Topic: clamav "problem" e-mails

[Alex Schaft]

Hi,

I've just installed ClamAV 0.87, and am getting 3-4 e-mails a day of mail being saved to the problems directory, If I then go to the web interface and deliver them, it goes through fine.

The amavis conf is at the default of not stopping for mime errors

I'm now upgrading to clamav 0.87.1, to see if it makes a difference.

This happens on mails with large (1-2 MB) zip attachments.

What else could I check?

Alex

[tandum]

I guess your using an SME 6x product.

Look in /etc/amavis-ng/amavis.conf for the maxspace setting.

Enlarge it in the /etc/e-smith/templates and see if that helps.

[Alex Schaft]

I guess your using an SME 6x product.

Look in /etc/amavis-ng/amavis.conf for the maxspace setting.

Enlarge it in the /etc/e-smith/templates and see if that helps.

I'm on 6.01-01 yes. I've upped the maxspace to 100M from 60M.

Would be nice if the thing told you what the problem was.

[tandum]

Would be nice if the thing told you what the problem was.

nods ... I had a similar issue. It tooks me ages to figure out it was av disk space. Logs showed a clam error. I upped the space to  several gig. The problem was it put the zip in that space and then unzipped it there and then scanned it there.

Remeber you need to change the option in the templates and then expand them and then signal an event so it's re read.

[Alex Schaft]

Remeber you need to change the option in the templates and then expand them and then signal an event so it's re read.

I've signalled an email-update, although I'm not sure it's needed. Amavis doesn't seem to run as a service, so I'm guessing it reads its config everytime it gets launched for a message

[Alex Schaft]

I've not got maxspace = 4000M, and still getting messages saved to the problems directory.

Is there a way to see what caused the error in the unzipping?

I've made a mod to /usr/lib/perl5/site_perl/5.6.1/AMAVIS/Extract/Zip.pm

  if ($ziperr != AZ_OK) {
    writelog($args,LOG_ERR, __PACKAGE__.": Error reading zip file".$ziperr);
    return 0;
Alex

[Knuddi]

Have you tried to check the log file which is reported when an email to admin is sent to the problems folder?

What does it say as reason?

[Alex Schaft]

It never gave a reason. It only said Error reading zip file.

I had disabled all extractors except mail today. I'll reenable it, and then post what it says

[Alex Schaft]

Hi,

Below the log from a problem e-mail:

Nov 18 09:59:00 mail amavis[13973]: Unpacking message in /var/spool/amavis-ng/amavis-unpack-437d896f-3695
Nov 18 09:59:00 mail amavis[13973]: AMAVIS: Determined 00000000 to be type message/rfc822
Nov 18 09:59:00 mail amavis[13973]: Attempting to unpack 00000000 as MIME compliant message
Nov 18 09:59:00 mail amavis[13973]: AMAVIS: Determined 00000004 to be type application/x-zip
Nov 18 09:59:00 mail amavis[13973]: Attempting to unpack 00000004 as Zip file
Nov 18 09:59:00 mail amavis[13973]: AMAVIS::Extract::Zip: Error reading zip file
Nov 18 09:59:00 mail amavis[13973]: AMAVIS: Error while unpacking 00000004 as application/x-zip
Nov 18 09:59:00 mail amavis[13973]: AMAVIS: Giving up
Nov 18 09:59:00 mail amavis[13973]: AMAVIS: Error while unpacking message
Nov 18 09:59:00 mail amavis[13973]: AMAVIS::MTA::Qmail: Freezing message
Nov 18 09:59:00 mail amavis[13973]: Quarantining infected message to /var/spool/amavis-ng/problems/437d89c4-3695

The zip file is something called backup.001. I'll take a look at it.