'zipped_files.exe' = '120495' =
'W32/ExploreZip.worm.pak virus'
Fri, 05 Sep 2003 16:01:24 -0500:29880: p_s: type is a size!
Fri, 05 Sep 2003 16:01:24 -0500:29880: p_s: checking clamdoc.pdf against
perlscanner database...
Fri, 05 Sep 2003 16:01:24 -0500:29880: p_s: file clamdoc.pdf is lowercased
to clamdoc.pdf and has extension .pdf
Fri, 05 Sep 2003 16:01:24 -0500:29880: p_s: compare clamdoc.pdf against
perlscanner database
Fri, 05 Sep 2003 16:01:24 -0500:29880: p_s: skipping auto-generated file
1062795684.29882-0.morpheus
Fri, 05 Sep 2003 16:01:24 -0500:29880: p_s: checking clamdoc.pdf against
perlscanner database...
Fri, 05 Sep 2003 16:01:24 -0500:29880: p_s: file clamdoc.pdf is lowercased
to clamdoc.pdf and has extension .pdf
Fri, 05 Sep 2003 16:01:24 -0500:29880: p_s: compare clamdoc.pdf against
perlscanner database
Fri, 05 Sep 2003 16:01:24 -0500:29880: p_s: finished scan of dir
"/var/spool/qmailscan/morpheus106279568445629880" in 0.002922 secs
Fri, 05 Sep 2003 16:01:24 -0500:29880: ini_sc: scanning message took
0.099788 seconds
Fri, 05 Sep 2003 16:01:24 -0500:29880: q_r: fork off child into
/var/qmail/bin/qmail-queue...
Fri, 05 Sep 2003 16:01:24 -0500:29890: q_r: xstatus=0
Fri, 05 Sep 2003 16:01:24 -0500:29880: cleanup: /bin/rm -rf
/var/spool/qmailscan/morpheus106279568445629880/
/var/spool/qmailscan/working/new/morpheus106279568445629880
05/09/2003 16:01:24:29880: all finished. Total of 0.563409 secs
> From: "Steve Fulton" <[EMAIL PROTECTED]>
> Date: Fri, 5 Sep 2003 14:55:50 -0400 (EDT)
> To: [EMAIL PROTECTED]
> Subject: Re: [Qmail-scanner-general]QS + SpamAssassin with DCC & Pyzor
>
>> Anybody have any guesses, theories, and/or ideas? Thanks in advance!
>
> First I must ask what the logs say? Turn on debugging in Q-S and SA
> (you'll have to run the daemon in the foreground though, and cut and paste
> the content). Fire a few test messages through. Look at what it says for
> DCC and Pyzor. If you still can't figure it out, ask the Q-S list AND the
> SA list, since it may be related to one or the other (though I'm betting
> it's a SA issue). One guess may be memory -- what do you have softlimit
> set to?
>
> -- Steve
>
>
> -------------------------------------------------------
> This sf.net email is sponsored by:ThinkGeek
> Welcome to geek heaven.
> http://thinkgeek.com/sf
> _______________________________________________
> Qmail-scanner-general mailing list
> [EMAIL PROTECTED]
> https://lists.sourceforge.net/lists/listinfo/qmail-scanner-general
>