Koozali.org: home of the SME Server

Is ClamAV/Freshclam the culprit?

misnerspace
« on: April 17, 2007, 07:32:17 AM »
Over the past 2 weeks I've been having some very strange problems with email and internet access via Dan's Guardian.

Last week I looked through the qsmtpd log files and found the following, which explained why qsmtpd was unresponsive and users could not send out mail:
~~~~~~~~~~
@40000000462427c236ce8e44 4082 Too many connections: 40 >= 40.  Waiting one second.
@40000000462427c337044444 4082 Too many connections: 40 >= 40.  Waiting one second.
@40000000462427c4373ae88c 4082 Too many connections: 40 >= 40.  Waiting one second.
etc, etc
~~~~~~~~~~~~~~~~~~~~~

Dan's Guardian also started to deny users access to the internet. This is a snip from the Dan's Guardian log file from last week:
~~~~~~~~~~~~~~~~
http://rs.update.microsoft.com/odf/v6odf.xml?0704022318 *INFECTED* *DENIED*
> Error connecting to ClamD socket GET 1394 0 Content scanning 1 403 -  
> 2007.4.3 8:21:23 - 192.168.1.112
> http://download.microsoft.com/v6/windowsupdate/redir/wuredir.cab?0704022339
> *INFECTED* *DENIED* Error connecting to ClamD socket GET 1454 0 Content
> scanning 1 403 -  
> 2007.4.3 8:21:23 - 192.168.1.183
> http://download.microsoft.com/v6/windowsupdate/redir/wuredir.cab?0704022331
> *INFECTED* *DENIED* Error connecting to ClamD socket GET 1454 0 Content
> scanning 1 403 -  
> 2007.4.3 8:21:23 - 192.168.1.112
> http://download27.avast.com/iavs4x/servers.def.stamp *INFECTED* *DENIED*
~~~~~~~~~~~~~~~~~~

Today, after about 5 days of peace, it started happening again; the problems seemed to have started at 08:30 Tokyo time. I received this email from anonymous:
~~~~~~~~
2007-04-17 08:30:17.882007500 ClamAV update process started at Tue Apr 17 08:30:17 2007
2007-04-17 08:30:18.113659500 WARNING: Your ClamAV installation is OUTDATED!
2007-04-17 08:30:18.113664500 WARNING: Local version: 0.90.1 Recommended version: 0.90.2
2007-04-17 08:30:18.113667500 DON'T PANIC! Read http://www.clamav.net/support/faq
2007-04-17 08:30:18.113670500 main.inc is up to date (version: 43, sigs: 104500, f-level: 14, builder: sven)
2007-04-17 08:30:19.486454500 daily.inc updated (version: 3104, sigs: 5668, f-level: 15, builder: ccordes)
2007-04-17 08:30:19.486467500 WARNING: Your ClamAV installation is OUTDATED!
2007-04-17 08:30:19.486471500 WARNING: Current functionality level = 14, recommended = 15
2007-04-17 08:30:19.486474500 DON'T PANIC! Read http://www.clamav.net/support/faq
2007-04-17 08:30:19.486519500 Database updated (110168 signatures) from db.local.clamav.net (IP: 203.178.137.175)
2007-04-17 08:30:19.486788500 Clamd successfully notified about the update.
2007-04-17 09:30:19.239702500 Received signal: wake up
2007-04-17 09:31:24.255754500 ERROR: Can't lock database directory: /var/clamav
~~~~~~~~~~~~~~~~~


Here's a snip from the freshclam log file

~~~~~~~~~~~~~~~
@400000004623eaf30fe1d19c WARNING: Your ClamAV installation is OUTDATED!
@400000004623eaf30fe1dd54 WARNING: Local version: 0.90.1 Recommended version: 0.90.2
@400000004623eaf30fe1ecf4 DON'T PANIC! Read http://www.clamav.net/support/faq
@400000004623eaf30fe1f8ac main.inc is up to date (version: 43, sigs: 104500, f-level: 14, builder: sven)
@400000004623eaf40bf19054 Downloading daily-3103.cdiff [100%]
Downloading daily-3103.cdiff [100%]
@400000004623eaf40bf19ff4 daily.inc updated (version: 3103, sigs: 5121, f-level: 15, builder: sven)
@400000004623eaf40bf1af94 WARNING: Your ClamAV installation is OUTDATED!
@400000004623eaf40bf1bb4c WARNING: Current functionality level = 14, recommended = 15
@400000004623eaf40bf1caec DON'T PANIC! Read http://www.clamav.net/support/faq
@400000004623eaf40bf1d6a4 Database updated (109621 signatures) from db.local.clamav.net (IP: 203.178.137.175)
@400000004623eaf40c011ccc Clamd successfully notified about the update.
@400000004623f90338e9d10c Received signal: wake up
@400000004623f90338e9e0ac ClamAV update process started at Tue Apr 17 07:30:17 2007
@400000004623f90407c43284 WARNING: Your ClamAV installation is OUTDATED!
@400000004623f90407c44224 WARNING: Local version: 0.90.1 Recommended version: 0.90.2
@400000004623f90407c451c4 DON'T PANIC! Read http://www.clamav.net/support/faq
@400000004623f90407c45d7c main.inc is up to date (version: 43, sigs: 104500, f-level: 14, builder: sven)
@400000004623f90407c46934 daily.inc is up to date (version: 3103, sigs: 5121, f-level: 15, builder: sven)
@400000004624071334924e2c Received signal: wake up
@400000004624071334925dcc ClamAV update process started at Tue Apr 17 08:30:17 2007
@400000004624071406c64e6c WARNING: Your ClamAV installation is OUTDATED!
@400000004624071406c661f4 WARNING: Local version: 0.90.1 Recommended version: 0.90.2
@400000004624071406c66dac DON'T PANIC! Read http://www.clamav.net/support/faq
@400000004624071406c67964 main.inc is up to date (version: 43, sigs: 104500, f-level: 14, builder: sven)
@40000000462407151827e044 Downloading daily-3104.cdiff [  7%]
Downloading daily-3104.cdiff [ 17%]
Downloading daily-3104.cdiff [ 26%]
Downloading daily-3104.cdiff [ 36%]
Downloading daily-3104.cdiff [ 45%]
Downloading daily-3104.cdiff [ 55%]
Downloading daily-3104.cdiff [ 64%]
Downloading daily-3104.cdiff [ 73%]
Downloading daily-3104.cdiff [ 83%]
Downloading daily-3104.cdiff [ 92%]
Downloading daily-3104.cdiff [100%]
Downloading daily-3104.cdiff [100%]
@40000000462407151cfeb4e4 daily.inc updated (version: 3104, sigs: 5668, f-level: 15, builder: ccordes)
@40000000462407151cfee7ac WARNING: Your ClamAV installation is OUTDATED!
@40000000462407151cfef74c WARNING: Current functionality level = 14, recommended = 15
@40000000462407151cff0304 DON'T PANIC! Read http://www.clamav.net/support/faq
@40000000462407151cffb2cc Database updated (110168 signatures) from db.local.clamav.net (IP: 203.178.137.175)
@40000000462407151d03cd94 Clamd successfully notified about the update.
@40000000462415250e4991e4 Received signal: wake up
@40000000462415660f3e8104 ERROR: Can't lock database directory: /var/clamav
@400000004624237600948d4c Received signal: wake up
@40000000462423b701dcc8a4 ERROR: Can't lock database directory: /var/clamav
@4000000046242eee1edc65f4 ClamAV update process started at Tue Apr 17 11:20:20 2007
@4000000046242f021ef13de4 WARNING: Can't query current.cvd.clamav.net
@4000000046242f021ef14d84 WARNING: Invalid DNS reply. Falling back to HTTP mode.
@4000000046242f022066d684 Reading CVD header (main.cvd): ERROR: Can't get information about db.local.clamav.net: Temporary DNS error
@4000000046242f16208b46a4 main.inc is up to date (version: 43, sigs: 104500, f-level: 14, builder: sven)
@4000000046242f16215d9a64 Reading CVD header (daily.cvd): ERROR: Can't get information about db.local.clamav.net: Temporary DNS error
@4000000046242f2a218002fc daily.inc is up to date (version: 3104, sigs: 5668, f-level: 15, builder: ccordes)
~~~~~~~~~~~~~~~~~~~~~~~

Around about the same time in the message log file I found this

~~~~~~~~~~~~~~~~~~~~~~~~~~

Apr 17 08:31:24 server7 dansguardian: Exception whilst reading ClamD socket: select() on input: timeout
Apr 17 08:31:24 server7 dansguardian: scanFile/Memory returned error: -1
Apr 17 08:31:54 server7 dhcpd: DHCPINFORM from 192.168.1.102 via eth0
Apr 17 08:31:54 server7 dhcpd: DHCPACK to 192.168.1.102
Apr 17 08:31:57 server7 dhcpd: DHCPINFORM from 192.168.1.102 via eth0
Apr 17 08:31:57 server7 dhcpd: DHCPACK to 192.168.1.102
Apr 17 08:31:58 server7 dansguardian: Exception whilst reading ClamD socket: select() on input: timeout
Apr 17 08:31:58 server7 dansguardian: scanFile/Memory returned error: -1
Apr 17 08:32:03 server7 dansguardian: Exception whilst reading ClamD socket: select() on input: timeout
Apr 17 08:32:03 server7 dansguardian: scanFile/Memory returned error: -1
Apr 17 08:32:05 server7 last message repeated 9 times
Apr 17 08:32:06 server7 dhcpd: DHCPDISCOVER from 00:17:31:2e:83:2f via eth0
Apr 17 08:32:07 server7 dhcpd: DHCPOFFER on 192.168.1.167 to 00:17:31:2e:83:2f (desouzac-ele2) via eth0
Apr 17 08:32:07 server7 dhcpd: DHCPREQUEST for 192.168.1.167 (192.168.1.1) from 00:17:31:2e:83:2f (desouzac-ele2) via eth0
Apr 17 08:32:07 server7 dhcpd: DHCPACK on 192.168.1.167 to 00:17:31:2e:83:2f (desouzac-ele2) via eth0
Apr 17 08:32:08 server7 dansguardian: Exception whilst reading ClamD socket: select() on input: timeout
Apr 17 08:32:08 server7 dansguardian: scanFile/Memory returned error: -1
Apr 17 08:32:15 server7 dansguardian: Exception whilst reading ClamD socket: select() on input: timeout
Apr 17 08:32:15 server7 dansguardian: scanFile/Memory returned error: -1
Apr 17 08:33:03 server7 dhcpd: DHCPINFORM from 192.168.1.167 via eth0
~~~~~~~~~~~~~~~~~~~~



I rebooted at about 11:00 and everything seemed to work fine for a while, then the number of instances of SMTP connections started to build up until it maxed out at 40 about an hour and a half later.

I tried starting and stopping qsmtpd but it didn't work; the connections just started building up again. Is there anything I'm doing wrong (my server is up to date)?

I've just rebooted (again) in the hope that it will be ok this time......

I know this may be a potential bug (http://bugs.contribs.org/show_bug.cgi?id=2743) but I was wondering if there is anything I can do to keep everyone happy in terms of getting email.
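
The timeline comparison the post does by eye, as an added example (not code from the thread or from SME Server): it decodes multilog's TAI64N stamps, merges them with syslog lines and measures the gap from freshclam's clamd notification to the first symptom. The event names, the UTC+9 server clock (the post says Tokyo time) and the syslog year are assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

TAI64_EPOCH = 2 ** 62      # TAI64 label value for the start of 1970
TAI_SKEW = 10              # fixed offset daemontools' tai64n/tai64nlocal use
LOCAL_TZ = timezone(timedelta(hours=9))   # assumption: server clock is Tokyo time
SYSLOG_YEAR = 2007         # assumption: syslog lines carry no year

# Lines copied from the logs in the post above (a few per file, not full logs).
FRESHCLAM = """\
@40000000462407151d03cd94 Clamd successfully notified about the update.
@40000000462415660f3e8104 ERROR: Can't lock database directory: /var/clamav
"""
MESSAGES = """\
Apr 17 08:31:24 server7 dansguardian: Exception whilst reading ClamD socket: select() on input: timeout
Apr 17 08:31:54 server7 dhcpd: DHCPINFORM from 192.168.1.102 via eth0
"""
QPSMTPD = """\
@40000000462427c236ce8e44 4082 Too many connections: 40 >= 40.  Waiting one second.
"""

# Event names are labels chosen for this example.
PATTERNS = [
    ("reload", re.compile(r"Clamd successfully notified")),
    ("lock_fail", re.compile(r"Can't lock database directory")),
    ("scan_fail", re.compile(r"ClamD socket")),
    ("smtp_full", re.compile(r"Too many connections")),
]
SYSLOG_RE = re.compile(r"([A-Z][a-z]{2}) +(\d+) (\d\d:\d\d:\d\d) \S+ (.*)")


def decode_tai64n(label):
    """Convert a multilog '@' + 24 hex digit label to an aware UTC datetime."""
    m = re.fullmatch(r"@([0-9a-f]{16})([0-9a-f]{8})", label)
    if not m:
        raise ValueError("not a TAI64N label: %r" % label)
    secs = int(m.group(1), 16) - TAI64_EPOCH - TAI_SKEW
    micros = int(m.group(2), 16) // 1000
    return datetime.fromtimestamp(secs, timezone.utc) + timedelta(microseconds=micros)


def parse_line(line):
    """Return (utc_time, message), or None for lines without a usable stamp."""
    if line.startswith("@"):
        label, _, msg = line.partition(" ")
        try:
            return decode_tai64n(label), msg
        except ValueError:
            return None
    m = SYSLOG_RE.match(line)
    if not m:
        return None   # e.g. freshclam "Downloading ..." progress lines
    local = datetime.strptime("%d %s %s %s" % (SYSLOG_YEAR, m[1], m[2], m[3]),
                              "%Y %b %d %H:%M:%S").replace(tzinfo=LOCAL_TZ)
    return local.astimezone(timezone.utc), m[4]


def timeline(*logs):
    """Merge logs into one time-ordered list of (utc_time, event, message)."""
    events = []
    for log in logs:
        for parsed in filter(None, map(parse_line, log.splitlines())):
            kind = next((k for k, p in PATTERNS if p.search(parsed[1])), None)
            if kind:
                events.append((parsed[0], kind, parsed[1]))
    return sorted(events)


def delay_after_reload(events):
    """For each clamd reload, the first later symptom and the gap in seconds."""
    out = []
    for i, (t0, kind, _) in enumerate(events):
        if kind == "reload":
            nxt = next(((t, k) for t, k, _ in events[i + 1:] if k != "reload"), None)
            if nxt:
                out.append((nxt[1], (nxt[0] - t0).total_seconds()))
    return out


if __name__ == "__main__":
    for ts, kind, msg in timeline(FRESHCLAM, MESSAGES, QPSMTPD):
        print(ts.astimezone(LOCAL_TZ).strftime("%Y-%m-%d %H:%M:%S"), kind, msg)
    print(delay_after_reload(timeline(FRESHCLAM, MESSAGES, QPSMTPD)))
```

On the post's own lines, the first ClamD socket timeout falls about 65 seconds after freshclam notified clamd of the update.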

Virtus

« Reply #1 on: April 17, 2007, 12:51:54 PM »
I have the exact problem.

kevinb
« Reply #2 on: April 18, 2007, 08:00:31 PM »
We just got it last night also!

misnerspace
« Reply #3 on: April 19, 2007, 02:33:47 AM »
It happened again to me at about 18:30 yesterday (April 18th Tokyo time).

~Freshclam snip
~~~~~~~~~~~~~~~~
007-04-18 18:34:42.383433500 ClamAV update process started at Wed Apr 18 18:34:42 2007
2007-04-18 18:34:42.524523500 WARNING: Your ClamAV installation is OUTDATED!
2007-04-18 18:34:42.524535500 WARNING: Local version: 0.90.1 Recommended version: 0.90.2
2007-04-18 18:34:42.524539500 DON'T PANIC! Read http://www.clamav.net/support/faq
2007-04-18 18:34:42.524613500 main.inc is up to date (version: 43, sigs: 104500, f-level: 14, builder: sven)

~Dans'Guardian
~~~~~~~~~~~~~~~~~~
2007.4.18 18:36:08 - 192.168.1.178 http://rs.update.microsoft.com/odf/v6odf.xml?0704180942 *INFECTED* *DENIED* Exception whist reading ClamD socket: select() on input: timeout GET 1394 0 Content scanning 1 403 -  
2007.4.18 18:37:08 - 192.168.1.178 http://rs.update.microsoft.com/odf/v6odf.xml?0704180942 *INFECTED* *DENIED* Exception whist reading ClamD socket: select() on input: timeout GET 1394 0 Content scanning 1 403 -  
2007.4.18 18:38:08 - 192.168.1.178 http://rs.update.microsoft.com/odf/v6odf.xml?0704180942 *INFECTED* *DENIED* Exception whist reading ClamD socket: select() on input: timeout GET 1394 0 Content scanning 1 403 -  


~qsmtpd
~~~~~~~~~~~~~~~~~~~~
2007-04-18 19:46:29.052915500 347 Plugin tnef2mime, hook data_post returned DECLINED,
2007-04-18 19:46:29.052920500 347 running plugin (data_post): spamassassin
2007-04-18 19:46:29.052924500 347 spamassassin plugin: check_spam
2007-04-18 19:46:29.052927500 347 spamassassin plugin: check_spam: connected to spamd
2007-04-18 19:46:29.052930500 347 spamassassin plugin: check_spam: finished sending to spamd
2007-04-18 19:46:29.593824500 3755 Too many connections: 40 >= 40.  Waiting one second.
2007-04-18 19:46:30.601020500 3755 Too many connections: 40 >= 40.  Waiting one second.
2007-04-18 19:46:31.603514500 3755 Too many connections: 40 >= 40.  Waiting one second.
2007-04-18 19:46:32.606188500 3755 Too many connections: 40 >= 40.  Waiting one second.
2007-04-18 19:46:33.608055500 3755 Too many connections: 40 >= 40.  Waiting one second.
2007-04-18 19:46:34.609847500 3755 Too many connections: 40 >= 40.  Waiting one second.
2007-04-18 19:46:35.611958500 3755 Too many connections: 40 >= 40.  Waiting one second.
2007-04-18 19:46:36.613453500 3755 Too many connections: 40 >= 40.  Waiting one second.
2007-04-18 19:46:37.615058500 3755 Too many connections: 40 >= 40.  Waiting one second.
2007-04-18 19:46:38.255176500 347 spamassassin plugin: check_spam: spamd: SPAMD/1.1 0 EX_OK
2007-04-18 19:46:38.255180500
2007-04-18 19:46:38.255506500 347 trying to get config for me
2007-04-18 19:46:38.255815500 347 spamassassin plugin: check_spam: spamd: Content-length: 130
2007-04-18 19:46:38.255818500
2007-04-18 19:46:38.255948500 347 spamassassin plugin: check_spam: spamd: Spam: True ; 10.1 / 3.0
2007-04-18 19:46:38.255952500
2007-04-18 19:46:38.256085500 347 spamassassin plugin: check_spam: spamd:
2007-04-18 19:46:38.256088500
2007-04-18 19:46:38.256224500 347 spamassassin plugin: check_spam: finished reading from spamd
2007-04-18 19:46:38.256652500 347 spamassassin plugin: check_spam: Yes, hits=10.1, required=3.0, tests=FORWARD_LOOKING,RAZOR2_CF_RANGE_51_100,RAZOR2_CF_RANGE_E4_51_100,RAZOR2_CHECK,RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_NJABL_DUL,RCVD_IN_XBL
2007-04-18 19:46:38.256823500 347 Plugin spamassassin, hook data_post returned DECLINED,
2007-04-18 19:46:38.256937500 347 running plugin (data_post): virus::clamav
2007-04-18 19:46:38.257150500 347 virus::clamav plugin: Changing permissions on file to permit scanner access
2007-04-18 19:46:38.257286500 347 virus::clamav plugin: Running: /usr/bin/clamdscan --stdout  --disable-summary /var/spool/qpsmtpd/1176893188:347:0 2>&1
2007-04-18 19:46:38.616952500 3755 Too many connections: 40 >= 40.  Waiting one second.
2007-04-18 19:46:39.618638500 3755 Too many connections: 40 >= 40.  Waiting one second.
2007-04-18 19:46:40.620441500 3755 Too many connections: 40 >= 40.  Waiting one second.

This is actually becoming quite a problem (I've also got my boss on my back, it doesn't help that he's from the M*******t camp)

I could disable virus scanning in Dan's Guardian and email, but I'm a little apprehensive about doing this as I'm very paranoid about security.

Are your log files looking similar?

Has anyone got any workarounds for this apart from effectively disabling ClamAV/Freshclam?

Could I disable Freshclam, as I think this is the component causing the problems? It will mean that my virus database will be out of date, but it would be better to have some virus protection rather than none at all.

Maybe I could attempt to update it manually, say once a day.

Any ideas would be welcome

thanks

misnerspace
« Reply #4 on: April 19, 2007, 02:54:22 AM »
Looks like the experts are on the case which is fantastic news!!

Fingers crossed that there is a fix soon.


http://bugs.contribs.org/show_bug.cgi?id=2743

kevinb
« Reply #5 on: April 19, 2007, 03:25:45 AM »
Here are our logs:

freshclam log:

--------------------------------------
Current working dir is /var/clamav
Max retries == 6
ClamAV update process started at Tue Apr 17 04:07:43 2007
Querying current.cvd.clamav.net
TTL: 294
Software version from DNS: 0.90.2
WARNING: Your ClamAV installation is OUTDATED!
WARNING: Local version: 0.90.1 Recommended version: 0.90.2
DON'T PANIC! Read http://www.clamav.net/support/faq
main.cvd version from DNS: 43
main.inc is up to date (version: 43, sigs: 104500, f-level: 14, builder: sven)
daily.cvd version from DNS: 3109
daily.inc is up to date (version: 3109, sigs: 5701, f-level: 15, builder: ccordes)
--------------------------------------
Current working dir is /var/clamav
Max retries == 6
Waiting to lock database directory: /var/clamav
Waiting to lock database directory: /var/clamav
Waiting to lock database directory: /var/clamav
Waiting to lock database directory: /var/clamav
Waiting to lock database directory: /var/clamav
Waiting to lock database directory: /var/clamav
Waiting to lock database directory: /var/clamav
Waiting to lock database directory: /var/clamav
Waiting to lock database directory: /var/clamav
Waiting to lock database directory: /var/clamav
Waiting to lock database directory: /var/clamav
Waiting to lock database directory: /var/clamav
Waiting to lock database directory: /var/clamav
ERROR: Can't lock database directory: /var/clamav



dansguardian log:

2007.4.18 4:30:40 - 192.168.11.225 http://www.google.com/ *INFECTED* *DENIED* Exception whist reading ClamD socket: select() on input: timeout GET 3877 0 Content scanning 1 403 text/html  defaultgroup
2007.4.18 4:40:40 - 192.168.11.225 http://www.google.com/ *INFECTED* *DENIED* Exception whist reading ClamD socket: select() on input: timeout GET 3877 0 Content scanning 1 403 text/html  defaultgroup

Note: over 4 hours of no log entries here. Processor history shows it was maxed out. Was there a system virus scan going on?

2007.4.18 8:38:57 - 192.168.11.13 http://database.clamav.net/main.cvd  GET 0 0  1 304 -  defaultgroup
2007.4.18 9:14:47 - 192.168.11.227 http://www.searchex.com/?hp *DENIED* Banned site: searchex.com GET 0 0  1 403 text/html  defaultgroup


2007.4.18 10:29:11 - 192.168.11.10 http://guru.grisoft.com/softw/70free/update/avginfo.ctf *INFECTED* *DENIED* Error connecting to ClamD socket GET 5983 0 Content scanning 1 403 text/plain  defaultgroup
2007.4.18 10:29:11 - 192.168.11.2 http://tcontent.quickbooks.com/PingCompanyRq *INFECTED* *DENIED* Error connecting to ClamD socket POST 463 0 Content scanning 1 403 text/plain  defaultgroup
2007.4.18 10:29:11 - 192.168.11.10 http://database.clamav.net/daily.cvd *INFECTED* *DENIED* Error connecting to ClamD socket GET 512 0 Content scanning 1 403 text/plain  defaultgroup
2007.4.18 10:29:11 - 192.168.11.226 http://ds.dellfix.com/agent/maintenance/status.txt *INFECTED* *DENIED* Error connecting to ClamD socket GET 14 0 Content scanning 1 403 text/plain  defaultgroup
2007.4.18 10:29:11 - 192.168.11.19 http://database.clamav.net/main.cvd *INFECTED* *DENIED* Error connecting to ClamD socket GET 512 0 Content scanning 1 403 text/plain  defaultgroup
2007.4.18 10:29:11 - 192.168.11.16 http://clamwin.sourceforge.net/clamwin.ver *INFECTED* *DENIED* Error connecting to ClamD socket GET 238 0 Content scanning 1 403 text/plain  defaultgroup
2007.4.18 10:29:11 - 192.168.11.18 http://clamwin.sourceforge.net/clamwin.ver *INFECTED* *DENIED* Error connecting to ClamD socket GET 238 0 Content scanning 1 403 text/plain  defaultgroup
2007.4.18 10:29:11 - 192.168.11.225 http://www.google.com/ *INFECTED* *DENIED* Error connecting to ClamD socket GET 3877 0 Content scanning 1 403 text/html  defaultgroup
2007.4.18 10:29:11 - 192.168.11.226 http://ds.dellfix.com/agent/maintenance/status.txt *INFECTED* *DENIED* Error connecting to ClamD socket GET 14 0 Content scanning 1 403 text/plain  defaultgroup
2007.4.18 10:29:12 - 192.168.11.2 http://update.adobe.com/pub/adobe/acrobat/js/7x/rdr/win/enu/DataScript.js *INFECTED* *DENIED* Error connecting to ClamD socket GET 37173 0 Content scanning 1 403 application/x-javascript  defaultgroup
2007.4.18 10:34:01 - 192.168.11.2 http://www.isaz.org/ *SCANNED*  GET 9548 -20  1 200 text/html  defaultgroup



qsmtpd log:

2007-04-18 05:31:27.916891500 487 250 isaz.org Hi Unknown [121.227.118.75]; I am so happy to meet you.
2007-04-18 05:31:28.081245500 4194 Too many connections: 40 >= 40.  Waiting one second.
2007-04-18 05:31:28.208324500 487 dispatching MAIL From:<deconometrica@foundationalhealth.com>
2007-04-18 05:31:28.213313500 487 full from_parameter: From:<deconometrica@foundationalhealth.com>
2007-04-18 05:31:28.213324500 487 from email address : [<deconometrica@foundationalhealth.com>]
2007-04-18 05:31:28.213328500 487 running plugin (mail): require_resolvable_fromhost
2007-04-18 05:31:28.213658500 487 trying to get config for invalid_resolvable_fromhost
2007-04-18 05:31:28.218581500 487 trying to get config for require_resolvable_fromhost
2007-04-18 05:31:28.220485500 487 Plugin require_resolvable_fromhost, hook mail returned DECLINED,
2007-04-18 05:31:28.221348500 487 running plugin (mail): check_badmailfrom
2007-04-18 05:31:28.222434500 487 trying to get config for badmailfrom
2007-04-18 05:31:28.224432500 487 Plugin check_badmailfrom, hook mail returned DECLINED,
2007-04-18 05:31:28.225541500 487 getting mail from <deconometrica@foundationalhealth.com>
2007-04-18 05:31:28.226514500 487 250 <deconometrica@foundationalhealth.com>, sender OK - how exciting to get mail from you!
2007-04-18 05:31:29.084287500 4194 Too many connections: 40 >= 40.  Waiting one second.
2007-04-18 05:31:29.415222500 487 dispatching RCPT To:<frenchcactus@isaz.org>
2007-04-18 05:31:29.416756500 487 to email address : [<frenchcactus@isaz.org>]
2007-04-18 05:31:29.418028500 487 running plugin (rcpt): check_badmailfrom
2007-04-18 05:31:29.419232500 487 Plugin check_badmailfrom, hook rcpt returned DECLINED,
2007-04-18 05:31:29.420057500 487 running plugin (rcpt): check_badrcptto_patterns
2007-04-18 05:31:29.421088500 487 trying to get config for badrcptto_patterns
2007-04-18 05:31:29.423477500 487 Plugin check_badrcptto_patterns, hook rcpt returned DECLINED,
2007-04-18 05:31:29.424344500 487 running plugin (rcpt): check_badrcptto
2007-04-18 05:31:29.425456500 487 trying to get config for badrcptto
2007-04-18 05:31:29.428182500 487 Plugin check_badrcptto, hook rcpt returned DECLINED,
2007-04-18 05:31:29.429017500 487 running plugin (rcpt): rcpt_ok
2007-04-18 05:31:29.430120500 487 trying to get config for me
2007-04-18 05:31:29.431056500 487 trying to get config for rcpthosts
2007-04-18 05:31:29.433465500 487 Plugin rcpt_ok, hook rcpt returned OK,
2007-04-18 05:31:29.434550500 487 250 <frenchcactus@isaz.org>, recipient ok
2007-04-18 05:31:29.715183500 487 dispatching DATA
2007-04-18 05:31:29.720193500 487 354 go ahead
2007-04-18 05:31:29.720203500 487 trying to get config for databytes
2007-04-18 05:31:29.720207500 487 max_size: 15000000 / size: 0
2007-04-18 05:31:29.720735500 487 trying to get config for timeout
2007-04-18 05:31:30.087066500 4194 Too many connections: 40 >= 40.  Waiting one second.
2007-04-18 05:31:31.090065500 4194 Too many connections: 40 >= 40.  Waiting one second.
2007-04-18 05:31:32.092975500 4194 Too many connections: 40 >= 40.  Waiting one second.
2007-04-18 05:31:33.094912500 4194 Too many connections: 40 >= 40.  Waiting one second.
2007-04-18 05:31:34.097871500 4194 Too many connections: 40 >= 40.  Waiting one second.
2007-04-18 05:31:35.100738500 4194 Too many connections: 40 >= 40.  Waiting one second.
2007-04-18 05:31:36.103643500 4194 Too many connections: 40 >= 40.  Waiting one second.
2007-04-18 05:31:37.105569500 4194 Too many connections: 40 >= 40.  Waiting one second.
2007-04-18 05:31:38.108465500 4194 Too many connections: 40 >= 40.  Waiting one second.
2007-04-18 05:31:39.110407500 4194 Too many connections: 40 >= 40.  Waiting one second.
2007-04-18 05:31:39.358660500 487 spooling message to disk
2007-04-18 05:31:39.647352500 487 max_size: 15000000 / size: 1802
2007-04-18 05:31:39.647362500 487 trying to get config for me
2007-04-18 05:31:39.652362500 487 running plugin (data_post): check_basicheaders
2007-04-18 05:31:39.652372500 487 Plugin check_basicheaders, hook data_post returned DECLINED,
2007-04-18 05:31:39.652377500 487 running plugin (data_post): tnef2mime
2007-04-18 05:31:39.716359500 487 Plugin tnef2mime, hook data_post returned DECLINED,
2007-04-18 05:31:39.717233500 487 running plugin (data_post): spamassassin
2007-04-18 05:31:39.718479500 487 spamassassin plugin: check_spam
2007-04-18 05:31:39.722668500 487 spamassassin plugin: check_spam: connected to spamd
2007-04-18 05:31:39.740958500 487 spamassassin plugin: check_spam: finished sending to spamd
2007-04-18 05:31:40.113310500 4194 Too many connections: 40 >= 40.  Waiting one second.
2007-04-18 05:31:41.116216500 4194 Too many connections: 40 >= 40.  Waiting one second.
2007-04-18 05:31:42.119060500 4194 Too many connections: 40 >= 40.  Waiting one second.
2007-04-18 05:31:43.121115500 4194 Too many connections: 40 >= 40.  Waiting one second.
2007-04-18 05:31:44.124081500 4194 Too many connections: 40 >= 40.  Waiting one second.
2007-04-18 05:31:45.126890500 4194 Too many connections: 40 >= 40.  Waiting one second.
2007-04-18 05:31:46.129797500 4194 Too many connections: 40 >= 40.  Waiting one second.
2007-04-18 05:31:47.131725500 4194 Too many connections: 40 >= 40.  Waiting one second.
2007-04-18 05:31:47.151515500 487 spamassassin plugin: check_spam: spamd: SPAMD/1.1 0 EX_OK
2007-04-18 05:31:47.151524500
2007-04-18 05:31:47.151528500 487 trying to get config for me
2007-04-18 05:31:47.161723500 487 spamassassin plugin: check_spam: spamd: Content-length: 89
2007-04-18 05:31:47.161733500
2007-04-18 05:31:47.166719500 487 spamassassin plugin: check_spam: spamd: Spam: True ; 7.0 / 5.0
2007-04-18 05:31:47.166729500
2007-04-18 05:31:47.166733500 487 spamassassin plugin: check_spam: spamd:
2007-04-18 05:31:47.166737500
2007-04-18 05:31:47.166740500 487 spamassassin plugin: check_spam: finished reading from spamd
2007-04-18 05:31:47.166744500 487 spamassassin plugin: check_spam: Yes, hits=7.0, required=5.0, tests=FORWARD_LOOKING,RAZOR2_CF_RANGE_51_100,RAZOR2_CF_RANGE_E4_51_100,RAZOR2_CHECK,RCVD_IN_XBL
2007-04-18 05:31:47.166751500 487 Plugin spamassassin, hook data_post returned DECLINED,
2007-04-18 05:31:47.171720500 487 running plugin (data_post): spamassassin
2007-04-18 05:31:47.171730500 487 Plugin spamassassin, hook data_post returned DECLINED,
2007-04-18 05:31:47.171734500 487 running plugin (data_post): virus::clamav
2007-04-18 05:31:47.171738500 487 virus::clamav plugin: Changing permissions on file to permit scanner access
2007-04-18 05:31:47.171743500 487 virus::clamav plugin: Running: /usr/bin/clamdscan --stdout  --disable-summary /var/spool/qpsmtpd/1176899499:487:0 2>&1
2007-04-18 05:31:48.134667500 4194 Too many connections: 40 >= 40.  Waiting one second.
2007-04-18 05:31:49.137592500 4194 Too many connections: 40 >= 40.  Waiting one second.
2007-04-18 05:31:50.140486500 4194 Too many connections: 40 >= 40.  Waiting one second.
2007-04-18 05:31:51.143381500 4194 Too many connections: 40 >= 40.  Waiting one second.
2007-04-18 05:31:52.146324500 4194 Too many connections: 40 >= 40.  Waiting one second.
2007-04-18 05:31:53.149234500 4194 Too many connections: 40 >= 40.  Waiting one second.
2007-04-18 05:31:54.152205500 4194 Too many connections: 40 >= 40.  Waiting one second.

2007-04-18 05:31:55.155055500 4194 Too many connections: 40 >= 40.  Waiting one second.   -   Note: This now goes on forever.



Just throwing out an idea here: I'm thinking a system clamscan was taking place when freshclam tried to update. Clamscan had locked something that freshclam did not like. This caused a lockup.

Or maybe not

Kevin

misnerspace
« Reply #6 on: April 24, 2007, 03:32:21 AM »
The same problem happened again today. This time it had problems around 02:00 Tokyo time. The interesting thing here is that it seems to be happening on Tuesday, but this may just be a coincidence. Anybody else have any freshclam update problems today?